SmokeLoader malware being distributed with invoice-themed phishing lures

In a recent blog post, CERT-UA announced that it is aware of an ongoing phishing campaign being used to distribute the SmokeLoader malware. The emails are sent from compromised accounts and carry a ZIP archive that, on closer inspection, is actually a polyglot file containing a decoy document and a JavaScript file. The JavaScript code launches an executable that in turn paves the way for SmokeLoader to run. SmokeLoader, first detected in 2011, is a loader whose main objective is to download or load stealthier or more capable malware onto infected systems. CERT-UA attributes the activity to a threat actor it has dubbed "UAC-0006" and characterizes the operation as financially motivated, aimed at stealing credentials and making unauthorized fund transfers.

In a related advisory, Ukraine's cybersecurity authority also disclosed details of destructive attacks orchestrated by a group known as "UAC-0165" against public sector organizations. The attack, which targeted an unnamed state organization, involved a new batch script-based wiper called "RoarBAT" that recursively searches for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility.
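The polyglot lure described above can be triaged mechanically: a ZIP's End Of Central Directory record states where the central directory should be, so prepended foreign data (a PDF or other decoy header in front of the archive) shows up as a mismatch, and the member list reveals embedded scripts. The following is an added example written for this page, not code from CERT-UA or the original report; the sample archive, file names and script extension list are constructed assumptions.

```python
import io
import struct
import zipfile

# Extensions a defender would flag inside an e-mailed "invoice" archive (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".cmd", ".bat", ".ps1")
EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record signature

def zip_prefix_length(data: bytes) -> int:
    """Bytes of foreign data preceding the ZIP structure (0 for a plain ZIP).

    The EOCD record stores the central directory offset as the archiver
    wrote it. If another file type was prepended to make a polyglot, the
    central directory now sits that many bytes later than the EOCD claims.
    """
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no End Of Central Directory record: not a ZIP")
    cd_size, cd_offset = struct.unpack_from("<II", data, idx + 12)
    return (idx - cd_size) - cd_offset

def triage_archive(data: bytes) -> dict:
    """Summarise polyglot and embedded-script indicators for one archive."""
    prefix = zip_prefix_length(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates the prefix
        names = zf.namelist()
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    return {
        "leading_magic": data[:4],
        "prefix_bytes": prefix,
        "polyglot": prefix > 0,
        "script_members": scripts,
        "suspicious": prefix > 0 or bool(scripts),
    }

def build_sample(polyglot: bool, with_script: bool) -> bytes:
    """Constructed test data: a ZIP with a decoy document, optionally a .js
    member, optionally prefixed with a fake PDF header to form a polyglot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_decoy.pdf", "%PDF-1.4 decoy text")
        if with_script:
            zf.writestr("invoice.js", "// constructed placeholder, not malware")
    prefix = b"%PDF-1.4\n% constructed polyglot prefix\n" if polyglot else b""
    return prefix + buf.getvalue()

if __name__ == "__main__":
    print(triage_archive(build_sample(polyglot=True, with_script=True)))
```

A mail gateway or sandbox can apply the same two checks to any attachment that opens as a ZIP, regardless of what its first bytes claim the file to be.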