Hackers Using Compromised Email Addresses to Deliver the Malware
Ukrainian cyber defenders are warning users for the second time this month to be aware of financially motivated phishing campaigns that load the SmokeLoader malware onto computers.
The Computer Emergency Response Team of Ukraine in a Monday alert said hackers tracked as UAC-0006 use compromised email addresses to send compressed files containing JavaScript loaders for SmokeLoader.
SmokeLoader is the name for a large family of Trojans known since 2011 that can be used to load additional malware but also has plug-ins for information exfiltration. Mitre said the malware is “notorious for its use of deception and self-protection.”
Cyber defenders also say the campaign may attempt to load Cobalt Strike Beacon – penetration testing software used to execute PowerShell scripts, download files and surveil users.
A SmokeLoader sample analyzed by CERT-UA contained a list of 26 URLs for command-and-control servers, although the vast majority of the domains were unregistered. The hackers use Russian domain name registrars and providers. The government agency says UAC-0006 is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments.
CERT-UA earlier this month spotted UAC-0006 using compromised email accounts with the subject “bill/payment” and an attached .zip file containing a SmokeLoader launcher.
Since the SmokeLoader JavaScript loader is activated using Microsoft’s automated scripting tool Windows Script Host, CERT-UA recommends limiting end-user access to the tool.
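The following PowerShell script is an added illustration of that recommendation, not part of the CERT-UA alert: it audits the standard Windows Script Host `Enabled` registry value for the machine and the current user, and with `-Disable` sets the machine-wide value to 0 so wscript.exe and cscript.exe refuse to run scripts such as the JavaScript loader described above. It assumes an elevated session for the `-Disable` path.

```powershell
# Added example (not from the CERT-UA alert): audit and optionally disable
# Windows Script Host machine-wide to block .js/.vbs loader execution.
# Assumes an elevated PowerShell session when -Disable is used.
param([switch]$Disable)

$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$userKey    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        return 'key absent (WSH enabled by default)'
    }
    $v = (Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) {
        return 'Enabled value absent (WSH enabled by default)'
    }
    if ([int]$v -eq 0) {
        return 'Enabled=0 (WSH disabled)'
    }
    return "Enabled=$v (WSH enabled)"
}

Write-Host "Machine (HKLM):      $(Get-WshState $machineKey)"
Write-Host "Current user (HKCU): $(Get-WshState $userKey)"

if ($Disable) {
    if (-not (Test-Path $machineKey)) {
        New-Item -Path $machineKey -Force | Out-Null
    }
    # A REG_DWORD value of 0 turns WSH off for every user on this host.
    New-ItemProperty -Path $machineKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Machine (HKLM) now:  $(Get-WshState $machineKey)"
}
```

Roll this out to a pilot group first, because logon and maintenance scripts written in VBScript or JScript stop running once WSH is disabled.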