
According to Ukraine’s Computer Emergency Response Team (CERT-UA), an ongoing phishing campaign using invoice-themed lures is being used to distribute SmokeLoader malware in the form of polyglot files.
According to the agency, the email was sent from a compromised account and carried a ZIP archive that was in fact a polyglot file containing decoy documents and JavaScript files.
The JavaScript code then launches an executable that in turn runs the SmokeLoader malware. SmokeLoader is a loader first detected in 2011 whose main purpose is to download or load additional, stealthier or more capable malware onto an infected system.
CERT-UA attributes this activity to a threat actor tracked as UAC-0006, characterized as a financially motivated operation carried out to steal credentials and make unauthorized fund transfers.

In a related advisory, Ukrainian cybersecurity officials also revealed details of a devastating attack against public sector organizations organized by a group known as UAC-0165.
Attacks targeting an unnamed state agency involved a new batch script-based wiper malware called RoarBAT. RoarBAT recursively searches for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility.
This is accomplished by archiving the identified files with the “-df” command-line option, which deletes the source files once they have been archived, and then purging the resulting archive. The batch script is executed by a scheduled task.

At the same time, a Linux system was compromised using a bash script that leveraged the dd utility to overwrite files with 0 bytes, effectively avoiding detection by security software.
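As an added illustration that is not part of the advisory, the following Python sketch flags the two wiper patterns described above (WinRAR invoked with -df, and dd zero-filling a regular file) in constructed process-creation records. The sample events, their field names and the assumption that the Linux script reads from /dev/zero are mine, not CERT-UA's.

```python
# Constructed sample process-creation events (not taken from the advisory).
SAMPLE_EVENTS = [
    # WinRAR run from a batch file with -df: source files deleted after archiving
    {"image": r"C:\Program Files\WinRAR\Rar.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"Rar.exe a -r -df -y C:\Users\Public\tmp.rar *.doc *.xls *.pdf"},
    # Ordinary archiving without -df: benign
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a backup.rar D:\reports'},
    # dd zero-filling a regular file: the Linux wiper pattern (assumed if=/dev/zero)
    {"image": "/usr/bin/dd", "parent": "/bin/bash",
     "cmdline": "dd if=/dev/zero of=/srv/app/data.db bs=1M"},
    # dd writing an image to a block device: routine admin use
    {"image": "/usr/bin/dd", "parent": "/bin/bash",
     "cmdline": "dd if=/tmp/disk.img of=/dev/sdb bs=4M"},
]


def rar_deletes_sources(event: dict) -> bool:
    """True when Rar.exe/WinRAR.exe is invoked with -df (delete files after archiving)."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name not in ("rar.exe", "winrar.exe"):
        return False
    # Splitting on whitespace is enough to spot the switch; quoted paths are irrelevant here.
    return any(tok.lower() == "-df" for tok in event["cmdline"].split())


def dd_zero_fills_file(event: dict) -> bool:
    """True when dd copies /dev/zero onto a path that is not a device node."""
    if event["image"].rsplit("/", 1)[-1] != "dd":
        return False
    # dd takes key=value operands; collect them into a dict.
    opts = dict(tok.split("=", 1) for tok in event["cmdline"].split()[1:] if "=" in tok)
    return opts.get("if") == "/dev/zero" and not opts.get("of", "/dev/").startswith("/dev/")


def triage(events: list) -> list:
    """Return (index, reason) pairs for events matching a RoarBAT-style wiper pattern."""
    hits = []
    for i, ev in enumerate(events):
        if rar_deletes_sources(ev):
            hits.append((i, "WinRAR -df: sources deleted after archiving"))
        elif dd_zero_fills_file(ev):
            hits.append((i, "dd /dev/zero written onto a regular file"))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Pairing the WinRAR hit with its parent process (cmd.exe launched by the Task Scheduler) is what separates the RoarBAT pattern from an operator archiving files by hand.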
“We have found that the destructive effects of using appropriate software have resulted in the impairment of the operability of electronic computers (server equipment, automated user workspaces, data storage systems),” CERT-UA said.
“By connecting to a VPN with compromised authentication data, it is said that access to the ICS targeted by the attack can be gained, facilitated by the lack of multi-factor authentication in
Authorities have also attributed UAC-0165 to the notorious Sandworm group (aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear) with moderate confidence. The group has a history of unleashing wiper attacks since the start of the Russian-Ukrainian war last year.
The link to Sandworm stems from significant overlap with another devastating attack that hit Ukraine’s state-owned news agency Ukrinform in January 2023.
The alert came a week after CERT-UA warned that the Russian government-backed group APT28 was using fake Windows update notifications to launch phishing attacks targeting government agencies in the country.