Source: www.databreachtoday.com
Attack Surface Management, Security Operations
Hackers Using Compromised Email Addresses to Deliver the Malware
Akshaya Asokan (asokan_akshaya) • May 31, 2023
![Ukrainian CERT Warns of New SmokeLoader Campaign](https://130e178e8f8ba617604b-8aedd782b7d22cfe0d1146da69a52436.ssl.cf1.rackcdn.com/ukrainian-cert-warns-new-smokeloader-campaign-showcase_image-9-a-22203.jpg)
Ukrainian cyber defenders are warning users for the second time this month to be aware of financially motivated phishing campaigns that load the SmokeLoader malware onto computers.
The Computer Emergency Response Team of Ukraine (CERT-UA), in a Monday alert, said hackers tracked as UAC-0006 use compromised email addresses to send compressed files containing JavaScript loaders for SmokeLoader.
SmokeLoader is a large family of Trojans known since 2011; it is primarily used to load additional malware but also has plug-ins for information exfiltration. MITRE said the malware is “notorious for its use of deception and self-protection.”
Cyber defenders also say the campaign may attempt to load Cobalt Strike Beacon – penetration testing software used to execute PowerShell scripts, download files and surveil users.
A SmokeLoader sample analyzed by CERT-UA contained a list of 26 URLs for command-and-control servers, although the vast majority of the domains were unregistered. The hackers use Russian domain name registrars and providers. The government agency says UAC-0006 is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments.
CERT-UA earlier this month spotted UAC-0006 using compromised email accounts with the subject “bill/payment” and an attached .zip file containing a SmokeLoader launcher.
Since the SmokeLoader JavaScript loader is executed by Windows Script Host, Microsoft’s built-in script runtime for .js and .vbs files, CERT-UA recommends limiting end-user access to the tool.
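One way an administrator can act on that recommendation is shown below. This is an added example, not code from CERT-UA or from the article: it reads the Windows Script Host "Enabled" policy value, optionally sets it to 0 (which makes wscript.exe and cscript.exe refuse to run scripts), and looks back through Security event ID 4688 for prior runs of a .js file by either host. It assumes an elevated PowerShell session on Windows 10/11 and, for the hunting step, that process-creation auditing with command-line logging is turned on; the function names are the example's own.

```powershell
# Added example (not from the CERT-UA alert or the article): restrict Windows Script Host
# on a workstation and look back for earlier .js execution via wscript.exe / cscript.exe.
# Assumptions: run as an administrator; event ID 4688 with "Include command line in
# process creation events" is enabled for Find-RecentScriptHostRuns to return anything.

$wshSettings = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # per-machine policy
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user
)

function Get-WshStatus {
    # Report the Enabled value for each location; a missing value means WSH is enabled (default).
    foreach ($path in $wshSettings) {
        $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Path    = $path
            Enabled = if ($null -eq $enabled) { 'not set (enabled)' } else { $enabled }
        }
    }
}

function Disable-Wsh {
    # Enabled = 0 (REG_DWORD) makes wscript.exe and cscript.exe refuse to run scripts.
    foreach ($path in $wshSettings) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name Enabled -Value 0 -Type DWord
    }
}

function Find-RecentScriptHostRuns {
    param([int]$Days = 7)
    # 4688 = "A new process has been created". Match a script host in the process path and a
    # .js argument anywhere in the event text, then pull out the command-line field.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\(wscript|cscript)\.exe' -and $_.Message -match '\.js\b' } |
        ForEach-Object {
            $cmdLine = ($_.Message -split "`r?`n") |
                Where-Object { $_ -match 'Process Command Line' } |
                Select-Object -First 1
            [pscustomobject]@{
                Time        = $_.TimeCreated
                CommandLine = if ($cmdLine) { $cmdLine.Trim() } else { '' }
            }
        }
}

Get-WshStatus
Find-RecentScriptHostRuns -Days 7
# Disable-Wsh   # run once you have confirmed no business logon or admin scripts depend on WSH
```

Disabling WSH is a blunt control: any legitimate .js or .vbs logon script stops working as well, so run the status and hunting functions first and deploy the registry change through Group Policy after checking what the hunt returns on representative machines. An archive-delivered .js that appears in the 4688 output with a path under a user's temp or downloads folder is the pattern described in the alert and is worth triage even if WSH has since been disabled.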
Original Post url: https://www.databreachtoday.com/ukrainian-cert-warns-new-smokeloader-campaign-a-22203