Source: www.govinfosecurity.com – Author: 1
Attack Surface Management
,
Security Operations
Hackers Using Compromised Mail to Deliver the Malware
Akshaya Asokan (asokan_akshaya) •
May 31, 2023
Ukrainian cyber defenders are warning users for the second time this month to be aware of financially-motivated phishing campaigns that load the SmokeLoader malware onto computers.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The Computer Emergency Response Team of Ukraine in a Monday alert says hackers tracked as UAC-0006 use compromised email addresses to send compressed files containing JavaScript loaders for SmokeLoader.
SmokeLoader is the name for a large family of Trojans known since 2011 that can be used to load additional malware but also has plugins for information exfiltration. Mitre notes the malware is “notorious for its use of deception and self-protection.”
Cyber defenders also say the campaign may attempt to load Cobalt Strike Beacon, penetration testing software used to execute PowerShell scripts, download files and surveil users.
A SmokeLoader sample analyzed by CERT-UA contained a list of 26 URLs for command and control servers, although the vast majority of the domains were unregistered. The hackers use Russian domain name registrars and providers. The government agency says UAC-0006 is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments.
CERT-UA earlier this month spotted UAC-0006 using compromised email accounts with subject “bill/payment” and an attached .zip file containing a SmokeLoader launcher.
Since the SmokeLoader Javascript loaders is activated using Microsoft’s automated scripting tool Windows Script Host, CERT-UA recommends limiting end user access to the tool.
Original Post URL: https://www.govinfosecurity.com/ukrainian-cert-warns-new-smokeloader-campaign-a-22203
Category & Tags: –
