Hackers strike again with emails on the topic of “bills”


The Ukrainian government’s Computer Emergency Response Team (CERT-UA) has detected and investigated another campaign of emails on the topic of “bills” by the hacker group UAC-0006.

The attackers send emails with ZIP or RAR archive attachments containing the SmokeLoader malware. The messages are sent from legitimate email accounts that have been compromised.

CERT-UA notes a number of changes in the tactics, techniques and procedures of UAC-0006:

  • the use of multiple infection chains;
  • the distributed SmokeLoader sample contains 26 URLs of the botnet control server (the vast majority of domains are not registered);
  • the detection of Cobalt Strike Beacon malware may indicate the expansion of the list of tools used by the group.


To register domain names and host the botnet control servers, the attackers use Russian domain registrars and hosting providers (@reg.ru, @nic.ru, @iqhost.ru, @macloud.ru, @cloudx.ru), which makes the malicious infrastructure easier to set up and maintain.

CERT-UA reminds that Windows Script Host (wscript.exe, cscript.exe) is used to run the JavaScript loader that downloads and launches SmokeLoader. To reduce the attack surface, it therefore recommends restricting the use of Windows Script Host on workstations.
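One way to apply that recommendation on a single Windows host, as an added example that is not part of the CERT-UA advisory: the registry value below is Microsoft's documented Windows Script Host switch (a missing value means WSH is enabled, the default), while the function names are assumptions of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the CERT-UA advisory: disable Windows Script Host so that
# wscript.exe / cscript.exe refuse to run .js/.vbs loaders such as the one used here.
# Registry path and value are Microsoft's documented WSH setting; the function
# names (Get-WshState, Disable-Wsh) are this example's own.

$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Enabled' or 'Disabled'. If the value is absent, WSH is enabled (default).
    $value = Get-ItemProperty -Path $WshSettingsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $value -or $value.Enabled -ne 0) { return 'Enabled' }
    return 'Disabled'
}

function Disable-Wsh {
    # Creates the Settings key if it does not exist, then sets Enabled = 0 (DWORD).
    if (-not (Test-Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    Set-ItemProperty -Path $WshSettingsKey -Name Enabled -Value 0 -Type DWord
}

# Weak (default) state, then the hardened state.
"Before: WSH is $(Get-WshState)"
Disable-Wsh
"After:  WSH is $(Get-WshState)"
```

Once disabled, launching a .js or .vbs file produces a dialog stating that Windows Script Host access is disabled on this machine; test on a pilot group first, since legitimate logon or administration scripts may still depend on WSH.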

CERT-UA also notes that the activity of the UAC-0006 group is financially motivated and was carried out from 2013 to July 2021. The new activity, recorded in May 2023, marks a kind of “return” of the group.
