The level of threat to accountants is growing


The Governmental Computer Emergency Response Team of Ukraine (CERT-UA), which operates under the State Special Communications Service, has recorded the third cyberattack by the UAC-0006 group in the last 10 days that uses “invoice/payment” emails.

The message the user receives carries an archive attachment that contains files and further archives with names like: “Payment instruction of TIN and extract from the register”, “Extract from the register dated 24.07.2023_Document code…”, etc. Opening such files results in the SmokeLoader malware being downloaded and launched.

For the mass distribution of emails, the attackers use botnets consisting of more than 1000 computers.

According to CERT-UA experts, the activation of the UAC-0006 group may lead to an increase in the number of cases of fraud using remote banking systems.

Business managers and accountants should strengthen the protection of the automated workstations used to generate, sign and send payments by using software security tools. They should also ask system administrators to limit the ability to run standard utilities (wscript.exe, cscript.exe, powershell.exe, mshta.exe) and to filter outgoing information flows.
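Before such restrictions are enforced, administrators can check where these utilities are already being started on accounting workstations. The following is an added example, not CERT-UA's code: it scans process-creation events and flags launches of the four utilities that come from a mail client, archiver or file manager, or that reference a user-writable folder. The event field names (`host`, `image`, `parent`, `cmd`), the parent list, the folder list and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Utilities named in the CERT-UA recommendation.
WATCHED = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumption: programs from which a user opens a mail attachment or archive.
USER_PARENTS = {"explorer.exe", "outlook.exe", "thunderbird.exe", "7zfm.exe", "winrar.exe"}
# Assumption: user-writable locations where unpacked attachments usually land.
USER_PATHS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed sample events (hypothetical hosts, users and files), one JSON object per line.
SAMPLE_LOG = r"""
{"host": "ACC-PC-01", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Program Files\\7-Zip\\7zFM.exe", "cmd": "wscript.exe C:\\Users\\acct1\\AppData\\Local\\Temp\\7zO4\\extract.js"}
{"host": "ACC-PC-02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\svchost.exe", "cmd": "powershell.exe -File C:\\Admin\\inventory.ps1"}
{"host": "ACC-PC-03", "image": "C:\\Windows\\System32\\mshta.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "mshta.exe C:\\Users\\acct2\\Downloads\\payment.hta"}
{"host": "ACC-PC-01", "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "parent": "C:\\Windows\\explorer.exe", "cmd": "EXCEL.EXE report.xlsx"}
"""

def basename(path):
    """File name of a Windows path, lower-cased for comparison."""
    return ntpath.basename(path).lower()

def review(event):
    """Return the reasons an event deserves attention; empty list if none."""
    if basename(event["image"]) not in WATCHED:
        return []
    reasons = []
    parent = basename(event["parent"])
    if parent in USER_PARENTS:
        reasons.append("launched from " + parent)
    if any(p in event["cmd"].lower() for p in USER_PATHS):
        reasons.append("argument in user-writable path")
    return reasons

def scan(log_text):
    """Return (host, utility, reasons) for every flagged event in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = review(event)
        if reasons:
            findings.append((event["host"], basename(event["image"]), reasons))
    return findings

if __name__ == "__main__":
    for host, tool, reasons in scan(SAMPLE_LOG):
        print(f"{host}: {tool}: {'; '.join(reasons)}")
```

Launches that are not flagged, such as the scheduled inventory script in the sample, show where an allow-list exception would be needed before the utilities are restricted.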

As previously noted by CERT-UA experts, the activity of the UAC-0006 group is financially motivated and was carried out from 2013 to July 2021. In May 2023, the attackers resumed their activities.

The group's typical malicious intent is to infect accounting computers used to support financial activities, steal authentication data (login, password, key/certificate) and create unauthorized payments.
