On July 13, the Governmental Computer Emergency Response Team of Ukraine (CERT-UA), which operates under the State Special Communications Service, detected another mass distribution of malicious emails with the subject line “Bills”. The messages carry an attachment named “Reconciliation_Act_and_Account_of_12_07_2023.zip” which, if opened, eventually leads to the download and execution of the SmokeLoader malware.
This time, the malware’s configuration contains 45 domain names, of which only 5 had an A-record at the time of analysis (IP address 193.106.174[.]173; provider @iqhost[.]ru, Russia).
To ensure survivability, SmokeLoader can determine the current A-records for these domain names itself by querying the DNS servers of the @dnspod[.]com service.
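Because the fallback described above resolves the loader’s domains through a public DNS service rather than the organisation’s own resolver, direct port-53 traffic from workstations to unapproved addresses is a practical detection point. The following is an added example, not code from the CERT-UA report; the approved resolver addresses and the flow-log lines are constructed, and the log format is assumed.

```python
"""Flag hosts that send DNS queries to resolvers outside the approved set.

Malware that resolves its own domains via a public DNS service has to bypass
the internal resolver, so outbound port-53 traffic from workstations to
unapproved addresses is a useful signal in firewall or flow logs.
"""
from collections import defaultdict

# Assumption: the organisation's internal resolvers live on these addresses.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow-log lines: <time> <src_ip> <dst_ip> <dst_port> <proto>
SAMPLE_FLOWS = """\
2023-07-13T09:01:02Z 10.20.30.11 10.0.0.53 53 udp
2023-07-13T09:01:05Z 10.20.30.11 203.0.113.7 53 udp
2023-07-13T09:01:06Z 10.20.30.11 203.0.113.7 53 udp
2023-07-13T09:02:10Z 10.20.30.12 10.0.1.53 53 udp
2023-07-13T09:02:11Z 10.20.30.12 198.51.100.9 443 tcp
2023-07-13T09:03:00Z 10.20.30.13 198.51.100.53 53 tcp
"""


def parse_flow(line):
    """Split one flow-log line into fields; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, port, proto = parts
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_rogue_dns(log_text, approved=APPROVED_RESOLVERS):
    """Return {src_ip: {resolver_ip: query_count}} for DNS traffic that bypasses
    the approved resolvers. Hosts that only use approved resolvers are omitted."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["port"] != 53:
            continue  # only DNS traffic is of interest here
        if flow["dst"] in approved:
            continue  # normal path through the internal resolver
        hits[flow["src"]][flow["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for host, resolvers in find_rogue_dns(SAMPLE_FLOWS).items():
        print(f"{host} queried unapproved resolvers: {resolvers}")
```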
Once again, the attackers used compromised email accounts to distribute the messages. The activity is tracked under the identifier UAC-0006.
CERT-UA recently reported similar activity by this group. Experts noted that the UAC-0006 group’s activity was financially motivated and took place from 2013 to July 2021; in May 2023, the attackers launched another campaign of attacks.
The typical objective is to infect the computers of accountants that support financial operations, steal authentication data (logins, passwords, keys/certificates), and create unauthorized payments.