Hackers attack again via emails with the subject line “bills”

New cyberattack aims to steal email login credentials

On July 13, the Governmental Computer Emergency Response Team of Ukraine CERT-UA, which operates under the State Special Communications Service, detected another mass distribution of malicious emails with the subject line “Bills”. The messages carry an attachment named “Reconciliation_Act_and_Account_of_12_07_2023.zip” which, if opened, ultimately leads to the download and execution of the SmokeLoader malware.
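A mail-gateway check for the lure described above, added here as an illustration rather than CERT-UA tooling: it flags messages whose subject is “Bills” and which carry a ZIP attachment following the advisory's naming pattern. The sample messages, sender and recipient addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Indicators taken from the CERT-UA advisory (matched case-insensitively).
LURE_SUBJECT = "bills"
LURE_ATTACHMENT_PREFIX = "reconciliation_act_and_account_of_"


def suspicious_attachments(msg: EmailMessage) -> list:
    """Return names of ZIP attachments that match the campaign's naming."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and name.startswith(LURE_ATTACHMENT_PREFIX):
            hits.append(name)
    return hits


def assess(raw: bytes) -> dict:
    """Evaluate one raw RFC 5322 message and report which indicators fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = {
        "subject_lure": subject == LURE_SUBJECT,
        "zip_lure": suspicious_attachments(msg),
    }
    # Quarantine only when both the subject and the attachment name match,
    # so ordinary mail that merely mentions bills is not blocked.
    findings["block"] = findings["subject_lure"] and bool(findings["zip_lure"])
    return findings


def build_sample(subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"   # placeholder sender
    msg["To"] = "finance@example.org"        # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached reconciliation act.")
    if attachment_name:
        # Minimal ZIP-like bytes; the content is irrelevant to the name check.
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Bills", "Reconciliation_Act_and_Account_of_12_07_2023.zip")
    print(assess(lure))
    print(assess(build_sample("Bills", None)))
```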

This time, the malware configuration file contains 45 domain names, of which only 5 have an A-record at the time of analysis (IP address: 193.106.174[.]173; provider @iqhost[.]ru, Russia).

Note that, to keep its infrastructure reachable, SmokeLoader can look up the current A-records for these domain names by querying the DNS servers of the @dnspod[.]com service directly.


Once again, the attackers used compromised email accounts to distribute the emails. The activity is tracked by the UAC-0006 identifier.

As a reminder, CERT-UA recently reported similar activity by this group. Experts noted that the UAC-0006 group was financially motivated and was active from 2013 to July 2021. In May 2023, the attackers launched another campaign of attacks.

The typical objective is to infect the accounting computers used to support financial operations, steal authentication data (logins, passwords, keys/certificates) and create unauthorized payments.
