CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

May 8, 2023 | Ravie Lakshmanan | Cyber Attack / Data Security


According to the Computer Emergency Response Team of Ukraine (CERT-UA), an ongoing phishing campaign is using invoice-themed decoys to distribute the SmokeLoader malware in the form of a polyglot file.

The emails, according to the agency, are sent from compromised accounts and come with a ZIP archive that is actually a polyglot file containing a decoy document and a JavaScript file.

The JavaScript code is then used to launch an executable that facilitates the execution of the SmokeLoader malware. SmokeLoader, first detected in 2011, is a loader whose primary goal is to download or load stealthier or more effective malware onto infected systems.
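A mail gateway or analyst can check an attachment for the two traits described above (a ZIP that carries leading bytes belonging to another format, and a script member next to a decoy document) without executing anything. The following is an added example, not code from CERT-UA or from the article; it parses the ZIP end-of-central-directory record by hand to measure how many bytes precede the archive, then lists members with script extensions. The sample archive it builds is constructed for the demonstration and is not a campaign artefact.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# End-of-central-directory layout: signature, disk number, CD disk, entries on disk,
# entries total, CD size, CD offset, comment length (22 bytes, little-endian).
EOCD_FMT = "<4sHHHHIIH"
# Extensions a gateway should treat as executable content inside an archive (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1")


def prepended_bytes(data: bytes) -> int:
    """Return how many bytes precede the ZIP structure (0 for a plain archive).

    ZIP readers locate the archive from its end, so a file with leading data in
    another format still unpacks; the leading data is what makes it a polyglot.
    """
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    fields = struct.unpack(EOCD_FMT, data[eocd_pos:eocd_pos + struct.calcsize(EOCD_FMT)])
    cd_size, cd_offset = fields[5], fields[6]
    actual_cd_start = eocd_pos - cd_size          # where the central directory really is
    return actual_cd_start - cd_offset             # minus where the record claims it is


def triage_attachment(data: bytes) -> dict:
    """Summarise the two signals: leading non-ZIP bytes and script members."""
    lead = prepended_bytes(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates leading bytes too
        names = zf.namelist()
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]
    return {
        "prepended_bytes": lead,
        "members": names,
        "script_members": scripts,
        "suspicious": lead > 0 or bool(scripts),
    }


def build_sample(prefix: bytes) -> bytes:
    """Constructed test fixture: a decoy document stub plus a .js member, with
    `prefix` placed in front so the file also begins like another format."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy document\n")
        zf.writestr("invoice.js", b"// placeholder script body\n")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(b"")),
                          ("polyglot", build_sample(b"%PDF-1.4\n%leading bytes\n"))):
        print(label, triage_attachment(sample))
```

The measurement works because the central-directory offset stored in the end record is relative to the archive's own start; any difference between that and the record's physical position is data that was prepended. A plain archive with a script member is still flagged, since the script, not the polyglot wrapping, is what carries the risk.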

CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as an economically motivated operation conducted with the goal of stealing credentials and making unauthorized fund transfers.


In a related advisory, Ukraine’s cybersecurity authority also disclosed details of destructive attacks orchestrated by a group known as UAC-0165 against public sector organizations.

The attack, which targeted an unnamed state organization, involved the use of a new batch script-based malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility.

This is achieved by archiving the identified files with WinRAR's “-df” command line switch, which deletes the source files once they have been added to the archive, and then purging the created archives. The batch script was executed by a scheduled task.


Simultaneously, Linux systems were compromised using a bash script that leveraged the dd utility to overwrite files with zero bytes, effectively avoiding detection by security software.
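Both destructive techniques described above leave a distinctive trace in process-creation telemetry: WinRAR or Rar.exe invoked in add mode with the -df switch, and dd reading /dev/zero into a file. The following is an added example, not CERT-UA's or the article's code, that runs two such checks over constructed sample events (a simplified key=value log format assumed for the demonstration; no real telemetry) and additionally reports hosts where the archive-and-delete pattern repeats, since RoarBAT-style activity shows up as a run of such invocations rather than a single one.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry), one per line:
# <timestamp> host=<name> image="<path>" cmdline="<command line>"
SAMPLE_EVENTS = r'''
2023-05-08T09:41:02Z host=srv-01 image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe a -r C:\backup\docs.rar C:\share\docs"
2023-05-08T09:42:17Z host=srv-01 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c C:\Users\Public\task.bat"
2023-05-08T09:42:18Z host=srv-01 image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe a -r -df C:\Users\Public\tmp\1.rar C:\share\*.docx"
2023-05-08T09:42:19Z host=srv-01 image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe a -r -df C:\Users\Public\tmp\2.rar C:\share\*.xlsx"
2023-05-08T09:43:00Z host=lnx-07 image="/usr/bin/dd" cmdline="dd if=/dev/zero of=/var/lib/app/data.db bs=1M"
2023-05-08T09:43:30Z host=lnx-07 image="/usr/bin/dd" cmdline="dd if=/dev/urandom of=/tmp/seed.bin bs=32 count=1"
'''

# key="quoted value" or key=value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    for m in FIELD_RE.finditer(rest):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return ev


def basename(path: str) -> str:
    """Lower-cased final path component, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_winrar_delete_after_archive(ev: dict) -> bool:
    """WinRAR/Rar 'a' (add) with -df: the source files are deleted after archiving."""
    if basename(ev.get("image", "")) not in ("winrar.exe", "rar.exe"):
        return False
    args = ev.get("cmdline", "").split()
    return len(args) > 1 and args[1].lower() == "a" and any(a.lower() == "-df" for a in args[2:])


def check_dd_zero_overwrite(ev: dict) -> bool:
    """dd reading /dev/zero into anything but /dev/null: the target is overwritten with zeros."""
    if basename(ev.get("image", "")) != "dd":
        return False
    args = ev.get("cmdline", "").split()
    targets = [a[3:] for a in args if a.startswith("of=")]
    return "if=/dev/zero" in args and any(t != "/dev/null" for t in targets)


RULES = {
    "winrar_delete_after_archive": check_winrar_delete_after_archive,
    "dd_zero_overwrite": check_dd_zero_overwrite,
}


def scan(text: str, burst_threshold: int = 2):
    """Return (hits, bursting_hosts): every matching event as (ts, host, rule),
    and hosts whose hit count reaches burst_threshold."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["ts"], ev["host"], name))
    per_host = Counter(host for _, host, _ in hits)
    bursts = sorted(host for host, n in per_host.items() if n >= burst_threshold)
    return hits, bursts


if __name__ == "__main__":
    found, bursting = scan(SAMPLE_EVENTS)
    for hit in found:
        print("hit:", *hit)
    print("bursting hosts:", bursting)
```

The ordinary backup in the first line (add mode without -df) and the dd call that reads /dev/urandom are deliberately left unflagged, so the rules key on the destructive switch and source rather than on the tool alone; in production the burst threshold and time window would be tuned against the environment's normal WinRAR usage.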

“It has been verified that the operability of electronic computers (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive impact carried out with use of appropriate software,” said the CERT-UA.

“Access to the ICS target of the attack is allegedly gained by connecting to a VPN using compromised credentials. The successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote VPN connections.”


The agency also attributed UAC-0165 with moderate confidence to the infamous Sandworm group (also known as FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of unleashing wiper attacks since the start of the Russian-Ukrainian war last year.

The link to Sandworm comes from significant overlaps with another destructive attack that hit Ukraine’s state news agency Ukrinform in January 2023, which was linked to the adversary group.

The alerts come a week after CERT-UA warned of phishing attacks carried out by the Russian state-sponsored group APT28 targeting government entities in the country with fake Windows update notifications.


Ikaroa, a leading full stack tech company, is alerting Ukrainian computer users about a recent surge of SmokeLoader and RoarBAT malware attacks that have been detected. The CERT-UA (Computer Emergency Response Team of Ukraine) has warned of the increased prevalence of these malicious software threats and is taking action to protect users and prevent further damage.

The SmokeLoader malware is a type of Trojan horse, which is specifically designed to steal personal information and passwords from victims. The RoarBAT malicious software, on the other hand, relies on a remote control system to seize control of an infected computer. Both of these threats can enable hackers to obtain sensitive data and disrupt service to infected devices.

To protect themselves from these kinds of attacks, CERT-UA recommends that individuals and organizations maintain secure coding protocols, use a robust antivirus program, and regularly apply all patches and updates released by software developers. Additionally, they advise all users to be extra vigilant when clicking on links and attachments in emails, as malicious code can be hidden there.

At Ikaroa, we applaud the efforts of CERT-UA to detect and protect individuals and organizations from malicious software attacks. We also offer a free online security scan to all Ukrainian internet users, which can help to identify and block any existing malware. This service is offered in an effort to further protect users and help reduce the risk of infection from malicious software.

Overall, we urge users to remain vigilant and keep an eye out for signs of malicious software attacks. By staying informed and taking the necessary precautions, we can help protect ourselves and others from these kinds of cyber threats.
