SmokeLoader campaign attacks various Ukrainian entities

February 20, 2024
SmokeLoader Ukraine Malware Threat Campaign Data Breach DDoS

Ukrainian law enforcement agencies released an advisory regarding the recent SmokeLoader campaign targeting their economic and government entities.

Based on reports, these attacks primarily use the SmokeLoader malware to breach systems and steal sensitive data. SmokeLoader itself functions mainly as a loader: once it has a foothold, it downloads additional, more capable malicious components onto the compromised system.

Its modular design lets operators add capabilities as plugins, including credential theft, distributed denial-of-service (DDoS) attacks, and keystroke interception.


SmokeLoader campaigns have become more common over the past few months because the malware is sold openly to a range of threat groups.


According to investigations, the SmokeLoader campaign could originate from several different operators, since the developers sell the malware at various price tiers. The cost ranges from $400 for the basic bot to $1,650 for the complete package, which includes all available plugins and functions.

The researchers have yet to attribute this campaign directly to a specific hacker group. Still, they did observe an increase in campaign domains registered through Russian registrars, suggesting potential connections to Russian cybercriminal operations.

In a previous incident in May, Ukraine’s CERT-UA linked the SmokeLoader activity to a threat actor identified as UAC-0006, describing it as a financially motivated operation focused on stealing credentials and conducting unauthorised fund transfers.

The NCSCC researchers noted that the attacks on Ukrainian organisations, involving both financially motivated cybercriminals and state-sponsored hackers, indicate a multifaceted evolution of the threat landscape in Ukraine.

In the recent campaign, the hackers used SmokeLoader to target a range of entities, including state, private, and financial institutions, with accounting departments as the primary target.

The hackers sent specially crafted, financially themed emails designed to create a sense of urgency and relevance for their targets. In addition, the operators hid the SmokeLoader payload within layers of seemingly harmless financial documents.

They also employed various evasion tactics that allowed them to breach systems and remain undetected. After gaining access, the SmokeLoader operators harvested device information such as operating system details and location data, putting the individuals whose data was exposed at further risk.

The sudden rise in SmokeLoader campaigns against Ukraine shows that the cyber dimension of the conflict with Russia continues. Ukrainian organisations, especially those in the financial and government sectors, should remain wary of these attacks.
