Smoke Loader UAC-0006, millions in losses (CERT-UA#7648, CERT-UA#7688, CERT-UA#7699, CERT-UA#7705) Update 20.03.2024

SIMKRA
Oct 28, 2023

Smoke Loader Analysis Update

Latest update 20.03.2024: additional Smoke Loader research documentation from CERT-UA and Unit 42 is linked here.

General Information: the translation of the Ukrainian CERT-UA advisory on UAC-0006 can be found here (and follows below).

Smoke Loader

In the period from October 2 to October 6, 2023, the Government Computer Emergency Response Team of Ukraine CERT-UA recorded at least four waves of cyberattacks carried out by the UAC-0006 group using the SmokeLoader malware.

Compromised legitimate e-mail accounts are used to send the messages, and SmokeLoader is delivered to computers through several chains, including:

  • EML -> ZIP (polyglot) -> ZIP -> SFX -> BAT -> EXE (SmokeLoader)
  • EML -> ZIP (polyglot) -> ZIP -> JS (loader) -> EXE (SmokeLoader)
  • EML -> ZIP (polyglot) -> EXE (SmokeLoader)
  • EML -> ZIP (polyglot) -> JS -> EXE (SmokeLoader)
  • EML -> PDF -> ZIP (polyglot) -> JS -> EXE (SmokeLoader)
  • EML -> PDF -> ZIP -> ZIP -> JS -> EXE (SmokeLoader)

The current SmokeLoader configuration (compile date: 2023-09-11 11:58:47) has been in use since the second ten-day period of September (mid-September) up to the present. In addition, the malware command-and-control servers are hosted on the infrastructure of Trader Soft LLC (@simplecloud.ru, OGRN: 1089848043086, St. Petersburg, Chekel N.V.):

  • 85.143.216[.]129 (since 16.09.2023)
  • 85.143.172[.]45 (since 01.10.2023)

*It should be noted that using the infrastructure of Trader Soft LLC to host malware command-and-control servers is prohibited by clause 5 of Annex No. 1 to the Offer Agreement.

We would like to remind you that the attackers' goal is to compromise accountants' computers in order to steal authentication data (login, password, key/certificate) and/or alter the details of financial documents in remote banking systems so as to send unauthorized payments.

We draw attention to the fact that during August-September 2023, the mentioned group attempted to steal funds worth tens of millions of hryvnias.

Once again, we emphasize the need to prioritize the security of accountants' automated workplaces: use protective software, restrict the ability to run standard script hosts and utilities (wscript.exe, cscript.exe, powershell.exe, mshta.exe), and filter outgoing traffic; details are in the article "How to be responsible and hold the cyber front" (https://cert.gov.ua/article/5436463).
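The two host-side signals the advisory points at, script hosts that should be restricted on accountants' workstations and lure files with a double extension such as ".XLS.js" or ".JPEG.exe" (see the file indicators further down), can be turned into a simple hunting check over process-creation telemetry. The following is an added illustration, not CERT-UA's or the blog author's code; the event field names (loosely after Sysmon Event ID 1), the list of "opened from mail/archive" parent images, and the sample events are all assumptions constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Script hosts the advisory recommends restricting on accountants' workstations.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Decoy document/image extensions and the executable extensions hidden behind them
# (the lure names in the indicator list use e.g. ".XLS.js" and ".JPEG.exe").
DECOY_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "jpg", "jpeg"}
PAYLOAD_EXTS = {"js", "exe", "bat", "vbs"}
# Assumed parent images that suggest "launched from a mail client or archive viewer"
# (an assumption for this example, not from the advisory).
ARCHIVE_OR_MAIL_PARENTS = {"winrar.exe", "7zfm.exe", "explorer.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record; field names are assumed, loosely after Sysmon Event ID 1."""
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def double_extension(name: str) -> bool:
    """True for 'invoice.XLS.js'-style names: a decoy extension followed by an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in PAYLOAD_EXTS


def names_in_command_line(cmd: str) -> list[str]:
    """File names of all quoted or bare tokens on the command line."""
    return [basename(quoted or bare) for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]


def assess(ev: ProcEvent) -> list[str]:
    """Return human-readable findings for one event (empty list = nothing suspicious)."""
    findings: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in SCRIPT_HOSTS:
        findings.append(f"script host {image} executed")
        if parent in ARCHIVE_OR_MAIL_PARENTS:
            findings.append(f"{image} launched from {parent}")
    # Check the image itself and every file referenced on the command line, without repeats.
    for name in dict.fromkeys([image] + names_in_command_line(ev.command_line)):
        if double_extension(name):
            findings.append(f"double-extension lure: {name}")
    return findings


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(event index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := assess(ev))]


# Constructed sample events: a JS loader run from an archive, a double-extension
# executable started from Explorer, and a benign document open.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\acct\AppData\Local\Temp\Rar$DIa0\1.Account_to_act.XLS.js"',
        parent_image=r"C:\Program Files\WinRAR\WinRAR.exe",
    ),
    ProcEvent(
        image=r"C:\Users\acct\Downloads\act_of_29_09_2023.JPEG.exe",
        command_line=r'"C:\Users\acct\Downloads\act_of_29_09_2023.JPEG.exe"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r'"C:\Windows\System32\notepad.exe" C:\Users\acct\Documents\report.xlsx',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

The script-host finding on its own is noisy in environments where logon scripts or management tooling legitimately use wscript.exe or powershell.exe; the combination with an archive/mail-client parent and a double-extension file name is what narrows it to the delivery chains listed above. Treat the parent-image list as a starting point to tune to the local environment.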

Additionally, at the level of the relevant banking institution, make sure that the basic anti-fraud rules and other security settings are applied, in particular:

  • alerting on a payment to a new counterparty;
  • alerting on an amount that exceeds the set limit;
  • restricting access to the client-bank system to a list of trusted IP addresses.

Cyber Threat Indicators:

Files (MD5, SHA-256, file name):

f0c949f396dca8bdf6d67cf6ad4adfeb 31be756b4315098a94855a8b236bcf6e55d97acbc5cebe75d1a668dff45bb82b invoice_of_SF-0001871_and_act_of_the_fact_from_29_09_2023.zip
ad3093db8fc1d9273bfd61db1c9f5f79 3ac06154dea00c6f17fba1c52956affdda59eba036b3d5d077c37c93fe277a26 invoice_SF-0001871.XLS
67d4e3736690f1863bb22681faecd2ba 90ed5f6719265e25c3483b11704e3158622128816def1f7515988b7de5f5f1de conversations.doc
ae5a549b9d3f7efb1197df0928b28a47 8b4b9b473f73b70c55d21d33149ced0c234fff919d15ff73cca22b93818a785c act_of_29_09_2023r_for_rah_UA493077700000026002711166191.JPEG.exe
c4029c4f5ec1aa2db0d957fe712f57b8 41fe1fea884daee189076a5bb5b288852ed5b72d3b89576b740be6baceaa69c5 akt.jpeg
861970dd2bc82ddea7fc4b6fff21b69d 9b50c4624bd60aea94b85afeeac6d61c485bee42fdeeffedc5d9617f4650c51c Payment_9312_0580_6944_3255.bat
e0abf9e0e69184f9a928382959c9ac80 e5314f7a9969af109606c84567ecf951570dd1495c400a1e5bf215fd5cdb3fd2 Pax_9312_0580_6944_3255_29.09.2023p.jpg
3b6dbc53b1960269184585ede349e347 55076f9a6e5ee25e2deb7b8417431bd71ff34a74c600efbd53144a9b0a178946 account_to_act_NP-010140544_from_30.09.2023_01102023223751.zip
0c174d287a4af1ad05fd1b8ea40c7003 7781122a4a2aea14f0d7cab9d9a1a9cf0e4e9ef5f31639449f56a0b1ecebb2d9 account_to_act_NP-010140544_from_30.09.2023_01102023223751.xlsx
a12a7a8edd7fee2ec3b2b47e0a33830f 143310670009099214b1b1a812e98a485db3e2879ab35dca8ba63005a62a610c act_of_03.10.2023_Rah_UA493077700000026002711166194.XLS.exe
24a3f685542a83934f311b69714e6392 411525bb70e9579cc4dc62458bbcfc88ca44d6ca6046a43e4e2ef13873edb1a8 specification to act NoNP-010140544 dated 30.09.2023.zip
0c174d287a4af1ad05fd1b8ea40c7003 7781122a4a2aea14f0d7cab9d9a1a9cf0e4e9ef5f31639449f56a0b1ecebb2d9 account_to_act_NP-010140544_from_30.09.2023_01102023223751.xlsx
a3ca1983e0741d9d5816af3f89570472 fdf8a89e8c90ed0653780acc77c180185b8971e62d2a02dcaabcfc456d05bd96 1.Account_to_act_NP-010140544_from_30.09.2023_01102023223751.XLS.js
65c7d9e822c9f2b8291202128644e825 9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc mstsc.exe
b6c134f4f94612f903f6e555af707553 493f708129bf25ff4bb734c179d336f223d9d21ea53b7e5e52f9535a72415bfd 2.Act_of_animals_from_03.10.2023_Rah_UA493077700000026002711166194.XLS.js
ccbdbaa1f2ba8322554fcfa772d20862 6999f5f3c6824f27b5a1fb436c59d369f6f1ec08365d48cd1c8d21d1058eaafc 3.Extract_from_register_from_03.10.2023_Rah_UA493077700000026002711166194.XLS.js
0728c2a5375b615042020acdf26f4567 d895f40a994cb90416881b88fadd2de5af165eec1cd41b0ddd08fa1d6b3262bb list_of_documents_for_acquaintance.pdf
45c63b6de683c5bb62cd93ace3c9433a 2c44c9b445d2efc2f46e463d933da2ffc1d3ba6718bd67d3957c3f916b7c79fe List_of_documents_for_acquaintance.zip
b6c134f4f94612f903f6e555af707553 493f708129bf25ff4bb734c179d336f223d9d21ea53b7e5e52f9535a72415bfd 2.Act_of_animals_from_03.10.2023_Rah_UA493077700000026002711166194.XLS.js
65c7d9e822c9f2b8291202128644e825 9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc mstsc.exe
ccbdbaa1f2ba8322554fcfa772d20862 6999f5f3c6824f27b5a1fb436c59d369f6f1ec08365d48cd1c8d21d1058eaafc 3.Extract_from_register_from_03.10.2023_Rah_UA493077700000026002711166194.XLS.js
a3ca1983e0741d9d5816af3f89570472 fdf8a89e8c90ed0653780acc77c180185b8971e62d2a02dcaabcfc456d05bd96 1.Account_to_act_NP-010140544_from_30.09.2023_01102023223751.XLS.js
99c11a67c6ab54c5a14dbb0f44edea44 739e735aa73cfdbfc08c696e0426434aa78139110b416313d2a39d93915ee318 Nov.zip
fe7c42b5711cdc65af404ef5c299f9ce 0f93344347469ebef7b0d6768f6f50928b8e6df7bc84a4293b7c4a7bb5b98072 APPLICATION.xlsx
66d62c348cb3b50d2edd5a9ae6778b51 40c9bc7186f21b6e2a7da28632e70d9b9bce01cc63c692d4383ac03e13e45533 Nov.pdf
b6d8f49b3d0f81514e8a40c9a03d8636 ac1aedd7d08d3e92ded28d07944d8a8039650a36dec8b4a5d7b675ce2c5512c4 2.Act_of_animals_from_03.10.2023_Rah_UA493077700000026002711166194.XLS.js
331ddbbd644c1088f56497ea066cf804 ebbf474d69519b7ded60c1dab807dab492c33d9caf76e6495c2ee92be573011e mstsc.exe
f9fb94165f54cd0b5b0c00e1880d5363 41b74077e7707dfce2752668a3201e3bc596ade5594535c266e3249c2e697cb2 document_list_for_review.zip

Network (defanged; domains are lower-case, "[.]" replaces "."):

85.143.216[.]129
85.143.172[.]45
hXXp://diplombar[.]by/
hXXp://dublebomber[.]ru/
hXXp://iloveua[.]ir/
hXXp://ipoluchayteudovolstvie[.]ru/
hXXp://kozachok777[.]ru/
hXXp://moyabelorussiya[.]by/
hXXp://nomnetozhedenyuzhkanuzhna[.]ru/
hXXp://popuasyfromua[.]ru/
hXXp://propertyiran[.]ir/
hXXp://propertyminsk[.]by/
hXXp://prostosmeritesya[.]ru/
hXXp://restmantra[.]by/
hXXp://sakentoshi[.]ru/
hXXp://specnaznachenie[.]ru/
hXXp://super777bomba[.]ru/
hXXp://tvoyaradostetoya[.]ru/
hXXp://yavasponimayu[.]ru/
hXXp://zakrylki809[.]ru/
hXXp://zasadacafe[.]by/
diplombar[.]by
dublebomber[.]ru
iloveua[.]ir
ipoluchayteudovolstvie[.]ru
kozachok777[.]ru
moyabelorussiya[.]by
nomnetozhedenyuzhkanuzhna[.]ru
popuasyfromua[.]ru
propertyiran[.]ir
propertyminsk[.]by
prostosmeritesya[.]ru
restmantra[.]by
sakentoshi[.]ru
specnaznachenie[.]ru
super777bomba[.]ru
tvoyaradostetoya[.]ru
yavasponimayu[.]ru
zakrylki809[.]ru
zasadacafe[.]by
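The indicator lists above arrive defanged and, in this translation, with stray spaces and mixed-case TLDs, so they are not directly usable as a blocklist or a hunting set. The following is an added example, not CERT-UA's or the blog author's code: it normalises a small excerpt of the indicators (constructed from the lists above, including the page's spacing and case artefacts), de-duplicates the repeated file entries, and matches the result against a few constructed proxy, DNS, firewall and EDR log lines whose formats are assumptions for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Excerpt of the indicator text as it appears on the page (constructed for the example;
# the repeated mstsc.exe entry, the ". JPEG.exe" space and the "[.] Ru" spacing/case are
# the artefacts the parser has to cope with).
RAW_IOCS = """
Files:
ae5a549b9d3f7efb1197df0928b28a47 8b4b9b473f73b70c55d21d33149ced0c234fff919d15ff73cca22b93818a785c act_of_29_09_2023r_for_rah_UA493077700000026002711166191. JPEG.exe
65c7d9e822c9f2b8291202128644e825 9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc mstsc.exe
65c7d9e822c9f2b8291202128644e825 9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc mstsc.exe
Network:
85.143.216[.] 129
hXXp://dublebomber[.] Ru/
Sakentoshi[.] Ru
"""

HASH_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+([0-9a-fA-F]{64})\s+(\S.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo the advisory's defanging: '[.]' (with stray spaces) -> '.', leading hXXp -> http."""
    s = re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Split the 'md5 sha256 filename' and network lines into typed, normalised sets."""
    iocs: dict[str, set[str]] = {k: set() for k in ("md5", "sha256", "filename", "ip", "domain", "url")}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):          # blank line or section header
            continue
        m = HASH_LINE.match(line)
        if m:
            md5, sha256, name = m.groups()
            iocs["md5"].add(md5.lower())
            iocs["sha256"].add(sha256.lower())
            # Collapse the translation artefact ". JPEG.exe" back to ".JPEG.exe".
            iocs["filename"].add(re.sub(r"\.\s+", ".", name))
            continue
        ind = refang(line)
        if ind.lower().startswith("http"):
            u = urlsplit(ind)                         # .hostname is already lower-cased
            iocs["url"].add(f"{u.scheme.lower()}://{u.hostname}{u.path or '/'}")
            iocs["domain"].add(u.hostname or "")
        elif IPV4.match(ind):
            iocs["ip"].add(ind)
        else:
            iocs["domain"].add(ind.lower())
    return iocs


def match_line(line: str, iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (indicator type, value) for every normalised indicator found in one log line."""
    hits: list[tuple[str, str]] = []
    low = line.lower()
    for h in re.findall(r"\b[0-9a-f]{64}\b", low):
        if h in iocs["sha256"]:
            hits.append(("sha256", h))
    for h in re.findall(r"\b[0-9a-f]{32}\b", low):
        if h in iocs["md5"]:
            hits.append(("md5", h))
    for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", low):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for host in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", low):
        if host in iocs["domain"]:
            hits.append(("domain", host))
    return hits


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, list[tuple[str, str]]]]:
    """(line index, hits) for each line with at least one indicator match."""
    return [(i, h) for i, line in enumerate(lines) if (h := match_line(line, iocs))]


# Constructed log lines in assumed proxy / DNS / firewall / EDR formats.
SAMPLE_LOGS = [
    "2023-10-03T09:14:02Z 10.0.5.17 GET http://dublebomber.ru/ 200",
    "2023-10-03T09:14:01Z 10.0.5.17 query sakentoshi.ru A",
    "2023-10-03T09:15:30Z 10.0.5.17 -> 85.143.216.129:80 TCP allow",
    "2023-10-03T09:16:00Z 10.0.5.18 GET http://example.com/ 200",
    "2023-10-03T09:13:50Z 10.0.5.17 file_hash sha256=9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc name=mstsc.exe",
]

if __name__ == "__main__":
    parsed = parse_iocs(RAW_IOCS)
    for idx, hits in scan_logs(SAMPLE_LOGS, parsed):
        print(f"line {idx}: {hits}")
```

File names are parsed but deliberately not used for matching: "mstsc.exe" is also the name of the legitimate Windows Remote Desktop client, so a name-only hit says nothing, whereas the SHA-256 does. The same caution applies to the two C2 addresses, which sit in a commercial hosting range; block or alert on the exact addresses, not the provider's prefix.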

Graphics: the figures from the original advisory are not reproduced in this translation.

End of Translation
