UAC-0006 Distributes SmokeLoader Backdoor
On May 29, 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a malicious campaign distributing the SmokeLoader backdoor. The threat actors sent phishing emails from compromised email accounts. Each email carries an archive attachment; the archive contains either HTML files or virtual disk image files (VHD or VHDX), and opening these leads to the execution of a JavaScript loader. The loader downloads an executable, which in turn installs SmokeLoader. CERT-UA also noted that in one case, apparently because of a mistake on the attackers' part, the chain launched from a VHDX file delivered a Cobalt Strike Beacon instead. Based on the use of Russian domains to host the SmokeLoader botnet infrastructure and the reuse of tooling seen in earlier activity, CERT-UA attributes the campaign to the threat group it tracks as UAC-0006.
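The delivery chain above (archive → HTML or VHD/VHDX → JavaScript loader → downloaded executable) leaves a recognisable process-creation pattern on the endpoint: a Windows script host launched against a script that sits on a freshly mounted volume (a double-clicked VHD/VHDX gets its own drive letter) or in a temp extraction folder, followed by that script host spawning an executable from a user-writable path. The following detection heuristic is an added example written for this page; it is not CERT-UA's code nor anything recovered from the campaign. The log format (newline-delimited JSON with ts, pid, ppid, image and cmdline fields, modelled loosely on Sysmon Event ID 1), the sample events, the file names and the drive letter are all constructed assumptions.

```python
"""Heuristic detection for a script-host-to-dropped-executable chain.

Added example for this page; not CERT-UA's or the actor's code. The log
format and every event in SAMPLE_LOG are constructed assumptions.
"""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".html", ".hta", ".vbs")
SYSTEM_DRIVE = "c:"  # assumption: legitimate scripts are expected on the system volume only
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample log (not real telemetry). E: stands for a mounted VHDX;
# the cscript/net.exe pair at the end is a benign control case.
SAMPLE_LOG = r"""
{"ts": "2023-05-29T09:01:10", "pid": 4210, "ppid": 812, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"ts": "2023-05-29T09:02:31", "pid": 5301, "ppid": 4210, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "\"C:\\Windows\\System32\\wscript.exe\" \"E:\\invoice.js\""}
{"ts": "2023-05-29T09:02:35", "pid": 5322, "ppid": 5301, "image": "C:\\Users\\olena\\AppData\\Local\\Temp\\update.exe", "cmdline": "\"C:\\Users\\olena\\AppData\\Local\\Temp\\update.exe\""}
{"ts": "2023-05-29T09:10:02", "pid": 6100, "ppid": 4210, "image": "C:\\Windows\\System32\\cscript.exe", "cmdline": "cscript.exe C:\\Scripts\\inventory.vbs"}
{"ts": "2023-05-29T09:10:03", "pid": 6115, "ppid": 6100, "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net view"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _tokens(cmdline):
    """Split a Windows command line into arguments, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_path(cmdline):
    """Return the first script-like argument of a script-host command line, or None."""
    for tok in _tokens(cmdline):
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def suspicious_script_location(path):
    """True if the script lives on a non-system volume (e.g. a mounted VHD/VHDX)
    or inside a temp directory (e.g. an archive opened in place)."""
    p = path.lower()
    drive = p[:2] if len(p) > 1 and p[1] == ":" else None
    return (drive is not None and drive != SYSTEM_DRIVE) or "\\temp\\" in p


def dropped_executables(events, parent_pid):
    """Images of child processes of parent_pid that are .exe files in user-writable paths."""
    found = []
    for ev in events:
        img = ev["image"].lower()
        if ev["ppid"] == parent_pid and img.endswith(".exe") and any(m in img for m in USER_WRITABLE):
            found.append(ev["image"])
    return found


def detect(log_text):
    """Return one finding per script-host launch that matches the chain."""
    events = parse_events(log_text)
    findings = []
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        path = script_path(ev["cmdline"])
        reasons = []
        if path and suspicious_script_location(path):
            reasons.append("script launched from non-system volume or temp directory")
        dropped = dropped_executables(events, ev["pid"])
        if dropped:
            reasons.append("script host spawned executable from user-writable path")
        if reasons:
            findings.append({"ts": ev["ts"], "pid": ev["pid"], "script": path,
                             "dropped": dropped, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the wscript.exe launch from E:\invoice.js is flagged on both indicators and the cscript.exe inventory run is not. The two indicators are deliberately independent so that either alone can be surfaced at lower severity; the HTML-attachment variant of the chain, where the loader runs inside a browser rather than a script host, is not covered by this heuristic and needs separate browser-download or network telemetry.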