UAC-0006 Distributes SmokeLoader Backdoor

Category: Threat Actor Activity | Industry: Global | Source: CERT-UA

On May 29th, 2023, the Ukrainian Computer Emergency Response Team (CERT-UA) received reports of a malicious campaign involving the distribution of the SmokeLoader malware backdoor. The threat actors behind this campaign used compromised email accounts to distribute phishing emails to victims. The phishing emails have been found to include an archive file attachment that may contain HTML files or virtual disk files, such as VHDX or VHD. These files are used to execute a JavaScript loader, which subsequently downloads an executable file and initiates the installation of SmokeLoader. An error was spotted by CERT-UA, noticing in one VHDX file the infection led to a Cobalt Strike beacon. Based on the use of Russian domains to host the SmokeLoader botnet and repurposing of tools, CERT-UA attributes the campaign to a threat group tracked as UAC-0006.

Anvilogic Scenario:

• Zip/LNK Leads to LOLBins and Actions on Objectives

Anvilogic Use Cases:

• Compressed File Execution
• Wscript/Cscript Execution
• Network Connection with Suspicious Folder

‍