The attack primarily targets the computers used by financial accountants. Using the SmokeLoader malware, the attackers aim to gain remote access to financial systems.
An Initiative With a Monetary Motivation
According to the CERT-UA notice, the attackers are sending spam emails with the subject “bill/payments” and a ZIP file attached.
The attacks have been attributed to the UAC-0006 group, which is believed to have been active since around 2013.
The criminals seek to obtain authentication-related information, such as credentials, keys, or certificates, and then carry out illicit financial transactions into accounts under their control.
The attached ZIP archive is a polyglot file: a single file that can be interpreted as several different file types. It consists of a decoy document and a JavaScript file.
Investigating the Polyglot File Further
The polyglot file pax_2023_AB1058..js uses PowerShell to download and run additional payloads. Specifically, it downloads a program named portable.exe which, when executed, activates the SmokeLoader malware.
The file’s creation date and the domain’s registration date suggest that the campaign began in April 2023. Once active, SmokeLoader injects malicious code into running processes and begins downloading further payloads.
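The attachment pattern described above (a non-ZIP prefix followed by a ZIP archive that carries a script loader which would run under Windows Script Host) can be triaged before it reaches a user. The Python below is an added example written for this article; it is not CERT-UA tooling, not the real attachment, and the member names, the constructed PDF-style prefix and the `verdict` policy are assumptions. It relies on the fact that a ZIP parser finds the archive by scanning backwards for the end-of-central-directory record, so leading bytes of another format do not stop the archive from opening.

```python
"""Triage an e-mail attachment for the ZIP-polyglot / script-loader pattern.

Added example for this article, not CERT-UA code. The sample attachment is
constructed inline and contains no real loader.
"""
import io
import zipfile

# Extensions that Windows Script Host (wscript.exe / cscript.exe) executes.
WSH_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def triage_attachment(data: bytes) -> dict:
    """Return findings for a raw attachment body.

    Reports whether the bytes parse as a ZIP archive, how many bytes of
    foreign data precede the first ZIP local-file header (non-zero means a
    polyglot prefix), which members would run under Windows Script Host,
    and which members use a double extension to disguise their type.
    """
    findings = {
        "is_zip": False,
        "leading_bytes": 0,
        "script_members": [],
        "double_extension": [],
    }
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return findings
    findings["is_zip"] = True
    # A clean archive starts with the local-file header at offset 0; a
    # polyglot starts with the foreign format and the header appears later.
    first_local = data.find(ZIP_LOCAL_HEADER)
    findings["leading_bytes"] = first_local if first_local > 0 else 0
    with zipfile.ZipFile(bio) as zf:
        for name in zf.namelist():
            if name.lower().endswith(WSH_EXTENSIONS):
                findings["script_members"].append(name)
            # e.g. "invoice.pdf.js" or "bill..js": more than one dot before
            # the final extension hides the real type from the recipient.
            basename = name.rsplit("/", 1)[-1]
            if basename.count(".") > 1:
                findings["double_extension"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """Assumed gateway policy: script loaders are blocked outright,
    archives that do not start with a ZIP header are held for review."""
    if not findings["is_zip"]:
        return "not-zip"
    if findings["script_members"]:
        return "block"          # would launch via wscript.exe on the endpoint
    if findings["leading_bytes"]:
        return "suspicious"     # parses as ZIP but another format leads it
    return "allow"


def build_sample_polyglot(with_prefix: bool = True) -> bytes:
    """Constructed sample: optional fake PDF header, then a ZIP holding a
    decoy document and a harmless placeholder .js with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docx", b"decoy document bytes")
        zf.writestr("bill_payments..js", b"// constructed placeholder, not a loader\n")
    prefix = b"%PDF-1.4\n% constructed prefix so the file also looks like a PDF\n"
    return (prefix if with_prefix else b"") + buf.getvalue()


if __name__ == "__main__":
    result = triage_attachment(build_sample_polyglot())
    print(result, verdict(result))
```

Because the standard library locates the archive from its tail, the same check works for a DOCX- or PDF-prefixed ZIP; the `leading_bytes` field alone is enough to hold a file for analyst review even when the script member is renamed to something outside `WSH_EXTENSIONS`.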
Security Measures
CERT-UA has proposed that JavaScript loaders, which are often used at the start of an attack, can be stopped by preventing Windows Script Host (wscript.exe) from launching on the PC. It has also published indicators of compromise (IoCs) that can be used to block SmokeLoader-related files at the security boundary.