SmokeLoader is Distributed by a Phishing Campaign Using a Fake Invoice

By Esme Greene

Jul 17, 2023

The computers used by financial accountants are the primary target of the attack. Using the SmokeLoader malware, the attackers aim to gain remote access to financial systems.

A Financially Motivated Campaign

According to the CERT-UA notice, the attackers are sending spam emails with the subject “bill/payments” and a ZIP file attached.

The attacks have been attributed to the UAC-0006 group, which is believed to have been active since around 2013.

The criminals seek to obtain authentication data such as credentials, keys, or certificates, and then carry out unauthorized financial transactions into accounts under their control.

The attached ZIP archive is a polyglot file: a single file that can be interpreted as more than one file type. It consists of a decoy document and a JavaScript file.

Investigating the Polyglot File Further

The polyglot file pax_2023_AB1058..js uses PowerShell to download and run additional payloads. Specifically, it downloads an executable named portable.exe, which when run launches the SmokeLoader malware.

The file’s creation date and the domain’s registration date suggest that the campaign began in April 2023. Once running, SmokeLoader injects malicious code into currently running processes and begins downloading further payloads.
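The attachment described above (a ZIP carrying a decoy document plus a JavaScript loader with an odd double-dot name) is the kind of thing a mail gateway or incident responder can triage automatically. The following PowerShell is an added example, not code from the article or from CERT-UA: it checks whether a file that opens as a ZIP actually begins with the ZIP local-file-header magic (a ZIP parser locates the central directory from the end of the file, so a file with other content in front of it can still open as an archive, which is a common polyglot layout), and it flags entries with script extensions or decoy names. The sample archive it builds in `$env:TEMP`, and the `New-SampleAttachment` / `Test-ZipAttachment` function names, are constructed for this example; the JavaScript entry contains only a comment.

```powershell
# Added example: triage a ZIP attachment for script loaders and polyglot signs.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that Windows Script Host or the shell will execute directly.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.lnk', '.cmd', '.bat', '.ps1')

function Test-ZipAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $findings = New-Object System.Collections.Generic.List[string]

    # A ZIP reader finds the End of Central Directory record from the END of the file, so a
    # file that opens as a ZIP but does not start with "PK\x03\x04" has foreign bytes in
    # front of the archive: a typical polyglot layout (e.g. a document header followed by a ZIP).
    $head = [byte[]]::new(4)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $null = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
    if (-not ($head[0] -eq 0x50 -and $head[1] -eq 0x4B -and $head[2] -eq 0x03 -and $head[3] -eq 0x04)) {
        $findings.Add('file does not begin with ZIP local-file-header magic; possible polyglot')
    }

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $name = $entry.Name
            $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            if ($ScriptExtensions -contains $ext) {
                $findings.Add("script entry: $name")
            }
            # Decoy / double extensions such as 'invoice.pdf.js' or 'name..js'
            if ($name -match '\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{1,4}$' -or $name -match '\.\.') {
                $findings.Add("suspicious file name: $name")
            }
        }
    } finally { $zip.Dispose() }

    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

function New-SampleAttachment {
    # Constructed sample archive (assumption: not the real campaign file). The JS entry is a comment only.
    param([string]$Path = (Join-Path $env:TEMP 'sample_invoice.zip'))
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($pair in @(@('invoice.pdf', 'decoy document'), @('pax_2023_AB1058..js', '// placeholder'))) {
            $entry  = $zip.CreateEntry($pair[0])
            $writer = New-Object System.IO.StreamWriter($entry.Open())
            try { $writer.Write($pair[1]) } finally { $writer.Dispose() }
        }
    } finally { $zip.Dispose() }
    $Path
}

# Usage: build the constructed sample and triage it. Expected: Suspicious = True, with a
# 'script entry' finding and a 'suspicious file name' finding for the double-dot .js entry.
$sample = New-SampleAttachment
Test-ZipAttachment -Path $sample | Format-List
```

The magic-byte check is a heuristic, not proof of a polyglot: some legitimate self-extracting archives also place a stub in front of the ZIP data, so treat a hit as a reason to quarantine and inspect rather than a verdict on its own.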

Security Measures

CERT-UA recommends blocking the launch of Windows Script Host (wscript.exe) on workstations, since JavaScript loaders of this kind are often used at the start of an attack. CERT-UA has also published indicators of compromise (IoCs) that can be used to block SmokeLoader-related files at the network perimeter.

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.