CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

CERT-UA, Ukraine’s Computer Emergency Response Team, has issued a warning about two malware attacks against the country. The first involves the SmokeLoader malware, which is being distributed via an ongoing phishing campaign that uses invoice-themed lures. The emails are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file. The JavaScript code is then used to launch an executable that paves the way for the execution of the SmokeLoader malware. SmokeLoader, first detected in 2011, is a loader whose main objective is to download or load a stealthier or more effective malware onto infected systems. CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers.
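
The ZIP-in-a-polyglot attachment described above is the part of this chain a mail gateway or triage script can check for mechanically. The following is an added defensive example, not code from CERT-UA or from the report, that flags an attachment when a valid ZIP central directory is present but the file does not begin with a ZIP local-file header (foreign bytes prepended), or when a script file is packaged next to a decoy document. The extension lists and the constructed sample are assumptions for illustration.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # what a plain ZIP starts with
EOCD_SIGNATURE = b"PK\x05\x06"     # end-of-central-directory record
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta", ".bat", ".cmd")
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")


def inspect_archive(data: bytes) -> dict:
    """Return triage findings for one attachment's bytes.

    polyglot   -> a ZIP structure parses, but the file does not start with a
                  ZIP local-file header, i.e. other data sits in front of the
                  archive (the layout described in the alert).
    scripts    -> members with a script extension.
    decoys     -> members with a document extension.
    suspicious -> polyglot layout, or a script shipped next to a decoy document.
    """
    findings = {"is_zip": False, "polyglot": False,
                "scripts": [], "decoys": [], "suspicious": False}
    if EOCD_SIGNATURE not in data:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return findings
    findings["is_zip"] = True
    # zipfile locates the archive from its tail, so prepended bytes are
    # tolerated by the parser; a non-ZIP leading signature is the polyglot tell.
    findings["polyglot"] = not data.startswith(ZIP_LOCAL_HEADER)
    findings["scripts"] = [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]
    findings["decoys"] = [n for n in names if n.lower().endswith(DECOY_EXTENSIONS)]
    findings["suspicious"] = findings["polyglot"] or (
        bool(findings["scripts"]) and bool(findings["decoys"]))
    return findings


def build_sample(prefix: bytes, members: dict) -> bytes:
    """Constructed test input: a ZIP with optional foreign bytes in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return prefix + buf.getvalue()
```

Running this over quarantined attachments gives a cheap first-pass signal; member names alone are not proof of malice, so treat a hit as a reason to detonate or inspect, not as a verdict.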

The second attack involves a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility. The attack, which targeted an unnamed state organization, was carried out by a group known as UAC-0165 and was characterized as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers. CERT-UA attributed UAC-0165 with moderate confidence to the notorious Sandworm group, which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year.

The alerts come a week after CERT-UA cautioned of phishing attacks carried out by the Russian state-sponsored group APT28 targeting government entities in the country with fake Windows update notifications.

Source: The Hacker News
