Ukraine cyber officials warn of a 'surge' in Smokeloader attacks on financial, government entities

Suspected Russian cybercriminals have increased their attacks against Ukrainian financial and government organizations using Smokeloader malware, according to Ukrainian cybersecurity officials.

Since May of this year, the malware operators have targeted Ukrainian organizations with intense phishing attacks, primarily attempting to infiltrate their systems and steal sensitive information, according to research published Tuesday by Ukraine's National Cyber Security Coordination Center (NCSCC).

Smokeloader is a highly complex malware that functions primarily as a loader, downloading stealthier or more effective malicious software onto the compromised system. Because of its modular design, Smokeloader can perform a wide range of functions, including stealing credentials, executing distributed denial-of-service attacks, and intercepting keystrokes.

The researchers did not attribute this campaign to a specific hacker group, but they noted that the prevalence of Russian domain registrars suggests potential connections to Russian cybercriminal operations.

Back in May, Ukraine's Computer Emergency Response Team (CERT-UA) linked the Smokeloader activity to a threat actor it identified as UAC-0006. CERT-UA described it as a financially motivated operation aiming to steal credentials and execute unauthorized fund transfers.

The researchers from the NCSCC said that the attacks on Ukrainian organizations by both financially motivated cybercriminals and state-sponsored hackers indicate that the threat landscape in Ukraine "has evolved into a multifaceted arena."

In their recent campaign, the hackers used Smokeloader to attack state, private, and financial institutions, with a particular focus on accounting departments, the NCSCC told Recorded Future News. The hackers used "meticulously crafted" financially themed emails to trick victims into downloading malicious attachments. Financial themes created a sense of urgency and relevance for recipients, researchers said.
The hackers concealed Smokeloader under layers of seemingly harmless financial documents. Smokeloader uses various evasion strategies to slip past security measures undetected. Once it has gained access to a system, it can extract crucial device information, including operating system details and location data.

In recent attacks, the attackers also compromised money transfer processes, redirecting funds to their own accounts by replacing legitimate account details. Such cases highlight cybercriminals' evolving tactics, which now include manipulating financial processes to divert and steal resources, the researchers said.

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine.
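The account-swapping tactic described above (legitimate beneficiary details replaced so that a transfer lands in the attacker's account) is usually caught on the accounting side rather than by the endpoint. The following is an added example, not code from the article, the NCSCC, or CERT-UA: a small payment-release control that holds any outgoing instruction whose beneficiary name or IBAN deviates from the vendor master record, or whose IBAN fails the ISO 13616 mod-97 checksum, so that it can be verified with the vendor out of band before the money moves. The vendor master, vendor IDs, the `PaymentInstruction` and `Decision` types, and the function names are all constructed for the example; the IBANs are the standard publicly documented example IBANs, not real accounts.

```python
"""Payment-release control: hold transfers whose beneficiary details deviate
from the vendor master, so a swapped account number is caught before release.
Added example with constructed data; not the article's or any project's code."""
from dataclasses import dataclass, field

# Constructed vendor master (hypothetical vendors). The IBANs are the
# publicly documented example IBANs used in specifications, not real accounts.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies LLC", "iban": "DE89370400440532013000"},
    "V-1002": {"name": "Nova Logistics",    "iban": "GB82WEST12345698765432"},
}


@dataclass
class PaymentInstruction:
    vendor_id: str
    beneficiary_name: str
    iban: str
    amount: float


@dataclass
class Decision:
    action: str                       # "release" or "hold"
    findings: list = field(default_factory=list)


def normalize_iban(iban):
    """Strip spacing and upper-case so 'DE89 3704 ...' and 'DE893704...' compare equal."""
    return "".join(iban.split()).upper()


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A..Z to 10..35, and the resulting integer must be 1 modulo 97.
    Catches mistyped or crudely edited account numbers, not plausible swaps."""
    s = normalize_iban(iban)
    if len(s) < 5 or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def evaluate_payment(instr, master=VENDOR_MASTER):
    """Compare one instruction against the vendor master; any deviation means hold."""
    findings = []
    record = master.get(instr.vendor_id)
    if record is None:
        findings.append("vendor not in master data")
    else:
        if normalize_iban(instr.iban) != normalize_iban(record["iban"]):
            findings.append("beneficiary IBAN differs from vendor master")
        if instr.beneficiary_name.strip().casefold() != record["name"].strip().casefold():
            findings.append("beneficiary name differs from vendor master")
    if not iban_checksum_ok(instr.iban):
        findings.append("IBAN fails mod-97 checksum")
    return Decision("hold" if findings else "release", findings)


def triage_batch(instructions, master=VENDOR_MASTER):
    """Split a payment batch into releasable instructions and ones held for
    out-of-band verification with the vendor (callback to a known-good number,
    never to contact details taken from the instruction itself)."""
    release, hold = [], []
    for instr in instructions:
        decision = evaluate_payment(instr, master)
        (release if decision.action == "release" else hold).append((instr, decision))
    return release, hold


if __name__ == "__main__":
    # Constructed batch: one genuine instruction, one with the account swapped
    # to a different (valid) IBAN, and one with a mistyped IBAN.
    batch = [
        PaymentInstruction("V-1001", "Acme Supplies LLC", "DE89 3704 0044 0532 0130 00", 12500.0),
        PaymentInstruction("V-1001", "Acme Supplies LLC", "GB82WEST12345698765432", 12500.0),
        PaymentInstruction("V-1002", "Nova Logistics", "GB82WEST12345698765433", 800.0),
    ]
    released, held = triage_batch(batch)
    for instr, decision in held:
        print(f"HOLD {instr.vendor_id} {instr.amount:.2f}: {'; '.join(decision.findings)}")
    print(f"released {len(released)}, held {len(held)}")
```

The design point is that a swapped account number in an otherwise flawless-looking payment instruction is indistinguishable from a legitimate one at the email or document level; the only reliable reference is the account on file, and any change to it should require confirmation over a channel the attacker does not control.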

This Cyber News was published on therecord.media. Publication date: Thu, 30 Nov 2023 23:19:27 +0000

