20 March 2024

Ukraine’s cybersecurity authorities warn of surge in Smoke Loader malware attacks

The State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP), together with Palo Alto Networks' Unit 42, released a report highlighting Smoke Loader malware attacks targeting Ukraine's financial and governmental sectors. The research, spanning May to November 2023, sheds light on the tactics and techniques employed by the threat actor designated UAC-0006 by CERT-UA.

The report analyzes 23 waves of Smoke Loader attacks against Ukrainian entities observed from May 10 to November 23, 2023.

Smoke Loader, aka Dofoil or Sharik, is a backdoor designed for Microsoft Windows systems. It is primarily utilized as a loader, with additional capabilities for stealing information. Originating from Russian cybercrime operations, Smoke Loader has been available for sale on underground forums since 2011.

Ukraine, amidst its ongoing conflict, faces an unprecedented onslaught of cyberattacks from threat actors worldwide, ranging from nation-states to cybercriminal syndicates. The SCPC SSSCIP's report identifies Smoke Loader as a prevalent tool in recent attacks, particularly in phishing campaigns aimed at infiltrating critical systems and extracting sensitive data.

Key findings from the report are listed below:

Phishing Campaigns: These attacks exhibit a short but intense nature, often lasting only a day but targeting a wide array of organizations. Spearphishing emails, exploiting human psychology and trust, serve as the primary vector for disseminating Smoke Loader. Attackers leverage previously compromised email addresses to enhance credibility and increase the likelihood of successful infiltration.

Subject Specificity: All email subjects center around payment and billing, designed to appear legitimate and relevant to recipients. Despite attempts at authenticity, the presence of spelling errors and a lack of professional translation into Ukrainian hint at the malware's Russian origins.

File Deception: Attackers employ misleading double file extensions and polyglot files to deceive users and evade traditional antivirus solutions. By abusing built-in Windows utilities such as wscript.exe, powershell.exe, and cmd.exe, adversaries can maintain persistence on compromised systems and move laterally across networks, causing significant damage.

C2 Communications: Smoke Loader samples utilize unencrypted HTTP URIs for communication with Command and Control (C2) servers. The use of inactive domains within the configurations serves as decoys, complicating detection and tracking efforts.
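The File Deception finding above can be turned into a simple mail-gateway triage check. The following Python script is an added example written for this article, not code from the SCPC SSSCIP/Unit 42 report; the attachment names and header bytes are constructed, and the extension lists are assumptions. It flags double extensions that hand a "document" to a script host and extension/content mismatches; a true polyglot that is valid as both formats needs deeper parsing, which this header check alone will not catch.

```python
# Constructed sample attachments: (file name, first bytes of content).
# Modelled on the double-extension and masquerading tricks described in the
# report; none of these are real samples from the campaigns.
SAMPLES = {
    "invoice_2023.pdf.js": b"var s = new ActiveXObject(",
    "invoice.xlsx": b"PK\x03\x04",
    "payment.pdf": b"MZ\x90\x00",  # PE executable header behind a .pdf name
    "bill.doc.vbs": b"Set o = CreateObject(",
    "report.pdf": b"%PDF-1.7",
}

# Extensions that Windows hands to wscript.exe / powershell.exe / cmd.exe
# (assumed list for this example).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "ps1", "bat", "cmd", "hta"}
# Extensions a user would read as a harmless document or image.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Magic bytes the claimed extension should start with.
MAGIC = {
    "pdf": b"%PDF", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",
    "png": b"\x89PNG", "jpg": b"\xff\xd8\xff",
}
PE_MAGIC = b"MZ"


def triage_attachment(name: str, head: bytes) -> list[str]:
    """Return the reasons an attachment looks suspicious (empty list if none)."""
    reasons = []
    exts = name.lower().split(".")[1:]
    # Double extension: document-looking part followed by a script extension.
    if len(exts) >= 2 and exts[-1] in SCRIPT_EXTS and exts[-2] in DOC_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]} runs via script host")
    elif exts and exts[-1] in SCRIPT_EXTS:
        reasons.append(f"script extension .{exts[-1]} in mail attachment")
    # Masquerade: content header does not match the claimed extension.
    if exts:
        expected = MAGIC.get(exts[-1])
        if expected and not head.startswith(expected):
            reasons.append(f"content does not match .{exts[-1]} header")
        if head.startswith(PE_MAGIC) and exts[-1] not in {"exe", "dll"}:
            reasons.append("PE executable header behind non-executable extension")
    return reasons


def scan(samples: dict) -> dict:
    """Map each flagged attachment name to its list of reasons."""
    return {n: r for n, h in samples.items() if (r := triage_attachment(n, h))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```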

“Taking into account the periodicity of the analysed attacks with the usage of SmokeLoader over the past 7 months, it can be concluded that at this point it is unlikely that similar phishing campaigns will be organised with a frequency less than at least twice a month,” the report notes. “Considering this is important for taking precautionary measures not only to better detect and block SmokeLoader attack attempts, but also to ensure that the IT infrastructure will stay resilient against similar threats in the future.”
