CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine


May 08, 2023
Ravie Lakshmanan
Cyber Attack / Data Security


An ongoing phishing campaign with invoice-themed lures is being used to distribute SmokeLoader malware in the form of polyglot files, according to the Ukraine Computer Emergency Response Team (CERT-UA).

The email, according to the agency, is sent from a compromised account and comes with a ZIP archive that is, in fact, a polyglot file containing a decoy document and JavaScript files.

The JavaScript code is then used to launch an executable that in turn runs the SmokeLoader malware. SmokeLoader, first detected in 2011, is a loader whose main purpose is to download or load additional, stealthier or more capable malware onto an infected system.
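A defender-side check for the delivery vector described above, added here as an example and not part of the CERT-UA advisory or this article: a ZIP parser locates the archive by its end-of-central-directory record, so a "ZIP" that carries other data in front of the first local-file header still opens normally. The script below assumes that form of polyglot (assumption: prepended data, which the article does not detail), builds a constructed sample archive with a decoy document and a JavaScript member, and flags archives that both lack the ZIP signature at offset 0 and contain script-type members.

```python
import io
import os
import zipfile

# File extensions that Windows Script Host or cmd.exe will execute directly.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat"}

# Signatures a well-formed ZIP normally starts with (local header, empty archive, spanned).
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def build_sample_archive(prefix: bytes = b"") -> bytes:
    """Constructed sample: a ZIP with a decoy document and a JS file, optionally
    preceded by arbitrary bytes so it no longer starts with the ZIP signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        zf.writestr("invoice.js", b"WScript.Echo('constructed sample');\n")
    return prefix + buf.getvalue()


def analyze_archive(data: bytes) -> dict:
    """Return structural indicators for a candidate ZIP blob."""
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    members = []
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    # zipfile tolerates leading bytes (self-extractor stubs use this), so a
    # readable archive whose first bytes are not a ZIP signature has data prepended.
    prepended = is_zip and data[:4] not in ZIP_SIGNATURES
    scripts = [m for m in members if os.path.splitext(m.lower())[1] in SCRIPT_EXTENSIONS]
    return {
        "is_zip": is_zip,
        "prepended_data": prepended,
        "script_members": scripts,
        # Either indicator alone is common in benign files; the combination is the alert.
        "suspicious": prepended and bool(scripts),
    }


if __name__ == "__main__":
    polyglot = build_sample_archive(prefix=b"%PDF-1.4\n% constructed prefix\n")
    print(analyze_archive(polyglot))
    print(analyze_archive(build_sample_archive()))
```

The prefix used here is an arbitrary constructed byte string; in a real triage pipeline the same check runs over mail attachments before any member is extracted, and the member list (rather than the container's extension) drives the verdict.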

CERT-UA linked the activity to a threat actor it called UAC-0006 and characterized it as a financially motivated operation carried out with the aim of stealing credentials and carrying out unauthorized transfers of funds.


In a related advisory, the Ukrainian cybersecurity authority also disclosed details of a destructive attack orchestrated by a group known as UAC-0165 against public sector organizations.

The attack, which targeted an unnamed state organization, entailed the use of a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and permanently deletes them using the legitimate WinRAR utility.

This, in turn, is achieved by archiving the identified files using the command-line option “-df”, which deletes the source files after archiving, and then deleting the created archive. The batch scripts are executed via scheduled tasks.


Simultaneously, Linux systems were compromised using bash scripts that took advantage of the dd utility to overwrite files with zero bytes, effectively avoiding detection by security software.
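The destructive steps described for both platforms (WinRAR invoked with “-df” to delete files after archiving, batch scripts scheduled as tasks, and dd overwriting files from /dev/zero) all show up in process-creation telemetry, which is where a defender would catch them. The following detection logic is an added example, not code from CERT-UA or this article; the event records and the field names (`host`, `os`, `image`, `cmdline`) are a constructed, simplified form of what an EDR or Sysmon-style process-creation log carries.

```python
import ntpath
import posixpath
import re

# Constructed process-creation events (not real telemetry). Two are benign controls:
# a WinRAR backup without -df, and a dd disk image whose input is not /dev/zero.
SAMPLE_EVENTS = [
    {"host": "ws01", "os": "windows", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df C:\tmp\out.rar C:\Users\*.docx'},
    {"host": "ws01", "os": "windows", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "upd" /tr C:\tmp\run.bat /sc once /st 03:00'},
    {"host": "ws02", "os": "windows", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\backup\docs.rar C:\Users\*.docx'},
    {"host": "srv01", "os": "linux", "image": "/bin/dd",
     "cmdline": "dd if=/dev/zero of=/var/lib/app/data.db bs=1M"},
    {"host": "srv01", "os": "linux", "image": "/bin/dd",
     "cmdline": "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M"},
]

# Split a command line into tokens, keeping quoted paths with spaces intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def image_name(event: dict) -> str:
    mod = ntpath if event["os"] == "windows" else posixpath
    return mod.basename(event["image"]).lower()


def rule_winrar_delete_after_archive(event: dict) -> bool:
    """WinRAR/Rar.exe run with -df: source files are deleted once archived."""
    if event["os"] != "windows" or image_name(event) not in {"winrar.exe", "rar.exe"}:
        return False
    return any(t.lower() == "-df" for t in tokens(event["cmdline"]))


def rule_schtasks_batch_task(event: dict) -> bool:
    """A scheduled task created to run a .bat/.cmd script."""
    if event["os"] != "windows" or image_name(event) != "schtasks.exe":
        return False
    toks = [t.lower() for t in tokens(event["cmdline"])]
    return "/create" in toks and any(t.endswith((".bat", ".cmd")) for t in toks)


def rule_dd_zero_overwrite(event: dict) -> bool:
    """dd reading /dev/zero and writing to a regular file path rather than a device."""
    if event["os"] != "linux" or image_name(event) != "dd":
        return False
    opts = dict(t.split("=", 1) for t in tokens(event["cmdline"]) if "=" in t)
    target = opts.get("of")
    return opts.get("if") == "/dev/zero" and bool(target) and not target.startswith("/dev/")


RULES = {
    "winrar_delete_after_archive": rule_winrar_delete_after_archive,
    "schtasks_batch_task": rule_schtasks_batch_task,
    "dd_zero_overwrite": rule_dd_zero_overwrite,
}


def scan(events: list) -> list:
    """Apply every rule to every event; return one finding per (event, rule) match."""
    findings = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                findings.append({"host": event["host"], "rule": name, "cmdline": event["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['rule']}: {finding['cmdline']}")
```

Each rule is deliberately narrow so that routine use of WinRAR or dd (the two control events) does not fire; in practice the WinRAR and scheduled-task findings from the same host within a short window are the correlation worth alerting on, and the dd rule should be tuned against whatever provisioning tooling legitimately zeroes files in the environment.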

“It was found that the operation of electronic computers (server equipment, automated user workplaces, data storage systems) was impaired as a result of the destructive impact exerted by use of the appropriate software,” CERT-UA said.

“Access to the ICS of the target of the attack was allegedly obtained by connecting to the VPN using compromised authentication data. The successful implementation of the attack was facilitated by the lack of multi-factor authentication when connecting remotely to the VPN.”



The agency further linked UAC-0165 with moderate confidence to the infamous Sandworm group (aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year.

The link to Sandworm stems from significant overlap with another destructive attack that hit Ukraine’s state news agency Ukrinform in January 2023, which was attributed to the same adversarial collective.

The warning comes a week after CERT-UA warned of a phishing attack by the Russian state-sponsored APT28 group that targeted government entities in the country with bogus Windows update notifications.
