The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of an ongoing phishing campaign that uses invoice-themed lures to distribute SmokeLoader malware through polyglot files.
The attackers send emails from compromised accounts carrying a ZIP archive that contains a decoy document and a JavaScript file (a polyglot file). The JavaScript code launches an executable that installs SmokeLoader, a loader in use since 2011 that downloads or loads more dangerous malware onto infected systems.
CERT-UA attributes the activity to a financially motivated threat actor it tracks as UAC-0006.
Ukraine's cybersecurity authority also disclosed details about the possibility of destructive attacks against public sector organizations orchestrated by a group tracked as UAC-0165. A closer look at the information the authority released shows that the attack bears some similarity to UAC-0006 activity.
The group targeted an unnamed state organization with a batch script-based wiper called RoarBAT, which deleted files with specific extensions by invoking the legitimate WinRAR utility.
The batch script was executed through a scheduled task, while Linux systems were compromised with a bash script that used the dd utility to overwrite files with zero bytes. As a result, the operability of computers was impaired, including server equipment, automated user workstations, and data storage systems. The attack was allegedly facilitated by the lack of multi-factor authentication on remote VPN connections.
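Detection logic for the two wiper behaviours described above (WinRAR turned into a deletion tool, and dd zero-filling files), as an added example that is not from the CERT-UA advisory or this article. It runs two rules over constructed process command lines; the WinRAR -df switch used as the indicator and the sample events are assumptions of this example, since the article does not name the exact switch RoarBAT used.

```python
import os
import shlex

# Constructed sample process-creation events (not data from the CERT-UA report).
# Each entry: (host_os, command_line)
SAMPLE_EVENTS = [
    ("windows", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -ep1 -df -m0 -- C:\tmp\x.rar *.docx'),
    ("windows", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\tmp\reports.rar C:\Users\bob\reports'),
    ("linux", "dd if=/dev/zero of=/var/lib/pgsql/data/base/16384/2619 bs=1M"),
    ("linux", "dd if=/dev/sdb of=/mnt/backup/disk.img bs=4M status=progress"),
]

def winrar_delete_after_archive(cmdline: str) -> bool:
    """True when WinRAR is told to add files and delete the originals afterwards.

    WinRAR syntax: <exe> <command> [switches] <archive> [files...].  The "a"
    command adds files; -df deletes them once archived, which is what turns an
    archiver into a deletion tool.  -df is a real WinRAR switch, but the article
    does not name the switch RoarBAT used, so this indicator is an assumption.
    """
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    exe = os.path.basename(tokens[0].replace("\\", "/")).lower() if tokens else ""
    if len(tokens) < 2 or exe not in ("winrar.exe", "rar.exe"):
        return False
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    return tokens[1].lower() == "a" and "-df" in switches

def dd_zero_fill(cmdline: str) -> bool:
    """True when dd reads /dev/zero into an explicit output path.

    Zero-filling a regular file destroys its contents in place.  Legitimate uses
    exist (e.g. preallocating a swap file), so treat a hit as a triage signal to
    be weighed with how many files one session zero-filled, not as a verdict.
    """
    tokens = shlex.split(cmdline)
    if not tokens or os.path.basename(tokens[0]) != "dd":
        return False
    opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return opts.get("if") == "/dev/zero" and bool(opts.get("of"))

def triage(events):
    """Return (host_os, command_line, reason) for every event matching a rule."""
    hits = []
    for host_os, cmdline in events:
        if host_os == "windows" and winrar_delete_after_archive(cmdline):
            hits.append((host_os, cmdline, "winrar add with delete-after-archive switch"))
        elif host_os == "linux" and dd_zero_fill(cmdline):
            hits.append((host_os, cmdline, "dd zero-fill of a file"))
    return hits
```

Feeding real EDR or auditd process-creation records into `triage` only requires mapping each record to the (host_os, command_line) shape used here.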
CERT-UA has attributed UAC-0165 with moderate confidence to the Sandworm group, which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war in 2014. The link to Sandworm rests on significant overlaps with another destructive attack, associated with the same adversarial collective, that hit the Ukrainian state news agency Ukrinform in January 2023. These alerts come a week after CERT-UA warned of phishing attacks by APT28, a Russian state-sponsored group that targeted government entities in the country with fake Windows update notifications.