Summary:
Financially motivated hackers have been actively using SmokeLoader malware in a series of sophisticated phishing campaigns, with a particular focus on targeting Ukrainian government and administration organizations. This ongoing campaign has been closely monitored and analyzed by the Ukrainian SSSCIP State Cyber Protection Center in collaboration with the Palo Alto Networks Unit 42 research team. The phishing campaign orchestrated by these hackers spans a period between May and November 2023, encompassing a total of 23 separate campaigns. These campaigns were characterized by their short but intense nature, involving recurrent waves of phishing emails specifically aimed at the financial departments of various sectors, including government agencies, defense institutions, telecommunications companies, retail businesses, and financial entities.

To increase the success rate of their phishing attempts, the attackers exploited previously compromised email addresses, thereby leveraging the trust associated with corporate accounts. The phishing emails were carefully crafted to appear legitimate, with subjects related to payment and billing matters. Additionally, the emails contained stolen financial documents obtained from previous data breaches, further enhancing their credibility.

Despite the sophisticated tactics employed by the hackers to mimic authenticity, the emails often contained subtle indicators such as spelling errors and a mix of Ukrainian and Russian language elements. Furthermore, the attackers utilized techniques like double file extensions to deceive recipients into opening seemingly harmless documents, which were, in reality, malicious payloads. Once a victim opened the malicious documents, the attackers leveraged legitimate Windows utilities for various malicious activities, including maintaining persistence on the compromised system, collecting sensitive information, and moving laterally within the network to expand their reach.

Security Officer Comments:
The SmokeLoader malware, which has been in circulation since 2011, serves as a versatile backdoor tool commonly used by cybercriminals to download and install additional malware on compromised devices. Over the years, SmokeLoader has evolved to incorporate advanced detection evasion techniques, such as sandbox detection, obfuscated code using opaque predicates, encrypted function blocks, anti-debugging measures, anti-hooking mechanisms, anti-VM techniques, and custom imports. The craftiness of SmokeLoader lies in its selective communication with C2 domains, with many of these domains intentionally remaining inaccessible.

Suggested Corrections:
A crucial element of defense against Smoke Loader is prioritizing security measures and cultivating smart online habits. Be extremely cautious when opening email attachments or clicking links, especially from unknown senders. Stick to trusted websites for downloads, and create strong, unique passwords for all online accounts. Stay informed on current cybersecurity threats. Such vigilance should significantly reduce the risk of falling victim to malware like Smoke Loader.

Link(s):
https://www.helpnetsecurity.com/2024/03/22/smokeloader-phishing/

https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/