GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006 is conducting sophisticated phishing campaigns targeting PrivatBank customers in Ukraine. By utilizing password-protected files containing malicious scripts, they manage to bypass security measures effectively. The campaign shows signs of technological overlap with the tactics used by the Russian APT group FIN7, indicating possible collaborative or inspired threat activities. Affected: PrivatBank, Financial Sector, Ukrainian Banking Customers

Keypoints :

Ongoing phishing campaigns by UAC-0006 targeting PrivatBank customers since November 2024.
Malicious scripts including JavaScript, VBScript, and LNK files are used in password-protected archives.
SmokeLoader malware is deployed via process injection and PowerShell commands.
Brand reputation at risk for companies impersonated in phishing lures.
Potential for credential harvesting and espionage affecting sensitive sectors.

MITRE Techniques :

Initial Access: T1566.001 – Spear-phishing Attachment: Malicious archive containing scripts sent via email.
Initial Access: T1547.001 – Shortcut Modification: Use of LNK files in phishing lures.
Defense Evasion: T1027.002 – Software Packing: Use of password-protected archives.
Defense Evasion: T1027 – Obfuscated Files or Information: Utilization of encoded PowerShell commands.
Execution: T1204.002 – User Execution: Malicious File: Requires user interaction to execute the attachment.
Execution: T1059.007 – JavaScript: Executes malware via JavaScript.
Execution: T1059.005 – Visual Basic: Executes VBScripts.
Execution: T1059.001 – PowerShell: Encoded commands executed via PowerShell.
Execution: T1218.005 – Mshta: Uses mshta.exe for file retrieval and execution.
Privilege Escalation: T1055 – Process Injection: JavaScript injects into wscript.exe.
Command and Control: T1105 – Ingress Tool Transfer: Downloads SmokeLoader from C2 server.
Command and Control: T1571 – Non-Standard Port: SmokeLoader communicates over non-standard ports.
Defense Evasion: T1036 – Masquerading: Legitimate PDF files are utilized to mask malicious activities.

Indicator of Compromise :

URL: http://89.23.107[.]219/privat.exe
URL: http://3-zak-media[.]de/temp/paxynok_privatbank_06_01_2025p.zip
URL: http://89.23.107[.]219/invoce.pdf
SHA256: 5a0b48ccc1a353c4ace5e9626f17622611432a016577797d4c891ca945ffa7f8
Email Attachment: Privatbank_invoce_payment_20_12_2024.zip

Full Story: https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine’s Largest State-Owned Bank