In the ever-evolving landscape of cyber threats, the UAC-0006 threat actor group has recently resurfaced with a new wave of attacks. This time, they’re deploying the SmokeLoader malware through a sophisticated phishing campaign, leveraging polyglot files to evade detection and increase their success rate. This article aims to provide an in-depth analysis of this threat, its implications, and the associated Indicators of Compromise (IOCs).
UAC-0006: A Threat Actor Profile
UAC-0006 is a financially motivated threat actor group known for its phishing campaigns. Their recent activities, as reported by CERT-UA and SOC Prime, have shown an increased use of financial subject lures in their phishing emails. The group uses ZIP or RAR archives containing malicious HTML or VHDX files to deliver SmokeLoader to targeted systems. Once extracted, the archive triggers JavaScript code, which downloads and launches an executable file, further spreading the infection.
The group’s tactics, techniques, and procedures (TTPs) have evolved over time, with recent attacks showing the use of multiple infection chains and an expanded toolset, including a malicious Cobalt Strike Beacon. This evolution in TTPs indicates a potential increase in the severity of risks posed by UAC-0006.
SmokeLoader Malware and Polyglot Files
SmokeLoader is a notorious bot application that can load other malware onto compromised systems. It has been active since at least 2011 and is known for its use of deception and self-protection. The malware is typically delivered via a polyglot file, a file that is valid in multiple formats. This allows the malware to disguise itself, appearing as a harmless file in one format while executing malicious code when interpreted in another format.
In the case of UAC-0006’s recent campaign, the group used ZIP or RAR archives containing malicious HTML or VHDX files as polyglot files. These files, when extracted, trigger JavaScript code that downloads and launches an executable file, spreading the SmokeLoader infection.
You can read our profle on SmokeLoader here.
MITRE ATT&CK TTPs
The TTPs associated with UAC-0006’s SmokeLoader campaign map to several entries in the MITRE ATT&CK framework:
- Application Layer Protocol: Web Protocols (T1071.001): SmokeLoader uses HTTP for C2.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): SmokeLoader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.
- Command and Scripting Interpreter: Visual Basic (T1059.005): SmokeLoader adds a Visual Basic script in the Startup folder to deploy the payload.
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003): SmokeLoader searches for credentials stored from web browsers.
- Deobfuscate/Decode Files or Information (T1140): SmokeLoader deobfuscates its code.
- Local Email Collection (T1114.001): SmokeLoader searches through Outlook files and directories.
- File and Directory Discovery (T1083): SmokeLoader recursively searches through directories for files.
- Ingress Tool Transfer (T1105): SmokeLoader downloads a new version of itself once it has installed. It also downloads additional plugins.
- Obfuscated Files or Information (T1027): SmokeLoader uses a simple one-byte XOR method to obfuscate values in the malware.
- Process Injection (T1055): SmokeLoader injects into the Internet Explorer process.
- Process Hollowing (T1055.012): SmokeLoader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.
- Scheduled Task (T1053.005): SmokeLoader launches a scheduled task.
- Unsecured Credentials: Credentials In Files (T1552.001): SmokeLoader searches for files named logins.json to parse for credentials.
Indicators of Compromise (IOCs)
The IOCs associated with UAC-0006’s SmokeLoader campaign include phishing emails with financial subject lures, ZIP or RAR archives containing malicious HTML or VHDX files, and the SmokeLoader malware itself. Additionally, the use of a malicious Cobalt Strike Beacon during the intrusions is a significant IOC.
Summary
The UAC-0006 group’s recent activities underscore the evolving nature of cyber threats. Their use of polyglot files to deliver SmokeLoader malware demonstrates a sophisticated approach to evading detection and underscores the need for robust, multi-layered cyber defence strategies.
Further Reading
- SmokeLoader Malware Detection: UAC-0006 Group Reemerges to Launch Phishing Attacks Against Ukraine Using Financial Subject Lures – SOC Prime
- Detect SmokeLoader Malware: UAC-0006 Strikes Again to Target Ukraine in a Series of Phishing Attacks – SOC Prime
- Smoke Loader, Software S0226 | MITRE ATT&CKĀ®