CERT-UA warns of malware campaign conducted by threat actor UAC-0006

Published 2024-05-26 at https://securityaffairs.com/163711/cyber-warfare-2/cert-ua-warns-uac-0006-massive-campaigns.html

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a surge in cyberattacks linked to the financially-motivated threat actor UAC-0006.

UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The government experts reported that the group has carried out at least two massive campaigns since May 20, aimed at distributing the SmokeLoader malware via email.

SmokeLoader acts as a loader for other malware: once executed, it injects malicious code into the running Explorer process (explorer.exe) and downloads additional payloads to the system.

“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware,” reads the advisory published by CERT-UA.

The attackers sent out emails with ZIP archives containing IMG files that serve as decoys for hidden EXE malware, along with ACCDB documents. The documents are weaponized Microsoft Access files; once the malicious macros are enabled, they execute PowerShell commands to download and run EXE files.

The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS is downloaded onto the targeted PC.

The UAC-0006 actor is using a botnet composed of several hundred infected machines.

“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems,” continues the report.

CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. It shared indicators of compromise for this campaign and urged organizations to implement proper security policies and protection mechanisms.

In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

UAC-0006 is the most active financially-motivated threat actor targeting Ukrainian businesses; it had already attempted to steal tens of millions of hryvnias through mass online theft campaigns in August-October 2023.

CERT-UA published an article that provides more details of the group’s TTPs.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)
