SmokeLoader Malware Adopts New Tactics, Raises Security Concerns


In a recent development, the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyber attack campaign labeled UAC-0006. This campaign involves the distribution of the SmokeLoader malware, leveraging compromised email accounts and employing various delivery methods. 

The attack not only exhibits changes in tactics, techniques, and procedures (TTPs), but also reveals a potential expansion of the attacker’s toolkit.

This article aims to delve deeper into the UAC-0006 cyber attack, analyze the implications of its techniques, and shed light on the significance of this evolving threat.

SmokeLoader malware distribution methods

CERT-UA’s investigation revealed that the cybercriminals behind UAC-0006 utilize legitimate compromised mailboxes to propagate the SmokeLoader malware.

The malware is delivered through a series of complex steps involving email attachments and compressed files. Specifically, the following delivery chains have been observed:

  • EML -> ZIP -> HTML (JavaScript) -> ZIP -> JavaScript (Loader) -> EXE -> SmokeLoader
  • EML -> RAR -> VHDX -> JavaScript (Loader) -> EXE -> SmokeLoader
  • EML -> RAR -> VHD -> JavaScript (Loader) -> EXE -> SmokeLoader

Notably, during the examination of the VHDX files, a Cobalt Strike Beacon malware file named “Declaration fraudulent operation SIRION.scr” was discovered. The finding suggests that the UAC-0006 attackers may be expanding their arsenal and incorporating additional tools.

SmokeLoader malware: The changes in tactics, techniques, and procedures

The UAC-0006 campaign exhibits several notable changes in its tactics compared to previous iterations.

Firstly, the attackers have diversified their delivery chains, potentially to increase their chances of successful infiltration. By employing multiple methods, the cybercriminals attempt to exploit different vulnerabilities and evade detection.

Additionally, the distributed SmokeLoader malware samples discovered during the investigation contain 26 botnet management server URLs, with a majority of them being unregistered domains.

This indicates that the attackers are adopting a decentralized approach to manage their botnet infrastructure, making it more challenging to disrupt their operations.

The presence of the Cobalt Strike Beacon malware alongside SmokeLoader raises concerns about the expanding toolkit of the UAC-0006 group.

Cobalt Strike is a sophisticated tool favored by advanced persistent threat (APT) actors due to its powerful capabilities.

The inclusion of this malware suggests that the UAC-0006 group may have access to advanced attack tools, enhancing their potential for more sophisticated operations.

Exploiting Russian domain registrars and providers

In their pursuit of carrying out their malicious activities, the UAC-0006 attackers utilize Russian domain name registrars and service providers, including @reg.ru, @nic.ru, @iqhost.ru, @macloud.ru, and @cloudx.ru. 

This choice of infrastructure partners enables the cybercriminals to further their malevolent agenda while adding an extra layer of complexity to their operations.

The use of foreign domain registrars and providers poses challenges for tracking and taking down malicious infrastructure, requiring international collaboration among cybersecurity entities to effectively combat this threat.

Mitigation recommendations

Given the threat posed by UAC-0006 and the delivery method utilized, it is crucial to take proactive measures to minimize the attack surface.

CERT-UA advises restricting the use of Windows Script Host (wscript.exe, cscript.exe), since the JavaScript loaders in these delivery chains depend on it to deliver and launch SmokeLoader.

By restricting the usage of this technology on computers, organizations can reduce the risk of falling victim to UAC-0006 and similar malware campaigns.
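One way to apply this recommendation on a Windows host, as an added example that is not from the article or from CERT-UA: it assumes an elevated PowerShell session and uses the documented Windows Script Host "Enabled" registry setting, plus an optional audit of recent wscript/cscript launches from Security event 4688 (only present if process-creation auditing is on).

```powershell
# Added example: disable Windows Script Host machine-wide via the documented
# "Enabled" value under the Windows Script Host Settings key, and check the result.
# Assumes an elevated session; key path and value name are the standard ones
# Microsoft documents, not values taken from the CERT-UA advisory.

$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns the effective state: value absent means WSH is enabled by default.
    $prop = Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop)    { return 'Default (enabled)' }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Wsh {
    # Create the key if needed and set Enabled=0 (DWORD), which blocks wscript/cscript.
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    New-ItemProperty -Path $wshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "WSH before: $(Get-WshState)"
Disable-Wsh
Write-Host "WSH after:  $(Get-WshState)"

# Optional audit: list wscript/cscript process creations from the last 7 days so
# legitimate script dependencies can be identified before enforcing the setting.
# Relies on Security event 4688 with command-line auditing enabled (assumption).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\(wscript|cscript)\.exe' } |
    Select-Object TimeCreated,
        @{ n = 'Process'; e = { [regex]::Match($_.Message, 'New Process Name:\s+(\S+)').Groups[1].Value } },
        @{ n = 'Parent';  e = { [regex]::Match($_.Message, 'Creator Process Name:\s+(\S+)').Groups[1].Value } } |
    Format-Table -AutoSize
```

Apply the same value under HKCU for per-user enforcement, or deploy it through Group Policy Preferences for fleet-wide coverage.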

The UAC-0006 cyber attack campaign, centered around the distribution of the SmokeLoader malware, represents an evolving and concerning threat.

With the implementation of multiple delivery chains and the inclusion of the Cobalt Strike Beacon malware, the attackers have demonstrated adaptability and access to advanced tools. 

By leveraging compromised email accounts and exploiting Russian domain registrars and providers, the UAC-0006 group poses a significant challenge to cybersecurity professionals and organizations alike.

Vigilance, collaboration, and the adoption of mitigation strategies are essential in mitigating the risks associated with this evolving threat landscape.