CERT-UA Warns of Malware Campaign Conducted by Threat Actor UAC-0006

Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of an increase in cyberattacks associated with UAC-0006, a financially motivated threat actor that has been active since 2013. Since May 20 this actor has launched two massive email campaigns distributing SmokeLoader, a malware that acts as a loader for other payloads. The emails carry malicious ZIP archives with two kinds of content: IMG disk images that wrap an EXE payload (mounting the image exposes the executable, which sidesteps filters that only look at the archive), and ACCDB (Microsoft Access) documents whose macros, once the recipient enables them, run PowerShell commands that download and execute further executables. CERT-UA notes that once the initial infection succeeds, additional malware such as TALESHOT and RMS is downloaded onto the targeted PC.
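A worked example of the mail-attachment triage this delivery chain calls for, added here and not CERT-UA's or the article's own tooling: it unpacks a ZIP, carves any IMG/ISO member for an embedded PE header without mounting the image, and string-scans Access databases for PowerShell download primitives. The archive, the member names and the image and ACCDB contents are constructed inside the script; the regex, the size cap and the severity scheme are assumptions, not anything CERT-UA published.

```python
"""Triage a ZIP email attachment for the UAC-0006 delivery pattern (added example).

Two vectors from the advisory are checked: a disk image (IMG/ISO) wrapping a PE
executable, and an Access database carrying a PowerShell download macro.
Sample data is constructed at the bottom of the file; nothing here is a real IoC.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

DISK_IMAGE_EXT = {".img", ".iso", ".vhd", ".vhdx"}
ACCESS_EXT = {".accdb", ".accde", ".mdb"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".dll", ".pif"}
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap: skip anything larger (zip-bomb guard)

# Assumed indicator set: PowerShell download-and-run primitives seen in Office macros.
PS_RE = re.compile(
    rb"powershell|-enc(?:odedcommand)?\b|DownloadFile|DownloadString|Invoke-WebRequest",
    re.IGNORECASE,
)


def image_contains_pe(data: bytes, step: int = 512) -> bool:
    """Carve a raw disk image for a PE header without mounting it.

    File data in FAT and ISO9660 images starts on a sector boundary, so walking in
    512-byte steps is enough. A bare 'MZ' is too common in random data; require that
    e_lfanew (offset 0x3C) points to a 'PE\\0\\0' signature as well.
    """
    for off in range(0, max(0, len(data) - 0x40), step):
        if data[off:off + 2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            return True
    return False


def access_db_indicators(data: bytes) -> list:
    """Strings found in an Access database that suggest a PowerShell download macro.

    Caveat: VBA inside an ACCDB is stored MS-OVBA-compressed, so a clean scan is not
    proof of absence. Any Access database arriving by mail still deserves detonation.
    """
    return sorted({m.group(0).decode("latin-1").lower() for m in PS_RE.finditer(data)})


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding per suspicious member; benign members are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = PurePosixPath(info.filename).suffix.lower()
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "kind": "oversized", "severity": "medium"})
                continue
            if ext in DISK_IMAGE_EXT:
                has_pe = image_contains_pe(zf.read(info))
                findings.append({"member": info.filename, "kind": "disk-image",
                                 "embedded_pe": has_pe, "severity": "high" if has_pe else "medium"})
            elif ext in ACCESS_EXT:
                hits = access_db_indicators(zf.read(info))
                findings.append({"member": info.filename, "kind": "access-db",
                                 "indicators": hits, "severity": "high" if hits else "medium"})
            elif ext in EXECUTABLE_EXT:
                findings.append({"member": info.filename, "kind": "executable", "severity": "high"})
    return findings


def verdict(findings: list) -> str:
    """Assumed policy: any high-severity finding blocks, any medium quarantines."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "quarantine"
    return "allow"


def _fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for an EXE: valid DOS stub pointer to a PE signature, no code."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the two lure types; not a real sample."""
    image = bytearray(4096)
    pe = _fake_pe()
    image[2048:2048 + len(pe)] = pe  # payload on an ISO-style 2 KiB sector boundary
    accdb = (b"\x00\x01\x00\x00Standard ACE DB\x00" + b"\x00" * 64
             + b'Shell "powershell -enc SQBFAFgAIAAo..."')  # constructed macro text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.img", bytes(image))
        zf.writestr("report.accdb", accdb)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for r in results:
        print(r)
    print("verdict:", verdict(results))
```

The PE carve is the part worth keeping: it catches the IMG-wraps-EXE trick at the mail gateway without handing the image to a mount, which is exactly the step the lure relies on the recipient performing. Tune `MAX_MEMBER_BYTES` and the regex to local traffic before relying on the verdicts.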

Security Officer Comments:
Infected systems are being incorporated into UAC-0006's botnet, which can be used for a range of follow-on activity. According to CERT-UA, the botnet comprises several hundred infected machines, and the agency expects the operators to move soon to fraudulent schemes against remote banking systems. Between August and October 2023, UAC-0006 attempted to steal tens of millions of hryvnias through mass online theft campaigns. The latest campaign follows the same pattern: compromise the workstations that hold access to financial systems, then use that access for fraudulent transfers.

Suggested Corrections:
CERT-UA urged the heads of Ukrainian enterprises to take immediate steps to improve the security of accountants' automated workplaces. This means checking those workstations against the published indicators of compromise and making sure the policies and protection mechanisms that break this specific chain are actually in force: block or quarantine disk-image attachments (IMG/ISO) at the mail gateway, enforce macro blocking for Office and Access files that arrive from the internet, and restrict and log PowerShell launched from Office applications so that a download-and-execute macro is stopped or at least visible.

Link(s):
https://securityaffairs.com/163711/cyber-warfare-2/cert-ua-warns-uac-0006-massive-campaigns.html