State Intelligence Service warns of a new computer virus from UAC-0006 hackers
May 9, 2023
The Computer Emergency Response Team (CERT-UA) reported that a hacker group known as UAC-0006 is responsible for distributing emails through compromised accounts. The emails contain a ZIP archive that, when downloaded, launches an executable that installs the SmokeLoader malware.
What is known about the new threat
This cyberattack campaign started in April 2023 and is financially motivated. The UAC-0006 group has a history of financial cyberattacks performed between 2013 and July 2021. The hackers aim to hijack accountants’ computers that are used to support financial activities such as accessing remote banking systems.
They steal authentication data after gaining access:
entries,
passwords,
keys/certificates.
They then make unauthorized payments using the HVNC bot directly from the compromised computer.
How to protect against such attacks?
To minimize damage from these attacks, it is recommended that you temporarily block wscript.exe (Windows Script Host) from running on your computer. This is because the UAC-0006 group often uses JavaScript loaders. Temporarily blocking wscript.exe from running reduces the chances of falling victim to this type of attack.
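One way to apply and later lift the temporary block described above, as an added example that is not from CERT-UA or the article. It assumes the block is done by disabling Windows Script Host machine-wide through its `Enabled` registry value, which also stops cscript.exe, and that the script is run from an elevated PowerShell session with `-Action Block`, `Restore` or `Status`.

```powershell
# Added example (not from CERT-UA or the article): toggle Windows Script Host machine-wide.
# Assumption: disabling WSH through its "Enabled" registry value is acceptable in your
# environment; it stops both wscript.exe and cscript.exe from running scripts.
param(
    [ValidateSet('Block', 'Restore', 'Status')]
    [string]$Action = 'Status'
)

# 64-bit and 32-bit (WOW6432Node) views of the WSH settings key.
$settingsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
)

foreach ($key in $settingsKeys) {
    # Skip the 32-bit view on systems that do not have it.
    if (-not (Test-Path (Split-Path $key -Parent))) { continue }

    switch ($Action) {
        'Block' {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Enabled = 0 makes WSH refuse to run .js/.vbs/.wsf scripts.
            Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        }
        'Restore' {
            # Removing the value returns WSH to its default (enabled) state.
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
            }
        }
    }

    # Report the resulting state for this registry view.
    $current = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -ne $current -and "$current" -eq '0') { 'blocked' } else { 'enabled (default)' }
    '{0}: Windows Script Host is {1}' -f $key, $state
}
```

Because the recommendation is temporary, record when the block was applied and check for legitimate logon or administration scripts that rely on Windows Script Host before rolling it out widely.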
Using fake emails with fake invoices and payment requests is a relatively new tactic for this group and they are likely to continue to refine their tactics to avoid detection. Individuals and legal entities must be vigilant and take precautions against such attacks.
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.