CyberSecurity SEE

A Phishing Campaign Targets Ukraine’s Largest Bank with Sophisticated Tactics

A phishing campaign targeting customers of PrivatBank, Ukraine’s largest state-owned financial institution, has been uncovered by cybersecurity analysts from CloudSEK. The financially motivated threat group UAC-0006 is behind this latest attack, utilizing password-protected archives containing malicious JavaScript, VBScript, or LNK files to avoid detection.

Since November 2024, UAC-0006 has been using payment-themed phishing lures to trick users into clicking on malicious email attachments disguised as invoices. These attachments contain JavaScript and VBScript files that execute PowerShell commands, as well as SmokeLoader malware for command-and-control communication. These tactics allow the threat actors to gain unauthorized access, execute payloads, and maintain control over compromised systems.

In the most recent attack, the phishing email includes a password-protected ZIP or RAR file. When the file is opened, the extracted JavaScript or VBScript file triggers a series of processes that inject malicious code into legitimate Windows binaries.
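One property worth using on the defensive side is that a password-protected ZIP only encrypts entry contents: the entry names and the per-entry "encrypted" flag stay readable in the central directory, so a gateway or analyst script can flag an archive that carries JavaScript, VBScript or LNK files before anyone extracts it. The following is an added example, not tooling from CloudSEK or PrivatBank; the sample archive is constructed inline, and the extension list is an assumption that extends the three file types named above with the other Windows script host variants.

```python
"""Triage an attachment archive from its metadata alone.

ZIP entry names and general-purpose flag bit 0 ("encrypted") are readable
without the password, so a password-protected archive that contains script
or shortcut files can be flagged before extraction.
Added example; the sample archive is constructed below.
"""
import io
import pathlib
import struct
import zipfile

# The article names JS, VBS and LNK lures; the remaining entries are the
# other Windows script host formats (assumption, not from the article).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk"}


def triage_zip(data: bytes) -> dict:
    """Return a verdict for a ZIP given as bytes, never reading entry contents.

    encrypted  - any entry has the encrypted flag set
    scripts    - entry names whose last extension is a script/shortcut type
    suspicious - an encrypted archive carrying at least one such entry
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = any(info.flag_bits & 0x1 for info in infos)
        # suffix() looks at the last extension, so "Invoice.pdf.js" is ".js"
        scripts = sorted(
            info.filename for info in infos
            if pathlib.PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS
        )
    return {"encrypted": encrypted, "scripts": scripts,
            "suspicious": encrypted and bool(scripts)}


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted flag in every local and central header.

    zipfile cannot write encrypted archives, so this constructed sample
    patches the flag word (offset 6 in local headers, 8 in central headers);
    only that metadata bit matters for triage.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            off = pos + flag_offset
            flags = struct.unpack_from("<H", buf, off)[0] | 0x1
            struct.pack_into("<H", buf, off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(entries: dict, password_protected: bool) -> bytes:
    """Constructed attachment: a stored ZIP with the given name -> content."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = out.getvalue()
    return _mark_encrypted(data) if password_protected else data


if __name__ == "__main__":
    # Constructed lure: password-protected archive hiding a double-extension script.
    lure = build_sample({"Invoice_0423.pdf.js": "WScript.Echo('x')",
                         "readme.txt": "see invoice"}, password_protected=True)
    print(triage_zip(lure))
    benign = build_sample({"report.pdf": "%PDF-1.4 sample"}, password_protected=False)
    print(triage_zip(benign))
```

The verdict deliberately ignores the archive's contents, so it works on exactly the attachments the lure relies on: the ones the gateway cannot open. RAR needs the same treatment with a RAR header parser, which is not shown here.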

Recent forensic analysis has revealed that UAC-0006 has incorporated LNK files as a new attack vector, similar to techniques previously attributed to the Russian APT group FIN7. This tactical evolution suggests a connection with EmpireMonkey and Carbanak, both infamous for financial cybercrime. The group’s use of PowerShell, process injection, and non-standard command-and-control communication aligns with their established modus operandi.

Phishing campaigns like this present numerous risks, including data compromise, credential theft, and financial fraud. Stolen information can be exploited or sold on the dark web, while unauthorized access to banking and corporate accounts can lead to further security breaches. Moreover, entities impersonated in phishing emails, such as PrivatBank, may suffer reputational damage, increasing downstream risks within the supply chain.

To combat these threats, cybersecurity experts recommend blocking malicious indicators associated with UAC-0006, providing security awareness training to employees to identify phishing attempts, and establishing incident response protocols to detect and mitigate attacks promptly.
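The chain described above (an archive extracted by the user, a JavaScript or VBScript file run by the Windows script host, PowerShell launched from it) is visible in ordinary process-creation telemetry, which is where a detection protocol can start. The following is an added example, not a rule published by CloudSEK or CERT-UA: it walks a list of constructed Sysmon-style events, reports every script host to PowerShell parent-child pair, and raises the severity when the grandparent is an archiver or Explorer, or when the PowerShell command line carries hidden-window, encoded-command or download-and-execute arguments. The extractor names and argument tokens are assumptions.

```python
"""Flag the archive -> script host -> PowerShell execution chain in
process-creation events. Added example over constructed records; the
archiver list and suspicious-argument tokens are assumptions."""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes that typically spawn a script host when a user opens a lure
# from an archive (assumption: common extractors plus Explorer).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}
# Lower-cased command-line fragments that justify a higher severity.
SUSPICIOUS_ARGS = ("-enc", "hidden", "downloadstring", "iex(", "frombase64string")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable base name, as a Sysmon Event ID 1 would carry
    cmdline: str


def find_chains(events):
    """Return one finding per PowerShell process whose parent is a script host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.lower() not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get(parent.ppid)
        severity = "medium"
        if grand is not None and grand.image.lower() in ARCHIVERS:
            severity = "high"
        if any(tok in e.cmdline.lower() for tok in SUSPICIOUS_ARGS):
            severity = "high"
        chain = [p.image for p in (grand, parent, e) if p is not None]
        findings.append({"pid": e.pid, "chain": " > ".join(chain),
                         "severity": severity, "cmdline": e.cmdline})
    return findings


# Constructed telemetry: one lure chain, one scheduled logon script, one
# console the user opened from Explorer. Paths and arguments are made up.
SAMPLE_EVENTS = [
    ProcEvent(300, 1, "svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, "7zfm.exe", r"7zfm.exe C:\Users\ann\Downloads\Invoice_0423.zip"),
    ProcEvent(600, 500, "wscript.exe",
              r"wscript.exe C:\Users\ann\AppData\Local\Temp\Invoice_0423.pdf.js"),
    ProcEvent(700, 600, "powershell.exe", "powershell.exe -NoP -W Hidden -enc QUJD"),
    ProcEvent(800, 400, "powershell.exe", "powershell.exe"),
    ProcEvent(900, 300, "cscript.exe", r"cscript.exe C:\Scripts\logon.vbs"),
    ProcEvent(950, 900, "powershell.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']}: {f['chain']} :: {f['cmdline']}")
```

The medium-severity finding for the logon script is intentional: script host to PowerShell is legitimate in many estates, so the rule reports it but reserves high severity for the archive-extraction ancestry or hostile arguments that the lure chain actually shows.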

The ongoing evolution of UAC-0006 highlights the increasing sophistication of financially motivated cybercrime groups. It underscores the importance of remaining vigilant, implementing proactive defense strategies, and raising user awareness to effectively counter these threats.
