Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of surge in in cyberattacks linked to the financially-motivated threat actor UAC-0006. UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which […]

Ukraine CERT-UA backdoor SSU PathWiper wiper

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of surge in in cyberattacks linked to the financially-motivated threat actor UAC-0006.

UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The government experts reported that the group carried out at least two massive campaigns since May 20, threat actors aimed at distributing SmokeLoader malware via email.

SmokeLoader acts as a loader for other malware, once it is executed it will inject malicious code into the currently running explorer process (explorer.exe) and downloads another payload to the system.

“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware.” read the advisory published by CERT-UA.

The attackers sent out emails with ZIP archives containing an IMG files that serves as decoys for hidden EXE malware and ACCDB documents. The documents are weaponized Microsoft Access files, upon enabling the malicious macros they execute PowerShell commands to download and run EXE files.

The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS are downloaded onto the targeted PC.

The UAC-0006 actor is using a botnet composed of several hundred infected machines.

“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems.” continues the report.

CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. IT shared indicators of compromise for this campaign and is urging to implement proper security policies and protection mechanisms.

In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

UAC-0006 is the most active financially-motivated threat actor targeting Ukraine businesses, has already attempted to steal tens of million hryvnias through mass online theft campaigns in August-October 2023.

CERT-UA published an article that provides more details of the group’s TTPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)