URL: https://therecord.media/smokeloader-malware-russia-ukraine-financial-institutions

Daryna Antoniuk
March 20th, 2024
 * Cybercrime
 * News
 * Malware

Russia-linked hackers use Smokeloader malware to steal funds from Ukrainian
enterprises

Smokeloader malware used by Russia-linked cybercriminals remains one of the
major tools for financial hacks in Ukraine, according to a recent report.

Between May and November 2023, researchers identified 23 Smokeloader campaigns
aimed at various targets in Ukraine, including financial institutions and
government organizations. The hackers were most active in August and October,
launching 198 and 174 phishing incidents respectively, according to a report
published Tuesday by Ukraine’s major state cyber agency — SSSCIP — in
collaboration with cybersecurity firm Palo Alto Networks.

Ukraine’s computer emergency response team, CERT-UA, tracks the group behind
Smokeloader as UAC-0006. The group uses the malicious tool to download other
malware in attempts to steal funds from Ukrainian enterprises.

According to CERT-UA, the group behind the malware attempted to steal tens of
millions of hryvnias ($1 = about 40 Ukrainian hryvnias) from August to September
2023.

The hackers primarily distributed the malware through phishing campaigns, often
using previously compromised email addresses. This tactic allowed them “to
exploit trusted corporate email accounts to heighten the chances of tricking the
target into falling for the phishing attempts,” according to researchers.

Some of the email subjects and file names contained spelling mistakes or were
composed of a mix of Ukrainian and Russian words.

In their recent campaign in October, the hackers used Smokeloader to attack
state, private, and financial institutions, with a particular focus on
accounting departments.

The hackers concealed Smokeloader under layers of seemingly harmless financial
documents. Most of these files were legitimate and were stolen from
organizations that had been previously compromised.

Smokeloader uses various evasion strategies to slip past security measures
undetected. Once it has gained access to a system, it can extract key device
information, including operating system details and location data.

Researchers said that although Ukraine has seen a rise in Smokeloader attacks,
this malware “remains a global threat and continues to be seen in multiple
campaigns targeting other countries.”

Threat actors have been advertising Smokeloader on underground forums since
2011. The researchers did not attribute this malware to a specific hacker group,
but they suggest potential connections to Russian cybercriminal operations.

Over the years, Smokeloader has been repeatedly updated with new techniques to
evade detection by security vendors.

Since the malware first appeared, various groups have used it against different
industries and organizations across the globe. These activities range from
recent targeted cyberattacks in Ukraine to criminal activity resulting in Phobos
ransomware infections, researchers said.

Phobos is a ransomware-as-a-service strain that allows cybercriminals to gain
access to login credentials through phishing campaigns or brute force attacks,
in which attackers attempt to access a targeted account by trying different
combinations of usernames and passwords until they find the correct one.

In February, hackers used a Phobos variant to target an IT platform serving
hospitals in Romania. As a result of the attack, data from nearly 25 hospitals
was encrypted, and approximately 75 hospitals were disconnected from the
internet.


Tags
 * Smokeloader
 * Russia
 * Ukraine
 * Finance
 * malware
 * Phobos


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about
cybersecurity startups, cyberattacks in Eastern Europe and the state of the
cyberwar between Ukraine and Russia. She previously was a tech reporter for
Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent
and The Kyiv Post.
© Copyright 2024 | The Record from Recorded Future News