Russia-linked hackers use Smokeloader malware to steal funds from Ukrainian enterprises

Smokeloader malware used by Russia-linked cybercriminals remains one of the major tools for financial hacks in Ukraine, according to a recent report.

Between May and November 2023, researchers identified 23 Smokeloader campaigns aimed at various targets in Ukraine, including financial institutions and government organizations. The hackers were most active in August and October, launching 198 and 174 phishing incidents respectively, according to a report published Tuesday by Ukraine’s major state cyber agency — SSSCIP — in collaboration with cybersecurity firm Palo Alto Networks.

Ukraine’s computer emergency response team, CERT-UA, tracks the group behind Smokeloader as UAC-0006. The group uses the malicious tool to download other malware in attempts to steal funds from Ukrainian enterprises.

According to CERT-UA, the group behind the malware attempted to steal tens of millions of hryvnias ($1 = about 40 Ukrainian hryvnias) from August to September 2023.

The hackers primarily distributed the malware through phishing campaigns, often using previously compromised email addresses. This tactic allowed them “to exploit trusted corporate email accounts to heighten the chances of tricking the target into falling for the phishing attempts,” according to researchers.

Some of the email subjects and file names contained spelling mistakes or were composed of a mix of Ukrainian and Russian words.

In their recent campaign in October, the hackers used Smokeloader to attack state, private, and financial institutions, with a particular focus on accounting departments.

The hackers concealed Smokeloader under layers of seemingly harmless financial documents. Most of these files were legitimate and were stolen from organizations that had been previously compromised.

Smokeloader uses a variety of evasion techniques to get past security controls undetected. Once it has a foothold on a system, it can collect key device information, including operating system details and location data.

Researchers said that although Ukraine has seen a rise in Smokeloader attacks, this malware “remains a global threat and continues to be seen in multiple campaigns targeting other countries.”

Threat actors have been advertising Smokeloader on underground forums since 2011. The researchers did not attribute this malware to a specific hacker group, but they suggest potential connections to Russian cybercriminal operations. 

Over the years, Smokeloader has been updated and evolved to keep pace with techniques to avoid detection by security vendors.

Since the malware first appeared, various groups have used it against different industries and organizations across the globe. These activities range from recent targeted cyberattacks in Ukraine to criminal activity resulting in Phobos ransomware infections, researchers said.

Phobos is a ransomware-as-a-service strain whose operators gain access to login credentials through phishing campaigns or brute-force attacks, in which attackers try to get into a targeted account by submitting different combinations of usernames and passwords until one works.
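The brute-force pattern described above is easiest to spot in authentication logs. The following Python script is added here as an illustration and is not part of the SSSCIP/Palo Alto Networks report or of this article; it parses a handful of constructed sample log lines (the log format is assumed) and flags any source address that produces a burst of failed logins, noting whether a successful login followed the burst, which is the case a defender most wants surfaced.

```python
"""Flag brute-force login bursts in authentication logs.

Constructed example for illustration only: the log lines, the log format
and the thresholds are assumptions, not data from the report described
in the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format.
# Source 203.0.113.7 hammers one account and then succeeds;
# source 198.51.100.9 shows two spaced-out failures (ordinary user error).
SAMPLE_LOG = """\
2023-10-03T09:00:01 auth: FAIL user=olena src=203.0.113.7
2023-10-03T09:00:03 auth: FAIL user=olena src=203.0.113.7
2023-10-03T09:00:04 auth: FAIL user=olena src=203.0.113.7
2023-10-03T09:00:06 auth: FAIL user=olena src=203.0.113.7
2023-10-03T09:00:08 auth: FAIL user=olena src=203.0.113.7
2023-10-03T09:00:10 auth: OK   user=olena src=203.0.113.7
2023-10-03T09:05:00 auth: FAIL user=ivan  src=198.51.100.9
2023-10-03T09:30:00 auth: FAIL user=ivan  src=198.51.100.9
2023-10-03T10:00:00 auth: OK   user=ivan  src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that logged >= threshold failures inside
    any sliding window of length `window`. Each alert records the accounts
    targeted and whether a successful login followed the failure burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        burst_end = None
        # Slide a window over the failures; the first window holding
        # `threshold` failures marks the burst.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                break
        if burst_end is None:
            continue
        # A success after the burst is the higher-severity case:
        # the guessing may have worked.
        success_after = any(
            e["result"] == "OK" and e["ts"] >= burst_end for e in evs
        )
        alerts.append({
            "src": src,
            "users": sorted({e["user"] for e in fails}),
            "failures": len(fails),
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tuning `threshold` and `window` per environment matters: too low and normal typo rates page the on-call engineer, too high and a slow, patient guessing campaign never trips the rule. Extending the grouping key from source address to (source, account) pairs, or counting distinct accounts per source, turns the same structure into a password-spray detector.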

In February, hackers used a Phobos variant to target an IT platform serving hospitals in Romania. As a result of the attack, data from nearly 25 hospitals was encrypted, and approximately 75 hospitals were disconnected from the internet.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.