In the ever-evolving landscape of cyber threats, the UAC-0006 threat actor group has recently resurfaced with a new wave of attacks. This time, they’re deploying the SmokeLoader malware through a sophisticated phishing campaign, leveraging polyglot files to evade detection and increase their success rate. This article aims to provide an in-depth analysis of this threat, its implications, and the associated Indicators of Compromise (IOCs).
UAC-0006: A Threat Actor Profile
The group’s tactics, techniques, and procedures (TTPs) have evolved over time, with recent attacks showing the use of multiple infection chains and an expanded toolset, including a malicious Cobalt Strike Beacon. This evolution in TTPs indicates a potential increase in the severity of risks posed by UAC-0006.
SmokeLoader Malware and Polyglot Files
SmokeLoader is a notorious bot application that can load other malware onto compromised systems. It has been active since at least 2011 and is known for its use of deception and self-protection. The malware is typically delivered via a polyglot file, a file that is valid in multiple formats. This allows the malware to disguise itself, appearing as a harmless file in one format while executing malicious code when interpreted in another format.
You can read our profile on SmokeLoader here.
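Because a polyglot file parses as a harmless document in one format while being valid in another, a defender's triage check is to look for more than one format signature in the same file. The script below is an added example written for this article, not code from the original page, SOC Prime or MITRE; the format list, the 4 KiB HTML window and the 64 KiB ZIP trailer window are my own assumptions, and the HTML+ZIP sample it builds is a constructed, benign stand-in for the lure files described.

```python
import io
import re
import zipfile

# Signatures checked at the start of the file, in a leading window, or in the
# trailer (ZIP readers locate the end-of-central-directory record from the end).
ZIP_LOCAL_HDR = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<body", re.IGNORECASE)


def detect_formats(data: bytes) -> set:
    """Return the set of formats that `data` would plausibly parse as."""
    found = set()
    head = data[:8]
    if head.startswith(b"MZ"):
        found.add("pe")
    if head.startswith(b"Rar!\x1a\x07"):      # covers RAR v4 and v5 magic
        found.add("rar")
    if head.startswith(b"vhdxfile"):          # VHDX file type identifier
        found.add("vhdx")
    if head.startswith(b"%PDF-"):
        found.add("pdf")
    # HTML parsers tolerate leading junk, so a marker anywhere in the first 4 KiB counts.
    if HTML_MARKERS.search(data[:4096]):
        found.add("html")
    # ZIP tools scan backwards for the EOCD record (max comment 64 KiB + 22-byte record);
    # require a local file header as well so a stray 4-byte match is not enough.
    tail = data[-(65536 + 22):]
    if ZIP_EOCD in tail and ZIP_LOCAL_HDR in data:
        found.add("zip")
    return found


def is_polyglot(data: bytes) -> bool:
    """A file that validates as more than one format deserves manual triage."""
    return len(detect_formats(data)) > 1


def build_sample_html_zip_polyglot() -> bytes:
    """Constructed benign sample: an HTML document with a ZIP archive appended.
    A browser renders the leading HTML; an archive tool finds the ZIP structures at the end."""
    html = b"<!DOCTYPE html><html><body><p>Invoice attached.</p></body></html>\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample entry - harmless text\n")
    return html + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_html_zip_polyglot()
    print(sorted(detect_formats(sample)), is_polyglot(sample))
```

Run it over an attachment quarantine directory to surface files that satisfy two parsers at once; a single-format hit is normal, two or more is the signal.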
MITRE ATT&CK TTPs
The TTPs associated with UAC-0006’s SmokeLoader campaign map to several entries in the MITRE ATT&CK framework:
- Application Layer Protocol: Web Protocols (T1071.001): SmokeLoader uses HTTP for C2.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): SmokeLoader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.
- Command and Scripting Interpreter: Visual Basic (T1059.005): SmokeLoader adds a Visual Basic script in the Startup folder to deploy the payload.
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003): SmokeLoader searches for credentials stored from web browsers.
- Deobfuscate/Decode Files or Information (T1140): SmokeLoader deobfuscates its code.
- Local Email Collection (T1114.001): SmokeLoader searches through Outlook files and directories.
- File and Directory Discovery (T1083): SmokeLoader recursively searches through directories for files.
- Ingress Tool Transfer (T1105): SmokeLoader downloads a new version of itself once it has installed. It also downloads additional plugins.
- Obfuscated Files or Information (T1027): SmokeLoader uses a simple one-byte XOR method to obfuscate values in the malware.
- Process Injection (T1055): SmokeLoader injects into the Internet Explorer process.
- Process Hollowing (T1055.012): SmokeLoader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.
- Scheduled Task (T1053.005): SmokeLoader launches a scheduled task.
- Unsecured Credentials: Credentials In Files (T1552.001): SmokeLoader searches for files named logins.json to parse for credentials.
Indicators of Compromise (IOCs)
The IOCs associated with UAC-0006’s SmokeLoader campaign include phishing emails with financial subject lures, ZIP or RAR archives containing malicious HTML or VHDX files, and the SmokeLoader malware itself. Additionally, the use of a malicious Cobalt Strike Beacon during the intrusions is a significant IOC.
The UAC-0006 group’s recent activities underscore the evolving nature of cyber threats. Their use of polyglot files to deliver SmokeLoader malware demonstrates a sophisticated approach to evading detection and highlights the need for robust, multi-layered cyber defence strategies.