URL: https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loader-phishing/
UNIT 42 COLLABORATIVE RESEARCH WITH UKRAINE’S CYBER AGENCY TO UNCOVER THE SMOKE
LOADER BACKDOOR

By Unit 42

March 19, 2024 at 3:00 AM

Category: Malware

Tags: Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire,
Cloud-Delivered Security Services, Cortex XDR, Cortex XSIAM, DNS security,
next-generation firewall, Smoke Loader, Spear Phishing, UAC-0006, Ukraine



EXECUTIVE SUMMARY

This article announces the publication of our first collaborative effort with
the State Cyber Protection Centre of the State Service of Special Communications
and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research
focuses on recent Smoke Loader malware activity observed throughout Ukraine from
May to November 2023, attributed to a group that CERT-UA designates as UAC-0006.

Unit 42 has been collaborating with Ukraine for many years to share actionable
intelligence and expertise. As the war in Ukraine enters its third year, Ukraine
faces an all-time high in both volume and severity of cyberattacks. Global
threat actors, including nation-states, cybercriminals and hacktivist groups,
are seizing the opportunity presented by the Ukraine conflict for their
malicious purposes. The SCPC SSSCIP has identified Smoke Loader as a prominent
type of malware used in recent attacks.

Also known as Dofoil or Sharik, Smoke Loader is a backdoor targeting systems
running Microsoft Windows. Threat actors have advertised this threat on
underground forums since 2011. Primarily a loader with added
information-stealing capabilities, Smoke Loader has been linked to Russian
cybercrime operations and is readily available on Russian cybercrime forums.

Ukrainian officials have highlighted a surge in Smoke Loader attacks targeting
the country’s financial institutions and government organizations. While Ukraine
has seen a rise in Smoke Loader attacks, this malware remains a global threat
and continues to be seen in multiple campaigns targeting other countries.
However, this surge of attacks suggests a coordinated effort to disrupt
Ukrainian systems and extract valuable data.

While Smoke Loader can be distributed through web-based vectors, attacks using
this malware against Ukraine have been detected in malicious emails from
phishing campaigns. The SCPC SSSCIP report provides detailed analysis on 23
waves of email-based attacks from May 10-Nov. 23, 2023. This report is most
beneficial to security professionals who study trends in attack chains, analyze
malware or are interested in deep technical analysis and detailed indicators of
compromise.

To review the technical aspects of these Smoke Loader campaigns in Ukraine,
refer to the SCPC SSSCIP report.

Readers can prevent Smoke Loader and similar malware attacks by prioritizing
security measures and cultivating smart online habits. Be extremely cautious
when opening email attachments or clicking links, especially from unknown
senders. Stick to trusted websites for downloads. Create strong, unique
passwords for online accounts, and stay informed of current cybersecurity
threats. These measures can significantly reduce the risk of falling victim to
malware like Smoke Loader.

Palo Alto Networks customers are better protected from the Smoke Loader samples
in the SCPC SSSCIP report through Cortex XDR and XSIAM, as well as through our
Next-Generation Firewall with Cloud-Delivered Security Services, including
Advanced WildFire, DNS Security, Advanced Threat Prevention and Advanced URL
Filtering.

If you think you might have been compromised or have an urgent matter, contact
the Unit 42 Incident Response team.

Related Unit 42 Topics: Smoke Loader, Spear Phishing, UAC-0006, Ukraine


TABLE OF CONTENTS

Background on Smoke Loader
The UAC-0006 Group
Scale of the Attacks
Conclusion


BACKGROUND ON SMOKE LOADER

Also called Dofoil or Sharik, Smoke Loader is a malicious program that loads
other malware, although it has a range of other capabilities. A 2016 article on
Smoke Loader noted that an early version was first advertised in the criminal
underground as early as 2011. Various sources have documented Smoke Loader
activity since then, and numerous reports have been published, including an
analysis on Smoke Loader we released in 2018.

Smoke Loader has been distributed through email, and it has appeared as a
payload from web-based vectors like Rig Exploit Kit. We have even seen Smoke
Loader distributed as a payload from other malware like Glupteba.

Since it first appeared, reporting on Smoke Loader indicates that various groups
have used it against different industries and organizations across the globe.
These activities range from recent targeted cyberattacks in Ukraine to criminal
activity resulting in Phobos ransomware infections.

As a well-known and currently active malware-as-a-service offering, Smoke Loader
is one of many ideal candidates (from the threat actor's perspective) for any
attack, including those reported by Ukraine's SCPC SSSCIP.


THE UAC-0006 GROUP

On May 5, 2023, CERT-UA issued alert CERT-UA#6613, its first notification of
Smoke Loader activity under the UAC-0006 identifier. Throughout the remainder of
2023, CERT-UA published five additional notices on the UAC-0006 group.

According to CERT-UA, the UAC-0006 group ranked first in the category of
financial crimes as of December 2023. UAC-0006 uses Smoke Loader to download
other malware, and the group uses this additional malware in attempts to steal
funds from Ukrainian enterprises. These attempts represent a significant
potential for financial loss.

While CERT-UA has not confirmed a specific threat actor behind these Smoke
Loader attacks, various sources suspect UAC-0006 might be associated with
Russian cybercrime.


SCALE OF THE ATTACKS

As previously noted, UAC-0006 ranks first in the category of financial crimes in
Ukraine as of December 2023. By October 2023, CERT-UA reported a surge in
UAC-0006 activity, noting this group attempted to steal tens of millions of
hryvnias (Ukraine's national currency) from August-September 2023.

The SCPC SSSCIP report documents 23 waves of Smoke Loader attacks from May
through December 2023 based on our joint research. These campaigns have notably
increased the threat level for accountants in Ukraine and represent the
potential loss of 1 million hryvnias per week on average.


CONCLUSION

Palo Alto Networks collaborated with the SCPC SSSCIP to provide actionable
threat intelligence to mitigate Smoke Loader attacks targeting Ukrainian
organizations. Our joint research provides valuable insight into how attackers
leverage Smoke Loader in real-world campaigns. This includes understanding
initial attack vectors, types of secondary payloads and the overall objective of
the attackers. Our research was used to help develop our mutual defenses and to
disrupt the entire attack chain.

For a deeper understanding of the technical aspects of UAC-0006 Smoke Loader
campaigns in Ukraine, read the SCPC SSSCIP report.

A crucial element of defense against Smoke Loader is prioritizing security
measures and cultivating smart online habits. Be extremely cautious when opening
email attachments or clicking links, especially from unknown senders. Stick to
trusted websites for downloads, and create strong, unique passwords for all
online accounts. Stay informed on current cybersecurity threats. Such vigilance
should significantly reduce the risk of falling victim to malware like Smoke
Loader.

Palo Alto Networks customers are better protected from Smoke Loader through
Cortex XDR and XSIAM, as well as through our Next-Generation Firewall with
Cloud-Delivered Security Services, including Advanced WildFire, DNS Security,
Advanced Threat Prevention and Advanced URL Filtering.

If you think you might have been compromised or have an urgent matter, contact
the Unit 42 Incident Response team or call:

 * North America Toll-Free: 866.486.4842 (866.4.UNIT42)
 * EMEA: +31.20.299.3130
 * APAC: +65.6983.8730
 * Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat
Alliance (CTA) members. CTA members use this intelligence to rapidly deploy
protections to their customers and to systematically disrupt malicious cyber
actors. Learn more about the Cyber Threat Alliance.
