THE SURGE IN SMOKELOADER ATTACKS ON UKRAINIAN INSTITUTIONS

EXECUTIVE SUMMARY

This report presents a troubling escalation in cyber threats by russian cybercriminals, who have dramatically increased their use of Smokeloader malware against Ukrainian financial and government organizations since May of this year. Smokeloader, a sophisticated and evasive malware strain, has become the weapon of choice for these threat actors, enabling them to infiltrate and compromise critical institutions. This report provides an in-depth analysis of the evolving tactics and strategies employed by these cybercriminals, shedding light on their motives, methodologies and potential impact.

The rise in Smokeloader-based attacks in the context of geopolitical tensions raises pressing concerns about broader threats to Ukrainian organizations, which emerge not only from russian state-sponsored APT threat actors but also from russian cybercrime groups.

SMOKELOADER MIST

Emerging from the darknet markets in 2011, the Smokeloader malware has evolved into a potent tool that has recently set its sights on Ukrainian organizations. The malware offers a sophisticated array of functionalities, making it a prized asset for threat actors. Its capabilities include discreet system infiltration, data exfiltration and remote access. The price of admission to this malicious toolkit varies, with options ranging from $400 for the basic bot to $1,650 for the complete package featuring all available plugins and functions.

Since May 2023, russian cybercrime threat actors have orchestrated a range of attacks against Ukrainian targets using Smokeloader as their weapon of choice, launching large waves of phishing attacks each month and favouring financial themes in the malicious emails.

[Figure 1: Chronology of threat actor activity (activity by date, May 2023 to October 2023)]

Our extensive analysis of their network infrastructure reveals a striking prevalence of russian domain registrars such as REGRU, REGTIME and RU-CENTER, hinting at possible connections to russian cybercriminal operations.

[Figure 2: Breakdown of domain registrars used by the cybercriminals: R01-RU 7.7%, REGRU-SU 3.8%, REGRU-RU 26.9%, RU-CENTER-RU 30.8%, REGTIME-RU 23.1%, Center of Ukrainian ... 7.7%]

DECEPTIVE TACTICS

Recent Smokeloader campaigns have exhibited a high degree of sophistication in their tactics and methods, with a pronounced focus on financial themes. These malicious operations commence with meticulously crafted phishing emails designed to lure victims. Financial themes dominate the content, creating a sense of urgency and relevance for recipients.

[Figure 3: Financially themed phishing email carrying Smokeloader; the forwarded message, written in Ukrainian, refers to an invoice and a reconciliation act and carries a .zip attachment named after those documents and dated 29.09.2023]

However, the true deception lies in the attachment, typically an archive file encapsulated multiple times. Inside this digital labyrinth, buried amidst seemingly benign documents, are the financially themed files that serve as the ultimate bait. Victims are led through these encapsulated layers until they reach the heart of the payload: Smokeloader.

Notably, these campaigns have displayed telltale signs that hint at the involvement of russian cybercriminals. Misspellings and discrepancies in the names of Ukrainian documents within the malicious attachments suggest a lack of linguistic finesse.

[Figure 4: Example of the Smokeloader infection chain: a nested archive whose members are named after Ukrainian financial documents, a .bat stage, and a JPEG lure image]

During extraction of the main payload, legitimate financially themed documents are displayed to the victims to reduce suspicion and make the lure look more credible. These decoy documents are legitimate files stolen from previously compromised organisations.

Upon execution, Smokeloader unfolds as a complex and clandestine operation: once unpacked, it sets out to establish connections with a pre-defined list of domains. Notably, this list of command and control (C2) domains is hardcoded within the malware's configuration (the analysed configuration carries the 2022 version's C2 list). However, the craftiness of Smokeloader lies in its selective communication: many of these domains remain intentionally inaccessible, acting as digital decoys to divert attention and complicate detection efforts.

MULTIFACETED FUNCTIONALITY

Smokeloader, a long-standing presence on darknet markets since 2011, is a multifunctional and highly evasive malware strain. It boasts a formidable repertoire of functionalities designed to safeguard itself from analysis and detection. Its self-preservation tactics include an array of anti-debug, anti-hooking and anti-VM features, creating a digital fortress that challenges cybersecurity experts. Beyond mere self-defense, Smokeloader extracts crucial system information, such as operating system details and geographical data, offering threat actors valuable insights into the infected system's environment. Employing techniques like process hollowing and a variety of evasion strategies, Smokeloader conceals its presence, slipping through security measures undetected.

[Figure 5: Thread selling Smokeloader ("Smoke Bot") on a darknet forum; the seller's post, in Russian, advertises a modular bot with plugin modules, detailed statistics by OS version, bitness, privileges and country, tasks to load EXE or DLL files (including from memory without saving to disk), geo-targeting, HTTPS support, injection into a trusted process to bypass proactive protection, anti-debug, anti-emulation and virtual machine detection, support for Windows 7-10 x32/x64, and a bot size of about 35 KB]

Further enhancing its capabilities, Smokeloader has a modular design that facilitates the expansion of its functionality. These modules allow the malware to adapt and evolve, tailoring its malicious operations to the specific objectives of the threat actors.

Module - Features
STEALER - Collects credentials and cookies from different applications (browsers, email clients, FTP)
FORM GRABBER - Intercepts web browser POST requests before they go through encryption
PASS SNIFFER - Intercepts credentials of the most common applications and protocols (FTP, POP3, IMAP, SMTP)
FAKE DNS - DNS spoofing: returns an incorrect IP address for a domain name according to a specific rule
FILE SEARCH - Performs search of files and sends them to adversaries
PROCMON - Monitors and interacts with processes
DDOS - Executes DDoS attacks
KEYLOGGER - Intercepts keystrokes
REMOTE PC - Surveys and controls the remote PC with file manager features
EMAIL GRABBER - Collects email addresses

In some recent cases the attackers managed to compromise the process of money transfers, effectively seizing control of the transaction flow. Instead of funds reaching their intended destination, the attackers substituted the legitimate account details with their own. This resulted in the diversion of the organization's funds into the coffers of the attackers. Such instances underscore the evolving tactics of cybercriminals, who now not only seek to infiltrate but also manipulate critical financial processes to siphon off resources.

[Figure 6: Smokeloader admin panel]

CONCLUSION

The recent surge in Smokeloader attacks orchestrated by russian cybercriminals against Ukrainian institutions underscores the ever-evolving and diversified nature of cyber threats facing the nation. These assailants have not only intensified their operations but have also demonstrated a remarkable adaptability in their tactics, targeting the heart of financial operations. The threat landscape in Ukraine has thus evolved into a multifaceted arena, with financially motivated cybercriminals joining the fray alongside state-sponsored actors.

In light of these developments, organizations in Ukraine are urged to remain vigilant and proactive in their cybersecurity posture. It is imperative to invest in personnel training to enhance awareness about financially themed phishing emails, the primary entry point for Smokeloader attacks. Securing endpoints, configuring intrusion detection systems (IDS) for real-time threat detection and implementing strict restrictions on the execution of scripts and executables from archives are essential measures to fortify defenses. Furthermore, continuous threat intelligence gathering and sharing through platforms like MISP (Malware Information Sharing Platform) for indicators of compromise are critical. Staying updated about emerging threats and the tactics employed by adversaries is paramount for building a resilient defense against the evolving Smokeloader threat and its multifaceted challenges. In this dynamic landscape, proactive and collaborative cybersecurity efforts are the keys to safeguarding Ukraine's digital frontiers.
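The report recommends restricting the execution of scripts and executables that arrive inside archives. As an added example, not code from the original report, the following Python check walks a nested zip attachment in memory the way a mail gateway would and flags the two patterns described above: document names ending in a script extension (such as .XLS.js) and executables named like invoices, with assumed caps on nesting depth and member size. Every file name and file content below is a constructed sample.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Script/executable extensions that should never run straight out of an archive,
# and the document-looking inner extensions used to disguise them ("...XLS.js").
EXEC_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "exe", "scr", "lnk"}
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "pdf"}
MAX_DEPTH = 4                  # assumed limit on archive nesting before giving up
MAX_MEMBER = 5 * 1024 * 1024   # assumed cap on inflated member size (zip bomb guard)


def classify(name: str) -> Optional[str]:
    """Label a member name as suspicious, or return None if it looks benign."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return "double-extension script/executable (.%s.%s)" % (parts[-2], parts[-1])
    return "executable content (.%s)" % parts[-1]


def scan_archive(data: bytes, path: str = "attachment.zip", depth: int = 0) -> List[Tuple[str, str]]:
    """Walk a zip held in memory, descending into nested zips; return (member path, finding)."""
    if depth > MAX_DEPTH:
        return [(path, "archive nesting exceeds limit")]
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = path + "/" + info.filename
            if info.file_size > MAX_MEMBER:
                findings.append((member, "oversized member, not inflated"))
                continue
            blob = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                findings.extend(scan_archive(blob, member, depth + 1))
                continue
            label = classify(info.filename)
            if label:
                findings.append((member, label))
    return findings


def build_sample() -> bytes:
    """Constructed lure: outer zip -> inner zip -> decoy PDF plus two disguised payloads."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Рахунок_до_оплати.pdf", b"%PDF-1.4 decoy document")
        z.writestr("Акт_звірки.XLS.js", b"// constructed stub, not malware")
        z.writestr("Рахунок_до_оплати.exe", b"MZ constructed stub")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Список_документів.zip", inner.getvalue())
    return outer.getvalue()
```

Running scan_archive(build_sample()) reports the .XLS.js and .exe members with their full nested path and leaves the decoy PDF alone.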