HackRead

A financially motivated threat actor, UAC-0006, is running an advanced phishing campaign against PrivatBank customers, using password-protected archives to deliver the SmokeLoader malware. CloudSEK researchers found that the phishing emails carry malicious JavaScript files disguised as legitimate documents; once executed, these inject code into Windows processes and run PowerShell commands to download the malware. The attackers rely on several evasion techniques, including password-protected archives, LNK files, and legitimate system binaries, to bypass detection. Overlaps in tactics between UAC-0006 and Russian-linked groups such as FIN7 and EmpireMonkey suggest possible ties to Russian APT activity. The campaign poses significant risks, including financial data theft, credential harvesting, espionage, and potential supply chain attacks.
