Unmasking UAC-0006: Group Behind Smoke Loader Backdoor
Ukraine's State Cyber Protection Centre (SCPC SSSCIP) reports a sustained wave of attacks using the Smoke Loader backdoor, linked to the ongoing conflict. Working with Unit 42 researchers at Palo Alto Networks, the agency attributes the campaign to a group it designates UAC-0006.
What is Smoke Loader?
Smoke Loader, also known as Dofoil or Sharik, is a veteran of the cybercrime underworld: the backdoor has been in use since at least 2011. Predominantly targeting systems running Microsoft Windows, it has long been a staple of Russian cybercriminals and is advertised openly on underground forums. Built to load other malware and steal information, Smoke Loader's evolution is well documented; it has grown from a simple payload deliverer into a potent threat in its own right.
Smoke Loader activity in Ukraine surged between May and November 2023. The attacks target financial institutions and government organizations and aim not only to disrupt but to siphon off data and funds, posing a significant threat to the nation's stability and security.
Why the Surge in Ukraine?
Ukraine has seen an unprecedented rise in Smoke Loader attacks aimed squarely at its financial institutions and government. This is not the first time the malware has appeared in the conflict, but the intensity suggests increased coordination and a clear intent both to steal funds and to undermine Ukraine's ability to resist.
The SCPC SSSCIP report tracks 23 distinct waves of these attacks between May and November 2023 alone. CERT-UA, Ukraine's national computer emergency response team, describes UAC-0006 as the primary financial cybercrime threat the country faces.
How Smoke Loader Spreads
Rather than relying on software exploits, Smoke Loader gains its initial foothold through social engineering: phishing emails that trick users into opening malicious attachments or clicking on links that lead to the malware. All 23 waves documented by SCPC SSSCIP were delivered by email. Because the initial access step depends on a user action rather than an unpatched flaw, patching alone does not stop it; mail filtering, attachment controls and user awareness matter just as much.
The joint Unit 42 and SCPC SSSCIP research gives a granular view of the adversaries' tactics, techniques, and procedures (TTPs). For technical details and in-depth analysis, see the original report.
Who’s Behind It?
Although not definitively proven, links to Russian cybercrime gangs are suspected behind the UAC-0006 attacks. CERT-UA ranks the group as a top financial threat, with millions of hryvnias (the Ukrainian currency) targeted in the past few months alone.
The Wider Conflict
The surge in Smoke Loader attacks underscores the cyber dimension of the Ukraine conflict. Cybersecurity is no longer only about protecting wallets; it is about safeguarding the infrastructure and information our societies depend on. As the conflict continues, attacks like these may grow in both intensity and number, affecting not only Ukraine but potentially spilling over globally.