Attackers weaponize Microsoft Access documents to execute malicious code

In numerous assertive phishing shots, the financially motivated association UAC-0006 laboriously targeted Ukraine, using ZIP and RAR extensions to spread SMOKELOADER malware. The most current attacks involve emails that carry Microsoft Access files and ZIP archives that, when extended, install weaponized malware on compromised systems, such as RMS and TALESHOT. The government computer emergency reaction team of Ukraine, CERT-UA, observed this unique activation of the financially motivated group UAC-0006.

A brief overview of UAC-0006's recent activities

According to CERT-UA reports, assaulters have established at least two movements to communicate the SMOKELOADER malware as of May 21, 2024. The SmokeLoader malware primarily impacts Windows-based devices. SmokeLoader tries to establish other malware (such as ransomware, cryptominers, or password robbers) on a computer after it has contaminated it. It might also rust files, rob personal data, and cause other issues.

The current attacks contain emails with a ZIP archive that may include the following:

  • The.IMG file includes EXE files.
  • Microsoft Access (ACCDB) records with macros that ensure the PowerShell order to install and establish the EXE file is managed.

As early, as RMS, TALESHOT, and different negative applications are packed into the machine following a main attack that is successful. Several hundred compromised PCs are presently in the bot network. CERT-UA anticipates an expansion in fake through small banking systems soon.

Recommendation

Thus, it is recommended that company managers take notice of the demand to improve the protection of computerized analysis workspaces as soon as possible. This can be done by checking the suggested signs of settlement and confirming that the right policies and security tools are utilized. SOC Prime Platform supplies curated and tested detection algorithms to help defenders prevent attacks linked to the UAC-0006 adversary action described in the most current CERT-UA information.