GetSmoked: UAC-0006 Returns with SmokeLoader Targeting Ukraine's Largest State-Owned Bank

    Date: 02/11/2025

    Severity: High

    Summary

    "GetSmoked: UAC-0006 Returns with SmokeLoader Targeting Ukraine's Largest State-Owned Bank" highlights a phishing campaign by the financially motivated threat actor UAC-0006, aimed at customers of PrivatBank, Ukraine’s largest state-owned bank. The campaign uses password-protected archives with malicious scripts to evade detection and delivers SmokeLoader payloads through process injection, PowerShell, and system binaries, enabling C2 communication. The tactics of UAC-0006 show similarities with those of FIN7, indicating possible ties to Russian APT activity.

    Indicators of Compromise (IOC) List

    URL/Domain


    IP Address

    94.156.177.51

    89.23.107.219

    109.70.26.37

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://3-zak-media.de/temp/paxynok_privatbank_06_01_2025p.zip" or url like "http://3-zak-media.de/temp/paxynok_privatbank_06_01_2025p.zip" or userdomainname like "http://89.23.107.219/final.mp4" or url like "http://89.23.107.219/final.mp4" or userdomainname like "constractionscity1991.lat" or url like "constractionscity1991.lat" or userdomainname like "http://3-zak-media.de/temp/gate.php" or url like "http://3-zak-media.de/temp/gate.php" or userdomainname like "http://3-zak-media.de/krayer-buergerschaft/Web/bilder/putty1.exe" or url like "http://3-zak-media.de/krayer-buergerschaft/Web/bilder/putty1.exe" or userdomainname like "spotcarservice.ru" or url like "spotcarservice.ru" or userdomainname like "http://spotcarservice.ru/fdjskf88cvt/yumba/putty.exe" or url like "http://spotcarservice.ru/fdjskf88cvt/yumba/putty.exe" or userdomainname like "http://89.23.107.219/invoce.pdf" or url like "http://89.23.107.219/invoce.pdf" or userdomainname like "3-zak-media.de" or url like "3-zak-media.de" or userdomainname like "http://cityutl.ru/download/pax.pdf" or url like "http://cityutl.ru/download/pax.pdf" or userdomainname like "http://spotcarservice.ru/fdjskf88cvt/putty1.exe" or url like "http://spotcarservice.ru/fdjskf88cvt/putty1.exe" or userdomainname like "restructurisationservice.ru" or url like "restructurisationservice.ru" or userdomainname like "http://89.23.107.219/privat.exe" or url like "http://89.23.107.219/privat.exe" or userdomainname like "http://spotcarservice.ru/fdjskf88cvt/invoce.pdf" or url like "http://spotcarservice.ru/fdjskf88cvt/invoce.pdf" or userdomainname like "http://spotcarservice.ru/fdjskf88cvt/invoce2.pdf" or url like "http://spotcarservice.ru/fdjskf88cvt/invoce2.pdf" or userdomainname like "http://cityutl.ru/download/putty.exe" or url like "http://cityutl.ru/download/putty.exe" or userdomainname like "connecticutproperty.ru" or url like "connecticutproperty.ru" or userdomainname like "cityutl.ru" or url like "cityutl.ru"

    Detection Query 2

    dstipaddress IN ("109.70.26.37","94.156.177.51","89.23.107.219") or ipaddress IN ("109.70.26.37","94.156.177.51","89.23.107.219") or publicipaddress IN ("109.70.26.37","94.156.177.51","89.23.107.219") or srcipaddress IN ("109.70.26.37","94.156.177.51","89.23.107.219")

    Detection Query 3

    sha256hash IN ("b62d21ec1f54e7f7d343bc836e87a13adf9f40f87fc54a7d3788baea9a2c2b08","7722151293bdc50640c719a55438ffd663a3d2bccc70392cdce8052b651afea0","993518e45c78f9cc19daefbabef980e2e16a5e2fa11036f1e98c6446efb38676","f4222b240f88d43e6c63b9d9c09d93c10ba882b91fc4a61c0cd833f7c79b4c44","119b79b9cdb773dc951c36fe35ea0237e5f035bda6493103399e3697dc929c3d","cd8dc77de5811a6a215e74cf61b3c34fcf28d5a05df5e4fc26fc9ad2ee72868b","bfc7164ed334044c780f0f15b56b559dfabbb0007ba268c180a281ac5bcc1f19","5b259a3ce6c0ce88690eb15d71162a930f267d960e26e88d37c92403d747f44a","0a898f1df135d52ef5006f8dba9e9fce4ab4a85e07a9417f39c7612113eb6210","97fe6b08d8a40c1f6990ca5c7405fdc98e014cf1fdfc2646580bffd34c1160ec","a2b10deef491ec1430f65157a411a47de0e9ad1431518b2fa4fe5f18a4f3e2bd","6d29acbbaf0c75eca458e3936dea7d20fceca415b897573b704d151c7e9261b8","38eb41eebbc889d046d354de345cf7c073971f62c2aaf53163ecefb7914273cc","1043ce610dd6e8b0cda635dbe1f15524c25d816f89ad22f9bc34403ef8e771cc","d143873322c13496b2fc580c07fead99c1679afe831202913cee522d88ff7795","21bbe1929d20c5525349dabe58748798f9cdaa1abd25f13dc98b4c0b8ffdde23","3216f4728788cc9a0416290d31a2fdc97bcd3f028582efc52dc1cd8208f0cebd","9aad92a2d4b310a344f102436f12d29c7ac635478918874181a18182e4f530b4","476a8e2d8eae4d2315e719bf67be312c5e88476509bdbac2dffee48986ad54c1","e8b08cb0774145ac432406f5e579aabaddb485ad29ba7d1eb1c5fb3000c5eefa","75f20c4171c699a991c45671b46174b0879e1fcf83ee4cdc63af8d6a833698b3","f72f2e0f0873885313dbde954f26acd1c02ed963512111b3f00cf7e9cd6e5e6d","527a4b00fc95ecb9c1308ccc4ebd6bac7c03053e8ed11cdeb08ac3a6af8775c3","5a0b48ccc1a353c4ace5e9626f17622611432a016577797d4c891ca945ffa7f8","3998a0d2e96417ce234a79897df8bcb879295043ce3d7f188c7b3de7375b26e5","d35cd24668474580161008eb655ce979400e382a58f0e6967b10a4d86343b6ec","3bfb1a880ea62bb4ad24e98a3a641b85e2392942af59727701c57ed094e5554e","107190bb8f28ed2bb2f0883ae1fbfe0e50cacc54c17dc526c865f6f46f40107a","31ba8ceffe689b570dc696c97291780288f16a15f91d3e55bf13d7dcdf3858a9","4a559be38d60d64cb378643cc4332f40fe94d5f6c4f71a4f593e4efcd918349c","4abf59022d70abac175ddd896e4d709d256ca56a7a9dd8a9805eb5f2af490576","7c3a1bbbcbd2a328d8fb70efbdc55efaeb23b8511955109facef5c6c20350afb","8a6466093bc38a5d075148fde75952372ab5d7bb991b74773d5e019e0e0145f0","b815638024caac8bb7e482465564ec2a091f2af52cbf635be268e9093cbc4e92","ee5a55588bbdfe6749da1962a9b7d1b29a87a10a324347070edd9e8ec33f7c82","f1d97e23cb0820e851d457dbb930576890e5bc6313cdf30d09f160cbdcdac90f","9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188","a3aac43dd6a592c9ec58121a09c8cd22fb1b2d05ca1ff91259e43565d5e33022","e0c57518aeef787bcf7cc13484486cfa48458bdf6b0baee02598e777a3ef83f2")
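    The three queries above can also be run offline against exported logs. The matcher below is an added example, not Gurucul's or CloudSEK's code; it takes its field names (userdomainname, url, dstipaddress, ipaddress, publicipaddress, srcipaddress, sha256hash) from the queries, uses a subset of the domains, IPs and one hash from this page, and the log records are constructed. It goes one step beyond the `like` queries: hosts are parsed out of URLs and domains match only exactly or as a parent domain, so look-alike hosts do not fire, and hashes are compared case-insensitively.

```python
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (domains, IPs, one SHA-256).
IOC_DOMAINS = {"3-zak-media.de", "spotcarservice.ru", "cityutl.ru",
               "connecticutproperty.ru", "constractionscity1991.lat",
               "restructurisationservice.ru"}
IOC_IPS = {"94.156.177.51", "89.23.107.219", "109.70.26.37"}
IOC_SHA256 = {"0a898f1df135d52ef5006f8dba9e9fce4ab4a85e07a9417f39c7612113eb6210"}
# Field names taken from the three TDIR queries above.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def hostname(value: str) -> str:
    """Lowercase host of a URL or bare host/IP; '' if nothing parsable."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def domain_hit(host: str) -> bool:
    """Exact match or subdomain of a listed domain, never a loose substring."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_record(rec: dict) -> list:
    """Return (field, indicator) pairs that fire for one log record."""
    hits = []
    for f in URL_FIELDS:
        h = hostname(str(rec.get(f, "")))
        if h and (domain_hit(h) or h in IOC_IPS):  # URL may embed a listed IP
            hits.append((f, h))
    for f in IP_FIELDS:
        if rec.get(f) in IOC_IPS:
            hits.append((f, rec[f]))
    sha = str(rec.get("sha256hash", "")).lower()  # hashes may be logged uppercase
    if sha in IOC_SHA256:
        hits.append(("sha256hash", sha))
    return hits

def scan(records) -> list:
    """(index, hits) for every record that matched at least one IOC."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

# Constructed log records, not real telemetry: one true positive, two
# look-alikes that a plain `like` substring match would flag, one benign.
SAMPLE_LOGS = [
    {"url": "http://3-zak-media.de/temp/gate.php", "dstipaddress": "109.70.26.37"},
    {"userdomainname": "notcityutl.ru"},
    {"url": "https://spotcarservice.ru.example.com/x",
     "sha256hash": "0A898F1DF135D52EF5006F8DBA9E9FCE4AB4A85E07A9417F39C7612113EB6210"},
    {"srcipaddress": "10.0.0.5", "url": "https://intranet.example/"},
]
```

    Running scan(SAMPLE_LOGS) flags only records 0 and 2; the decoy host in record 1 and the subdomain-spoofing host in record 2 are not reported.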

    Reference:

    https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank#Appendix

    Tags: Malware, APT, Russia, Phishing, SmokeLoader, Ukraine, Financial Services
