A new phishing attack by UAC-0006 has been discovered targeting PrivatBank with malicious files in password-protected archives to evade detection
Analysis Summary
# Threat Actor: UAC-0006
## Attribution & Identity
* **Identification:** Financially motivated threat group UAC-0006.
* **Aliases/Associations:** The group's recent adoption of LNK files suggests an operational overlap with **FIN7**, **EmpireMonkey**, and **Carbanak**.
## Activity Summary
UAC-0006 has been running a sophisticated, financially motivated phishing campaign since at least November 2024. The primary target identified is **PrivatBank**, Ukraine’s largest state-owned financial institution. The ultimate goals include data compromise, facilitating fraud via stolen credentials/financial information, and credential harvesting for unauthorized access to banking and corporate accounts.
## Tactics, Techniques & Procedures
* **Initial Access:** Deployment of malicious email attachments disguised as invoices.
* **Evasion:** Utilizing password-protected ZIP or RAR archives containing malicious payloads (JavaScript, VBScript, or LNK files) to evade detection.
* **Execution & Persistence:**
    * JavaScript and VBScript files executing PowerShell commands.
    * Injecting malicious code into legitimate Windows binaries.
    * Adoption of LNK files as a new attack vector (mirroring FIN7 tactics).
* **Command and Control (C2):** Communication utilizing **SmokeLoader** malware.
* **Other Observed TTPs:** Use of PowerShell and process injection. (Specific MITRE ATT&CK IDs were not provided in the source material).
## Targeting
* **Sectors:** Financial Services (Banking).
* **Geography:** Primarily focused on Ukraine (specifically targeting PrivatBank).
* **Victims:** Customers of PrivatBank; potential downstream supply chain entities due to impersonation tactics.
## Tools & Infrastructure
* **Malware Families Used:** SmokeLoader (used for C2 communication).
* **Infrastructure (C2, domains, IPs):** Not specified, beyond the use of SmokeLoader for C2 communication. (No URLs or IPs were provided to defang.)
## Implications
UAC-0006 demonstrates continued operational evolution, adopting newer techniques like LNK file abuse, signaling increasing sophistication among financially motivated cybercrime groups. The targeting of a major national bank poses significant risks for financial fraud, credential compromise across the financial sector, and widespread reputational damage to targeted institutions and the broader supply chain.
## Mitigations
* Implement proactive monitoring and blacklisting of URLs, IPs, and file hashes associated with UAC-0006 activities.
* Conduct regular and updated security awareness training focused on identifying sophisticated phishing attempts, especially those involving password-protected archives.
* Establish robust incident response protocols specifically tailored for detecting and mitigating payload execution via VBScript, JavaScript, and LNK files.
* Monitor for indicators of SmokeLoader and process injection activity.
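The password-protected archive evasion listed under Tactics, Techniques & Procedures and the detection mitigation in the last bullet, as an added mail-gateway triage example that is not part of the original report: it lists the members of a ZIP attachment without the password (entry names and the encryption flag are readable in the central directory), flags JavaScript, VBScript and LNK members, and routes RAR archives to review rather than parsing them. The `build_sample` helper, the `allow`/`review`/`block` verdict scheme and the sample file names are assumptions; since `zipfile` cannot write encrypted archives, the helper sets the encryption flag bit by hand to emulate a protected archive.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Payload types the report says UAC-0006 ships inside protected archives.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".lnk"}


def inspect_attachment(data: bytes) -> dict:
    """Triage one attachment: archive kind, password protection, and
    whether it carries a script or shortcut payload. Names in a
    password-protected ZIP are readable without the password."""
    result = {"kind": "other", "encrypted": False, "payloads": [], "verdict": "allow"}
    if data.startswith(b"Rar!\x1a\x07"):
        # RAR (v4 and v5 magic) is not parsed here; send it to a sandbox.
        result.update(kind="rar", verdict="review")
        return result
    if not data.startswith(b"PK\x03\x04"):
        return result
    result["kind"] = "zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                if info.flag_bits & 0x1:
                    result["encrypted"] = True
                if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                    result["payloads"].append(info.filename)
    except zipfile.BadZipFile:
        result["verdict"] = "review"      # malformed archive: do not auto-allow
        return result
    if result["payloads"]:
        result["verdict"] = "block"       # script/LNK inside a mail attachment
    elif result["encrypted"]:
        result["verdict"] = "review"      # protected, contents look benign
    return result


def build_sample(members: dict, protected: bool) -> bytes:
    """Constructed test data (hypothetical): a ZIP whose entries are marked
    encrypted by setting flag bit 0 in the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    if protected:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 4)
    return bytes(data)
```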