Ukraine Government Impacted by SmokeLoader Malware

Malware was installed using phishing messages and an exploited vulnerability.

At least nine government and non-governmental entities in Ukraine were compromised with the SmokeLoader malware.

Research by Trend Micro determined that the malware was installed through a vulnerability in the 7-Zip archiver tool, reports The Hacker News. The company found that threat actors used malicious emails, purporting to be breach notices from Ukrainian government bodies, to distribute an archive file that utilises a homoglyph attack.

Researchers said the ongoing attacks exploiting the 7-Zip issue, which could facilitate a Windows Mark-of-the-Web protection bypass and arbitrary code execution, should prompt immediate upgrades to the latest 7-Zip version, adoption of email filters, and deactivation of untrusted file execution capabilities.

They also noted that the targeting of smaller government organisations as part of the campaign could serve as a springboard for more damaging intrusions.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
