Executive Summary

The ongoing phishing campaigns by UAC-0006, a financially motivated threat actor, are targeting the customers of Ukraine’s largest bank, PrivatBank. This campaign uses password-protected archives containing malicious JavaScript, VBScript, or LNK files to evade detection. The payloads include SmokeLoader, delivered using process injection, PowerShell, and legitimate system binaries, leading to C2 communication and payload execution. UAC-0006’s tactics, techniques, and procedures (TTPs) overlap with those of FIN7, indicating ties to Russian APT activity. 

Analysis 

Based on the sample attributes, we were able to find an active campaign being carried out by the threat actor. It’s a payment-themed phishing campaign targeting customers of Ukraine’s largest state-owned bank.

Payment-themed phishing campaign(Targeting Ukraine’s Largest State-Owned Bank)

The threat actors have been targeting PrivatBank’s customers since at least November 2024, with over two dozen distinct samples seen in the wild since then.

1. Phishing lure(SHA256): 5a0b48ccc1a353c4ace5e9626f17622611432a016577797d4c891ca945ffa7f8 (Privatbank_invoce_payment_20_12_2024.zip) drops 80c450570cd338a594546f9e6c189ffc2a849d3bac3759c53592af30840ffb90 (Платiжна iнструкция №187-ФГ вiд 19.12.2024p.pdf.js - translates to Payment instruction No. 187-FY dated 19.12.2024p.pdf.js)

‍

Translated text:

The account is valid for three banking days. In case of non-payment within three banking days, the amount will be changed.

Information for the Customer:

1. Reserve for components (materials) is kept for 5 days. Extension of the reserve period is possible

2. Electronic units, instrument panels and spare parts that were ordered individually, exchanged and returned

WARNING! Powers of attorney must be issued in accordance with Instruction No. 99 of May 15, 1996. In the case of the purchase of spare parts, including valuables. In the case of maintenance or repair of the car, it is not accepted to indicate the car model and registration number written on the amount.

‍‍

2. Phishing lure(SHA256): e0c57518aeef787bcf7cc13484486cfa48458bdf6b0baee02598e777a3ef83f2 (invoce2.pdf) drops ca90047f4c8b5c6628e38f11c1b3411ac8f0040a2d72e35c1a37de1d9a127131( Скан-копiя Власника.pdf.js - translates to Scan copy of the Owner.pdf.js) and dada50182ca98f75e0055f9b4a47d8ef3a6dda5c126cac309467c02257f3c1c0 (Скан-копiя Паспорт.vbs) - translates to Scanned copy of Passport.vbs)

‍

‍

Attack Flow

‍

‍

‍

1. The threat actor sends a phishing email with a password-protected zip/rar attachment. Archives are more likely to be password protected to evade email security checks.
2. A malicious javascript file, and a malicious VBScript are extracted from the archive. The 
3. The javascript performs process injection to wscript.exe, which in turn, runs an encoded powershell command.
4. The powershell command is meant to complete 2 tasks: 
   
   1. Firstly, it opens the PDF that was meant to be opened when the user downloaded and executed the attachment. 
   2. Secondly, it contacts SmokeLoader’s C2 servers to download and execute the final payload of the threat actor’s choice. 
5. More recently, we are starting to see UAC-0006 use an LNK lure in their phishing baits. When the .lnk file is executed, it runs powershell.exe with the specified command line arguments. This launches mshta.exe to retrieve and execute the file hosted on the C2 servers.

‍

Attribution

We have observed the following about the threat actors:

• They are fond of phishing lures with malicious capabilities.
• They just LOVE powershell.
• They have been persistently targeting the largest bank in Ukraine (Example - multiple phishing emails sent to Privatbank, Ukraine)

These attributes closely overlap with the profile of UAC-0006, a financially motivated threat actor group. Between 2023 and 2025, the threat actor group has started using LNKs and VBScripts in their phishing attack chain, in addition to what was publicly known according to the previous report. This highlights a TTP overlap with EmpireMonkey, a threat actor group that seems to be directly related to Carbanak, Anunak and/or FIN7. It is important to note that FIN7 is a Russian APT group with known ties to Black Basta ransomware group.

‍

‍

Impact

• Compromise of Sensitive Data: Victims of the phishing campaign risk disclosing sensitive personal or corporate data, including credentials, financial information, and organizational secrets, which can be exploited for further attacks or sold on underground markets.
• Credential Harvesting and Espionage: These phishing campaigns target individuals in key industries, potentially enabling espionage activities, unauthorized access to critical systems, and operational disruptions.
• Brand Damage and Mistrust: Companies impersonated in the phishing lures, such as CMIT Solutions, Soho Square Solutions, and Templar Protective Associates, face reputational harm, eroding trust among their clients and stakeholders.
• Supply Chain Risks: The impersonation of service providers and consultants increases the risk of downstream supply chain attacks, potentially impacting associated organizations and industries.

‍Mitigation

• Monitoring and Blocking: Proactively monitor and block malicious indicators using threat intelligence feeds to prevent access at the disk, DNS or network level.
• Incident Response and Reporting: Implement given yara rules based on internal thresholds. Establish robust incident response procedures to identify and contain phishing attempts quickly, and encourage employees and the community to report suspicious activities to facilitate takedown actions.
• Security Awareness Training: Educate employees, particularly those involved in hiring or HR roles, to recognize phishing attempts, such as unsolicited job-related emails from suspicious domains or unfamiliar contacts.

‍References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

‍Appendix

MITRE Mapping

‍

‍

Indicators of Compromise

‍

‍

rule Detect_Obfuscated_PowerShell_AES_Decryption {
    meta:
        author = "CloudSEK TRIAD"
        description = "Detects obfuscated PowerShell execution with AES decryption techniques"
        date = "2025-01-28"
        threat_actor = "Unknown"
        ttp = "Obfuscated PowerShell with AES decryption"

    strings:
        $powershell_flags = "-w 1 -ep Unrestricted -nop"
        $split_obfuscation = "return -split"
        $aes_create = "[Security.Cryptography.Aes]::Create()"
        $decryptor = ".CreateDecryptor("
        $transform_final_block = ".TransformFinalBlock("
        $char_array_join = "-join [char[]]"
        $custom_function_start = "function "
        $hex_processing = "-replace '..', '0x$& '"

    condition:
        uint16(0) == 0x5a4d and
        (
            all of ($powershell_flags, $split_obfuscation) or
            all of ($aes_create, $decryptor, $transform_final_block) or
            all of ($custom_function_start, $hex_processing)
        )
}

rule Detect_PowerShell_TTP_JS_PDF_Lure {
    meta:
        description = "Detects malicious PowerShell TTP triggered from .js in phishing PDF lures"
        author = "CloudSEK TRIAD"
        date = "2025-01-28"
        reference = "Threat intelligence analysis"
        tags = ["PowerShell", "phishing", "TTP", "malware", "PDF", "JS"]

    strings:
        $powershell_flags = "-w 1 -ep Unrestricted -nop"
        $function_def_bdhOG = "function bdhOG"
        $function_def_ujddZ = "function ujddZ"
        $aes_create = "([Security.Cryptography.Aes]::Create()).CreateDecryptor"
        $wscript_call = /"WScript\.exe" called "CreateProcessW" with parameter/i
        $embedded_js = /.*<\/script>/is

    condition:
        1 of ($powershell_flags, $function_def_bdhOG, $function_def_ujddZ, $aes_create) and
        $wscript_call and
        $embedded_js
}