SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

Dec 02, 2024 | Ravie Lakshmanan | Malware / Cryptocurrency

Taiwanese entities in the manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware.

“SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks,” Fortinet FortiGuard Labs said in a report shared with The Hacker News.

“While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server.”

SmokeLoader, a malware downloader first advertised on cybercrime forums in 2011, is primarily designed to execute secondary payloads. It also has the ability to download additional modules that extend its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.


“SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis,” a detailed analysis of the malware by Zscaler ThreatLabz noted.

“The developers of this malware family have consistently enhanced its capabilities by introducing new features and employing obfuscation techniques to impede analysis efforts.”

SmokeLoader activity saw a significant decline following Operation Endgame, a Europol-led effort that took down infrastructure tied to several malware families such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot in late May 2024.

As many as 1,000 C2 domains linked to SmokeLoader were dismantled, and more than 50,000 infections were remotely cleaned. That said, the malware continues to be used by threat groups to distribute payloads via new C2 infrastructure.


This, per Zscaler, is largely attributable to numerous cracked versions publicly available on the internet.

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader known as Ande Loader, which is then used to deploy SmokeLoader on the compromised host.
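Both flaws in that chain leave recognisable artefacts inside an Office Open XML attachment, which is where mail-gateway triage can catch such a lure before it is opened. The following Python is an added example, not code from Fortinet's report or the article: it unpacks the attachment's zip container and flags an oleObject relationship with an external target (the CVE-2017-0199 pattern) and an embedded OLE object carrying the Equation Editor CLSID or ProgID (the CVE-2017-11882 pattern). The archive contents, file names and the example URL are constructed for the demonstration.

```python
import io
import re
import uuid
import zipfile

# CLSID (stored little-endian inside OLE compound files) and ProgID of the
# Equation Editor COM server that CVE-2017-11882 abuses.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQUATION_EDITOR_PROGID = b"Equation.3"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
REL_RE = re.compile(r"<Relationship\b[^>]*>")


def scan_ooxml(data: bytes) -> dict:
    """Return indicator hits for the two Office exploit patterns named in the article."""
    hits = {"external_ole_link": [], "equation_editor_object": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                # CVE-2017-0199 style: an OLE object whose target is fetched from a URL.
                for rel in REL_RE.findall(zf.read(name).decode("utf-8", "replace")):
                    if "oleObject" in rel and 'TargetMode="External"' in rel:
                        target = re.search(r'Target="([^"]*)"', rel)
                        hits["external_ole_link"].append((name, target.group(1) if target else ""))
            elif "/embeddings/" in name:
                # CVE-2017-11882 style: an embedded compound file that is an Equation Editor object.
                blob = zf.read(name)
                if blob.startswith(CFB_MAGIC) and (
                    EQUATION_EDITOR_CLSID in blob or EQUATION_EDITOR_PROGID in blob
                ):
                    hits["equation_editor_object"].append(name)
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed xlsx-like archive (not a real sample) with or without both indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        target = ('Target="http://example.invalid/x.doc" TargetMode="External"'
                  if malicious else 'Target="../embeddings/oleObject1.bin"')
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    f'officeDocument/2006/relationships/oleObject" {target}/></Relationships>')
        clsid = EQUATION_EDITOR_CLSID if malicious else uuid.UUID(int=0).bytes_le
        zf.writestr("xl/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 72 + clsid)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample(True)))
    print(scan_ooxml(build_sample(False)))
```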


SmokeLoader consists of two components: a stager and a main module. While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process, the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands.

The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.

“SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage,” Fortinet said. “This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this.”
