Taiwanese entities in the manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware.
"SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News.
"While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server."
SmokeLoader, a malware downloader first advertised on cybercrime forums in 2011, is mainly designed to execute secondary payloads. Additionally, it possesses the ability to download extra modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.
"SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis," an extensive analysis of the malware by Zscaler ThreatLabz noted.
"The developers of this malware family have consistently enhanced its capabilities by introducing new features and employing obfuscation techniques to impede analysis efforts."
SmokeLoader activity suffered a major decline following Operation Endgame, a Europol-led effort that took down infrastructure tied to several malware families such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot in late May 2024.
As many as 1,000 C2 domains linked to SmokeLoader were dismantled, and more than 50,000 infections were remotely cleaned. That said, the malware continues to be used by threat groups to distribute payloads via new C2 infrastructure.
This, per Zscaler, is largely due to the numerous cracked versions publicly available on the internet.
The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when opened, exploits years-old security flaws (e.g., CVE-2017-0199, an OLE link handling bug that makes Office fetch and run remote content, and CVE-2017-11882, a memory corruption bug in the Equation Editor, both patched in 2017) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host.
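For analysts triaging attachments from a campaign like this, the two exploits named above leave recognizable traces inside the OOXML package: CVE-2017-0199 lures carry an OLE object relationship whose target is an external URL, and CVE-2017-11882 lures carry an embedded Equation Editor object (ProgID `Equation.3`, CLSID `{0002CE02-0000-0000-C000-000000000046}`). The following script, an added example that is not code from Fortinet or The Hacker News, scans an xlsx for both indicators. The workbooks it scans are constructed in memory for the demonstration and are not real lures; the URL in them is a TEST-NET placeholder.

```python
"""Triage an OOXML (xlsx/docx) attachment for the two Office exploit patterns
discussed above. Added example; the sample workbooks are constructed in memory
and are NOT real SmokeLoader lures. Part names follow the standard OOXML layout."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
EQUATION_PROGIDS = {"Equation.2", "Equation.3"}
# {0002CE02-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQUATION_STREAM = "Equation Native".encode("utf-16-le")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file header


def scan_ooxml(data: bytes) -> list:
    """Return human-readable findings for an xlsx/docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                # CVE-2017-0199 pattern: oleObject relationship with an external target
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append(f"{name}: unparseable relationships part")
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode") == "External"):
                        findings.append(f"{name}: external OLE link to "
                                        f"{rel.get('Target')} (CVE-2017-0199 pattern)")
            elif name.endswith(".xml"):
                # Equation Editor ProgID declared on the worksheet's oleObject element
                for prog_id in re.findall(r'progId="([^"]+)"',
                                          blob.decode("utf-8", "replace")):
                    if prog_id in EQUATION_PROGIDS:
                        findings.append(f"{name}: Equation Editor object ({prog_id}) "
                                        "(CVE-2017-11882 target)")
            elif "/embeddings/" in name and blob.startswith(OLE_MAGIC):
                # Equation Editor CLSID or stream name inside the embedded OLE blob
                if EQUATION_CLSID in blob or EQUATION_STREAM in blob:
                    findings.append(f"{name}: embedded Equation Editor OLE object "
                                    "(CVE-2017-11882 target)")
    return findings


def build_workbook(ole_target: str, external: bool, equation: bool) -> bytes:
    """Construct a minimal xlsx-shaped zip for the demo (not a real document)."""
    prog_id = "Equation.3" if equation else "Package"
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
             f'<oleObjects><oleObject progId="{prog_id}" shapeId="1025" r:id="rId1"/>'
             '</oleObjects></worksheet>')
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/></Relationships>')
    ole_blob = OLE_MAGIC + b"\x00" * 24 + (EQUATION_CLSID if equation else b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        z.writestr("xl/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


def demo() -> dict:
    """Scan one constructed lure-shaped workbook and one benign one."""
    # 198.51.100.0/24 is TEST-NET-2; the URL is a placeholder, not a real C2
    lure = build_workbook("http://198.51.100.7/update.doc", external=True, equation=True)
    benign = build_workbook("../embeddings/oleObject1.bin", external=False, equation=False)
    return {"lure": scan_ooxml(lure), "benign": scan_ooxml(benign)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

The checks are deliberately cheap string and XML matches so they can run on a mail gateway or in a sandbox pre-filter; a hit on either indicator is reason enough to detonate the file rather than open it. A clean result is not proof of safety, since the same loader could arrive via macros or a different exploit.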
SmokeLoader consists of two components: a stager and a main module. While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process, the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands.
The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.
"SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage," Fortinet said. "This shows the flexibility of SmokeLoader and emphasizes that analysts must be careful even when looking at well-known malware like this."