SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan


Dec 02, 2024 | Ravie Lakshmanan | Malware / Cryptocurrency

Taiwanese entities in the manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware.

“SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks,” Fortinet FortiGuard Labs said in a report shared with The Hacker News.

“While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server.”

SmokeLoader, a malware downloader first advertised on cybercrime forums in 2011, is mainly designed to execute secondary payloads. It also has the ability to download additional modules that extend its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.

“SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis,” an extensive analysis of the malware by Zscaler ThreatLabz noted.

“The developers of this malware family have consistently enhanced its capabilities by introducing new features and employing obfuscation techniques to impede analysis efforts.”

SmokeLoader activity suffered a major decline following Operation Endgame, a Europol-led effort that took down infrastructure tied to several malware families such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot in late May 2024.

As many as 1,000 C2 domains linked to SmokeLoader were dismantled, and more than 50,000 infections were remotely cleaned. That said, the malware continues to be used by threat groups to distribute payloads via new C2 infrastructure.

This, per Zscaler, is largely due to the numerous cracked versions publicly available on the internet.

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when opened, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host.

SmokeLoader consists of two components: a stager and a main module. The stager's role is to decrypt, decompress, and inject the main module into an explorer.exe process, while the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands.
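As an added illustration of what a defender could watch for in the chain described above (an Excel attachment dropping a loader, and a stager injecting into explorer.exe), here is a small Python detection sketch run over constructed process-creation and remote-thread events. It is not code from Fortinet, Zscaler or this article; the pipe-separated event format, the field names and the sample paths are assumptions standing in for Sysmon-style telemetry.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Office hosts that should not normally launch executables from user-writable paths
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script/proxy binaries that are suspicious as children of an Office document
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a phishing-dropped loader typically lands in (assumed heuristic)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value|key=value' event format (assumed, not a real log schema)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, source, target) alerts for the two behaviours in the SmokeLoader chain."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["event"] == "process_create":
            parent, child = basename(ev["parent"]), basename(ev["image"])
            # Rule 1: Office application spawning a LOLBin or a binary from a user-writable path
            if parent in OFFICE_APPS and (child in LOLBINS or USER_WRITABLE.search(ev["image"])):
                alerts.append(("office_spawned_loader", parent, child))
        elif ev["event"] == "remote_thread":
            src = ev["source"]
            # Rule 2: a non-Windows-system binary creating a thread inside explorer.exe
            if basename(ev["target"]) == "explorer.exe" and not src.lower().startswith("c:\\windows\\"):
                alerts.append(("injection_into_explorer", basename(src), "explorer.exe"))
    return alerts


# Constructed sample telemetry: two benign events interleaved with the two malicious ones
SAMPLE_LOG = [
    r"event=process_create|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|image=C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"event=process_create|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|image=C:\Windows\splwow64.exe",
    r"event=remote_thread|source=C:\Users\alice\AppData\Local\Temp\invoice.exe|target=C:\Windows\explorer.exe",
    r"event=remote_thread|source=C:\Windows\System32\csrss.exe|target=C:\Windows\explorer.exe",
]


def run_demo() -> List[Tuple[str, str, str]]:
    return detect(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The benign events (Excel launching the print helper, csrss.exe touching explorer.exe) produce no alert, while the dropped loader and its injection into explorer.exe each do.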

The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.

“SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage,” Fortinet said. “This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even with well-known malware like this.”
