The notorious SmokeLoader malware has been identified targeting firms in Taiwan, including those in manufacturing, healthcare, information technology, and other industries.
SmokeLoader is renowned for its adaptability and sophisticated evasion strategies, and it can carry out a variety of attacks due to its modular structure.
In this case, SmokeLoader performs the attack directly by downloading plugins from its C2 server that retrieve cookies, autofill information, email addresses, and login credentials from popular browsers.
FortiGuard Labs’ research indicates that the attacks originated with phishing emails that contained malicious attachments intended to exploit the doc (CVE 2017-11882) and XLS (CVE 2017-0199) vulnerabilities.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
Overview Of The Phishing Campaign
This campaign employed a phishing email in which the sender contains a series of special instructions and says the malicious file attached is a quotation.
Although the use of native words and phrases makes this email attractive, phishing emails are distributed to several recipients with nearly identical content.
When forwarded to different companies, not even the recipient’s name (the redaction in the file name) is altered.
Furthermore, the phone number and email sign-off have a different font and color than the body, which raises the possibility that the text was copied.
In the third phase, a VBS file launches the malware loader, AndeLoader, and the same SmokeLoader file serves as the final payload.
A Microsoft Office vulnerability identified as CVE-2017-0199 takes use of an OLE2-embedded link object.
When the victim opens the crafted file, a malicious document is downloaded and executed. The harmful link is hidden in a sheet, and the file that is attached to the phishing email is protected.
The equation editor in Microsoft Office has an RCE (Remote Code Execution) vulnerability identified as CVE 2017-11882. Both encrypted data and a decryption algorithm are present in the shellcode.
Following decryption, the shellcode obtains the required APIs and uses the URLDownloadToFile method to download the VBS file for the following step.
The HTA file contains VBS code that has been encoded using URL-encoding several times. Following decoding, a VBS script is discovered with several spaces between symbols and variables.
The VBS script runs a PowerShell snippet that downloads AndeLoader’s VBS file. The C2 server sends nine plugins, including three individual plugins and three plugins in 32-bit and 64-bit versions.
The design of the plugin states that SmokeLoader progressively injects these plugins into explorer.exe using a loop. The malware is compatible with a number of plugins that retrieve cookies, autofill information, and login credentials from Chrome, Firefox, and Edge.
Additionally, it collects login credentials from FTP clients like FileZilla and WinSCP as well as Microsoft Outlook.
Following Operation Endgame, a Europol-led initiative that destroyed infrastructure connected to multiple malware families, including SmokeLoader in late May 2024, the malware activity significantly decreased.
Nevertheless, in this case, SmokeLoader uses new tactics such as plugins to carry out its attack rather than downloading a completed file for the final stage.
This demonstrates SmokeLoader’s versatility and underscores the importance of caution even when dealing with this well-known malware.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar