SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan
Summary:
In September 2024, Fortinet researchers observed a sophisticated phishing attack that utilized SmokeLoader malware to target organizations in Taiwan. SmokeLoader is notorious for conducting attacks against manufacturing, healthcare, information technology, and other critical sectors. SmokeLoader’s advanced evasion techniques and modular design allow it to excel in various use cases. As the name implies this malware primarily serves as a downloader to deliver secondary payloads. However, in the activity recently discovered by Fortinet, SmokeLoader carries out the attack alone by downloading malicious plugins from its C2 server.
This latest SmokeLoader attack chain begins with a phishing email containing an Excel attachment that leverages CVE-2017-0199 and CVE-2017-11882 as initial access vectors to deploy another loader malware called Ande Loader, which is used to subsequently deploy SmokeLoader on the compromised system (host?). SmokeLoader consists of two components: a stager and a main module. The stager is designed to decrypt, decompress, and inject the main module into an explorer.exe process while the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands. The main module communicates with the C2 server to potentially download 6 unique malicious plugins. The plugins’ capabilities include a wide range of information theft and credential harvesting.
Security Officer Comments:
A notable aspect of these SmokeLoader attacks is the array of malicious plugins, highlighting the modular nature of Smokeloader. This allows it to perform extensive credential harvesting using a toolkit of malware on compromised endpoints despite the malware’s loader design. This loader malware’s flexibility and targeted phishing emails emphasizes that analysts must be extra vigilant when addressing SmokeLoader campaigns. Phishing emails that use persuasive language can cause victims to feel a sense of urgency. Verifying the sender’s identity and the contents of the phishing attempt before taking action is critical for employees. Organizations must reinforce a commitment comprehensive security posture that emphasizes social engineering training.
Suggested Corrections:
IOCs are available here.
The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions thereby also increase the risk of personnel being targeted by phishing or spam attacks, and thus ransomware and other malware infections. Users should adhere to the following recommendations:
https://www.bleepingcomputer.com/news/security/novel-phising-campaign-uses-corrupted-word-documents-to-evade-security/
https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader
In September 2024, Fortinet researchers observed a sophisticated phishing attack that utilized SmokeLoader malware to target organizations in Taiwan. SmokeLoader is notorious for conducting attacks against manufacturing, healthcare, information technology, and other critical sectors. SmokeLoader’s advanced evasion techniques and modular design allow it to excel in various use cases. As the name implies this malware primarily serves as a downloader to deliver secondary payloads. However, in the activity recently discovered by Fortinet, SmokeLoader carries out the attack alone by downloading malicious plugins from its C2 server.
This latest SmokeLoader attack chain begins with a phishing email containing an Excel attachment that leverages CVE-2017-0199 and CVE-2017-11882 as initial access vectors to deploy another loader malware called Ande Loader, which is used to subsequently deploy SmokeLoader on the compromised system (host?). SmokeLoader consists of two components: a stager and a main module. The stager is designed to decrypt, decompress, and inject the main module into an explorer.exe process while the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands. The main module communicates with the C2 server to potentially download 6 unique malicious plugins. The plugins’ capabilities include a wide range of information theft and credential harvesting.
Security Officer Comments:
A notable aspect of these SmokeLoader attacks is the array of malicious plugins, highlighting the modular nature of Smokeloader. This allows it to perform extensive credential harvesting using a toolkit of malware on compromised endpoints despite the malware’s loader design. This loader malware’s flexibility and targeted phishing emails emphasizes that analysts must be extra vigilant when addressing SmokeLoader campaigns. Phishing emails that use persuasive language can cause victims to feel a sense of urgency. Verifying the sender’s identity and the contents of the phishing attempt before taking action is critical for employees. Organizations must reinforce a commitment comprehensive security posture that emphasizes social engineering training.
Suggested Corrections:
IOCs are available here.
The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions thereby also increase the risk of personnel being targeted by phishing or spam attacks, and thus ransomware and other malware infections. Users should adhere to the following recommendations:
- Do not open emails or download software from untrusted sources.
- Do not click on links or attachments in emails that come from unknown senders.
- Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion).
- Always verify the email sender's email address, name, and domain.
- Backup important files frequently and store them separately from the main system.
- Protect devices using antivirus, anti-spam, and anti-spyware software.
- Report phishing emails to the appropriate security or IT staff immediately.
https://www.bleepingcomputer.com/news/security/novel-phising-campaign-uses-corrupted-word-documents-to-evade-security/
https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader