Recently, the SmokeLoader malware has re-emerged, targeting key industries in Taiwan, including manufacturing, healthcare, and information technology. This latest threat highlights the malware's capacity to conduct complex attacks through its modular design.

Fortinet FortiGuard Labs reports that SmokeLoader is exploiting its flexibility to execute attacks autonomously by downloading additional plugins through its command-and-control (C2) servers.

Initially introduced in 2011, SmokeLoader primarily serves as a downloader for other malware, but it has also gained capabilities to steal data, launch DDoS attacks, and mine cryptocurrency.

Zscaler ThreatLabz emphasizes SmokeLoader's ability to evade detection through sophisticated techniques such as fake network traffic generation and code obfuscation.

Although Operation Endgame, led by Europol in May 2024, disrupted SmokeLoader's operations, the malware continues to be used by cybercriminals due to the availability of cracked versions online.

Attack Methodology

The recent campaign began with phishing emails containing malicious Microsoft Excel attachments. These attachments exploit well-known security vulnerabilities (e.g., CVE-2017-0199, CVE-2017-11882) to deploy Ande Loader, which subsequently installs SmokeLoader on compromised systems.

SmokeLoader integrates two main components: a stager and a main module. The stager decrypts and injects the main module into the explorer.exe process, enabling it to maintain persistence and establish C2 communications.
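As an added defensive illustration (not code from the FortiGuard or Zscaler reports, and not SmokeLoader itself), the chain described above, an Excel attachment starting a loader whose stager injects into explorer.exe, can be expressed as a detection over process telemetry. The event shape is a simplified, constructed Sysmon-style record (id 1 = process create, id 8 = CreateRemoteThread); the loader and stager file names and paths are hypothetical.

```python
"""Flag CreateRemoteThread into explorer.exe from a process descended from Excel.

Constructed, Sysmon-style records (not real logs): id 1 = process create with
pid/ppid/image, id 8 = CreateRemoteThread with source pid and target image.
"""

OFFICE_IMAGES = {"excel.exe", "winword.exe"}  # assumption: Office hosts to watch
INJECTION_TARGET = "explorer.exe"             # injection target named on the page

# Constructed sample telemetry; loader/stager names are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\stager.exe"},
    {"id": 8, "pid": 400, "target_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_injection_chains(events):
    """Return (injecting_pid, lineage) for each CreateRemoteThread into
    explorer.exe whose source process has an Office process as an ancestor.
    The lineage runs from the Office process down to the injecting process."""
    parent = {}   # pid -> ppid
    image = {}    # pid -> image basename
    findings = []
    for ev in events:
        if ev["id"] == 1:
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = _basename(ev["image"])
        elif ev["id"] == 8 and _basename(ev["target_image"]) == INJECTION_TARGET:
            pid, lineage, seen = ev["pid"], [], set()
            while pid in image and pid not in seen:  # walk up; guard against cycles
                seen.add(pid)
                lineage.append(image[pid])
                if image[pid] in OFFICE_IMAGES:
                    findings.append((ev["pid"], lineage[::-1]))
                    break
                pid = parent[pid]
    return findings


if __name__ == "__main__":
    for pid, chain in find_office_injection_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)} -> inject:{INJECTION_TARGET}")
```

The walk stops at the first Office ancestor, so an injection by a process that is not under an Office host (here notepad.exe under explorer.exe) produces no finding.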

Capabilities and Implications

The malware supports numerous plugins capable of extracting login credentials, email information, and browser data from applications like Outlook, Thunderbird, and FileZilla.

According to Fortinet, SmokeLoader now leverages its plugins for attacks instead of downloading discrete payloads, showcasing its adaptability and the necessity for vigilance even when dealing with familiar threats.
