A new malware campaign leveraging SmokeLoader has been detected, targeting Taiwanese companies in the manufacturing, healthcare, and IT sectors.
FortiGuard Labs uncovered the attack in September 2024 and observed a shift in how SmokeLoader operates: rather than acting purely as a downloader for a separate final-stage payload, it carries out the attack directly through its own plugins.
The campaign begins with phishing emails written in local languages to increase credibility. The emails reuse text copied from legitimate communications but contain subtle formatting inconsistencies. Their attachments are Microsoft Office documents that exploit two long-patched vulnerabilities: CVE-2017-0199, an OLE object handling flaw that lets a document load a remote HTA payload when it is opened, and CVE-2017-11882, a memory corruption bug in the legacy Equation Editor component. The exploits deliver an initial loader stage, AndeLoader, which in turn deploys SmokeLoader.
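Because both vulnerabilities are years old, the quickest win for defenders is to catch the lure documents before they are opened. The Python script below is an added example, not code from FortiGuard Labs or the article: it implements static triage heuristics for the two exploit vectors named above (the RTF \objupdate trigger and embedded Equation Editor objects, plus the OOXML external OLE link variant) and runs them over constructed sample files. The sample documents, indicator names, and the hypothetical URL inside them are all assumptions made for illustration; the heuristics flag files worth detonating in a sandbox, they do not prove exploitation.

```python
"""Static triage of Office lures for the CVE-2017-0199 / CVE-2017-11882 delivery vectors.

Added example (not FortiGuard code). Heuristics only: a hit means "detonate me",
not "confirmed exploit".
"""
import io
import re
import zipfile

# Equation Editor ("Equation.3") CLSID {0002CE02-0000-0000-C000-000000000046} as it is
# stored little-endian inside an OLE object stream; the component hit by CVE-2017-11882.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def decode_objdata(rtf: bytes) -> bytes:
    """Hex-decode every {\\*\\objdata ...} group so the OLE1 header inside can be inspected."""
    out = bytearray()
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        out += bytes.fromhex(hexstr.decode("ascii"))
    return bytes(out)


def triage_rtf(rtf: bytes) -> list[str]:
    hits = []
    # \objupdate forces the object to refresh when the document opens: the trigger
    # RTF CVE-2017-0199 lures rely on to pull a remote HTA without user interaction.
    if re.search(rb"\\objupdate\b", rtf):
        hits.append("rtf:objupdate")
    blob = decode_objdata(rtf)
    if b"Equation.3" in rtf or b"Equation.3" in blob or EQUATION_CLSID in blob:
        hits.append("rtf:equation-editor")
    return hits


def triage_ooxml(doc: bytes) -> list[str]:
    hits = []
    try:
        z = zipfile.ZipFile(io.BytesIO(doc))
    except zipfile.BadZipFile:
        return ["ooxml:corrupt-zip"]
    with z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in re.finditer(r"<Relationship\b[^>]*>", xml):
                attrs = dict(re.findall(r'(\w+)="([^"]*)"', rel.group(0)))
                # An OLE object whose target lives outside the package is the .docx
                # shape of CVE-2017-0199: Word fetches the URL at open time.
                if attrs.get("Type", "").endswith("/oleObject") and attrs.get("TargetMode") == "External":
                    hits.append("ooxml:external-ole-link")
    return hits


def triage(data: bytes) -> list[str]:
    """Dispatch on magic bytes. Word accepts '{\\rt' as an RTF header, so match on the
    lenient prefix rather than the strict '{\\rtf1' that naive filters look for."""
    head = data.lstrip()
    if head[:4].lower() == b"{\\rt":
        return triage_rtf(data)
    if head.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    return []


# --- Constructed samples below; none of this is a real campaign artefact. ---
# OLE1 header: version, format id, class-name length, then "Equation.3\0".
_EQ_OBJDATA = "01050000" "02000000" "0b000000" "4571756174696f6e2e3300" "0000000000000000"
SAMPLE_RTF_EQNEDT = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + _EQ_OBJDATA.encode() + b"}}}"
SAMPLE_RTF_OBJUPDATE = b"{\\rt\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}"
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"


def build_docx(rels_xml: str) -> bytes:
    """Minimal OOXML package carrying the given word/_rels/document.xml.rels (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '<Relationship Id="rId5" Type="{t}" Target="{target}"{mode}/></Relationships>')
SAMPLE_DOCX_OLELINK = build_docx(_RELS.format(          # hypothetical URL
    t=OLE_REL_TYPE, target="http://lure.invalid/stage1.hta", mode=' TargetMode="External"'))
BENIGN_DOCX = build_docx(_RELS.format(
    t="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image",
    target="media/image1.png", mode=""))

if __name__ == "__main__":
    for label, sample in [("eqnedt.rtf", SAMPLE_RTF_EQNEDT), ("objupdate.rtf", SAMPLE_RTF_OBJUPDATE),
                          ("olelink.docx", SAMPLE_DOCX_OLELINK), ("benign.rtf", BENIGN_RTF),
                          ("benign.docx", BENIGN_DOCX)]:
        print(f"{label:15} {triage(sample) or 'clean'}")
```

The RTF path decodes the \objdata blob rather than grepping the raw file because lures routinely hex-encode the class name; the OOXML path inspects relationship files rather than document.xml because that is where an external target must be declared. Expect false positives from legitimate Equation Editor documents and linked OLE content, so treat a hit as a sandbox queue entry, not a verdict.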
SmokeLoader is known for its evasion techniques and modular architecture; the modularity allows it to download and execute plugins tailored to specific tasks.
In the observed attack, nine distinct plugins were deployed. They extract saved credentials and autofill data from popular browsers such as Chrome, Firefox, and Edge; retrieve sensitive data from email clients such as Outlook and Thunderbird; delete browser cookies to disrupt user sessions; inject malicious code into legitimate processes to evade detection; collect data from FTP software and other applications; identify vulnerable devices within the network; record keystrokes; and maintain the connection to the command-and-control (C2) server.
“In this case, SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage. This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this,” the researchers noted.