3 December 2024

Sophisticated SmokeLoader campaign targets Taiwanese industries

A new malware campaign leveraging SmokeLoader has been detected, targeting Taiwanese companies in the manufacturing, healthcare, and IT sectors.

FortiGuard Labs uncovered the attack in September 2024, observing a shift in how SmokeLoader is deployed, directly executing its payloads instead of acting as a downloader.

The campaign begins with phishing emails written in local languages to increase credibility. These emails reuse text copied from legitimate communications but contain subtle formatting inconsistencies. The emails carry documents that exploit Microsoft Office vulnerabilities, specifically CVE-2017-0199 and CVE-2017-11882. The exploits deliver an initial malware stage, AndeLoader, which subsequently deploys SmokeLoader.
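As an added defender-side triage example (not code from the FortiGuard report or from the campaign itself), the following Python scans an OOXML document for the two weaponisation patterns named above: an oleObject relationship with an external target (the CVE-2017-0199 pattern) and an embedded Equation Editor object (the CVE-2017-11882 attack surface). The two sample documents and the `template.example.invalid` host are constructed here, and a hit is a triage signal rather than a verdict, since legitimate legacy documents can also embed Equation.3 objects.

```python
import io
import re
import zipfile

# CVE-2017-0199 pattern: an oleObject relationship whose target lives outside the package.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
# CVE-2017-11882 surface: an embedded Equation Editor object, found by ProgID in the document
# XML or by the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} serialised little-endian.
EQUATION_PROGID_RE = re.compile(r'ProgID="Equation\.3"', re.I)
EQUATION3_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000" "000000000046")

def scan_docx(data: bytes) -> list[str]:
    """Return triage findings for a .docx byte string; an empty list means no indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in REL_RE.findall(z.read(name).decode("utf-8", "replace")):
                    if OLE_REL_TYPE in rel and 'TargetMode="External"' in rel:
                        target = re.search(r'Target="([^"]*)"', rel)
                        findings.append(f"{name}: external OLE link to "
                                        f"{target.group(1) if target else '?'} (CVE-2017-0199 pattern)")
            elif name.endswith(".xml"):
                if EQUATION_PROGID_RE.search(z.read(name).decode("utf-8", "replace")):
                    findings.append(f"{name}: ProgID Equation.3 (CVE-2017-11882 surface)")
            elif name.startswith("word/embeddings/") and EQUATION3_CLSID in z.read(name):
                # Plain substring search over the OLE blob; no CFB directory parsing.
                findings.append(f"{name}: Equation Editor CLSID in OLE object (CVE-2017-11882 surface)")
    return findings

def build_docx(parts: dict[str, bytes]) -> bytes:
    """Pack parts into a minimal zip; used only to construct the test documents below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples (not real malware): a clean document and one carrying both indicators.
BENIGN = build_docx({
    "word/document.xml": b"<w:document><w:body><w:p/></w:body></w:document>",
    "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>',
})
SUSPICIOUS = build_docx({
    "word/document.xml": b'<w:document><w:body><w:p><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:p></w:body></w:document>',
    "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://template.example.invalid/remote.rtf" TargetMode="External"/></Relationships>',
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + EQUATION3_CLSID,  # CFB magic + CLSID
})

if __name__ == "__main__":
    print("benign:", scan_docx(BENIGN), "suspicious:", scan_docx(SUSPICIOUS))
```

Point `scan_docx` at mail-gateway attachments or a quarantine folder to surface documents worth a sandbox detonation before they reach users.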

SmokeLoader is known for its evasion techniques and modular architecture; that modularity allows it to download and execute plugins tailored for specific tasks.

In the observed attack, nine distinct plugins were identified, designed to: extract saved credentials and autofill data from popular browsers such as Chrome, Firefox, and Edge; retrieve sensitive data from email clients such as Outlook and Thunderbird; delete browser cookies to disrupt user sessions; inject malicious code into legitimate processes to evade detection; collect data from FTP software and other applications; identify vulnerable devices within the network; record keystrokes; and maintain the connection to its command-and-control (C2) server.

“In this case, SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage. This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this,” the researchers noted.
