Summary:
In September 2024, FortiGuard Labs reported an attack involving SmokeLoader malware targeting various sectors in Taiwan. SmokeLoader’s advanced evasion techniques and modular design allow it to execute a range of attacks, primarily serving as a downloader for other malware. The attack utilized phishing emails and exploited vulnerabilities in Microsoft Office to deliver the malicious payload. The severity of the attack is classified as high due to the potential for stolen information to be used in future attacks.
#SmokeLoader #PhishingAttack #MalwareEvasion
Keypoints:
SmokeLoader malware targets companies in Taiwan across multiple sectors.
The attack was initiated through phishing emails containing malicious attachments.
Two vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) were exploited to execute the malware.
The malware downloads plugins from its command and control (C2) server to perform various malicious activities.
SmokeLoader is capable of stealing sensitive information such as login credentials and cookies from multiple applications.
FortiGuard Antivirus detects and blocks the malware effectively.
Organizations are encouraged to train their staff to recognize and defend against phishing attacks.
MITRE Techniques
Phishing (T1566): Utilizes deceptive emails to trick users into downloading malicious files.
Remote Code Execution (T1203): Exploits vulnerabilities in Microsoft Office to execute malicious code.
Command and Control (T1071): Communicates with compromised systems to download additional payloads.
Credential Dumping (T1003): Extracts sensitive information such as login credentials from browsers and email clients.
Process Injection (T1055): Injects malicious code into legitimate processes to evade detection.
Data Encrypted (T1041): Uses encryption to protect the payload and communication with the C2 server.
IoC:
[IP] 198.23.188.147
[File Hash] f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
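As an added defender-side example (not code from the Fortinet report), the following Python runs three detections over constructed Sysmon-style events matching the chain described above: a child process under EQNEDT32.EXE (the Equation Editor component affected by CVE-2017-11882), an Office application spawning a script host such as mshta.exe (the OLE2Link abuse behind CVE-2017-0199), and a connection to the C2 address in the IoC list. The log lines, process paths and the set of flagged child processes are constructed assumptions.

```python
from typing import List, Tuple

# Constructed Sysmon-style events, NOT taken from the Fortinet report.
# Format: timestamp | event | parent image | child image or destination ip:port
SAMPLE_LOG = """\
2024-09-10T08:01:02 | ProcessCreate | C:\\Windows\\explorer.exe | C:\\Program Files\\Microsoft Office\\WINWORD.EXE
2024-09-10T08:01:05 | ProcessCreate | C:\\Windows\\System32\\svchost.exe | C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
2024-09-10T08:01:06 | ProcessCreate | C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE | C:\\Windows\\System32\\cmd.exe
2024-09-10T08:01:08 | ProcessCreate | C:\\Program Files\\Microsoft Office\\WINWORD.EXE | C:\\Windows\\System32\\mshta.exe
2024-09-10T08:01:09 | NetworkConnect | C:\\Users\\u\\AppData\\Roaming\\svc.exe | 198.23.188.147:80
2024-09-10T08:02:00 | ProcessCreate | C:\\Program Files\\Microsoft Office\\EXCEL.EXE | C:\\Windows\\splwow64.exe
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and shells that an Office document should never need to launch (assumed list).
LOLBIN_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# C2 address taken from the report's IoC list.
C2_IPS = {"198.23.188.147"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(log: str) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs for events matching the three rules."""
    findings = []
    for line in log.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, event, parent, target = parts
        p, t = basename(parent), basename(target)
        if event == "ProcessCreate" and p == "eqnedt32.exe":
            # Equation Editor is a COM server that never spawns children on its own;
            # any child process is the classic CVE-2017-11882 exploitation footprint.
            findings.append((ts, f"EQNEDT32.EXE spawned {t} (CVE-2017-11882 pattern)"))
        elif event == "ProcessCreate" and p in OFFICE_APPS and t in LOLBIN_CHILDREN:
            # CVE-2017-0199 abuses the OLE2Link handler to run an HTA via mshta.exe;
            # a shell or script host under an Office parent is worth triage.
            findings.append((ts, f"{p} spawned {t} (Office-to-script-host, CVE-2017-0199 pattern)"))
        elif event == "NetworkConnect" and target.split(":")[0] in C2_IPS:
            findings.append((ts, f"{p} connected to SmokeLoader C2 {target}"))
    return findings

if __name__ == "__main__":
    for ts, finding in analyse(SAMPLE_LOG):
        print(ts, finding)
```

The benign EXCEL.EXE to splwow64.exe event is included to show that ordinary Office children are not flagged.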
Full Research: https://feeds.fortinet.com/~/908739068/0/fortinet/blog/threat-research~SmokeLoader-Attack-Targets-Companies-in-Taiwan