### #SmokeLoaderThreat #TaiwaneseCyberAttacks #ModularMalware
Summary: A sophisticated malware campaign utilizing SmokeLoader has been detected, specifically targeting Taiwanese companies in the manufacturing, healthcare, and IT sectors. The campaign employs evasion techniques, exploits two Microsoft Office vulnerabilities for initial execution, and uses SmokeLoader's own plugins to carry out the attack rather than downloading a separate final-stage payload.
Threat Actor: Unknown | unknown
Victim: Taiwanese Companies | Taiwanese Companies
Key Points:
- The campaign begins with phishing emails that trick recipients into opening malicious attachments, often containing subtle formatting inconsistencies.
- Exploited vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) allow the initial malware stages to be delivered.
- SmokeLoader’s modularity enables the deployment of nine distinct plugins for various malicious tasks, including credential theft and code injection.
- Defensive measures recommended include keeping antivirus signatures updated, phishing awareness training, and implementing content disarm and reconstruction (CDR) services.
A sophisticated malware campaign leveraging SmokeLoader has been observed targeting Taiwanese companies across manufacturing, healthcare and IT sectors.
SmokeLoader, a modular malware known for its adaptability and evasion techniques, is being used in this attack to execute its payloads directly through its own plugins rather than serving as a downloader for a separate final-stage malicious file.
Key Attack Stages
Identified by FortiGuard Labs, the campaign begins with phishing emails designed to trick recipients into opening malicious attachments. These emails, written in local languages and featuring copied text for authenticity, often include subtle formatting inconsistencies that could signal their fraudulent nature.
Once opened, the attachments exploit two Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to deliver the initial malware stages. Through these vulnerabilities, the malware executes AndeLoader, which prepares and carries out the final deployment of SmokeLoader itself.
SmokeLoader’s modularity is central to this attack. It deploys nine distinct plugins, each with specialized tasks like stealing credentials, clearing cookies and injecting code into processes.
Notably, these plugins target popular browsers, email clients and FTP software to gather sensitive data. For instance, one plugin extracts credentials and autofill data from Chrome, Firefox and Edge, while another retrieves email information from Outlook and Thunderbird.
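A practitioner reading the stages above usually wants a quick triage check for the two document exploits they name. The following Python script is an added example, not code from the original article or from FortiGuard Labs. It assumes the attachments are RTF documents (the usual carrier for these two bugs; the article does not state the file type), hex-decodes each \objdata group and searches the raw OLE bytes for the Equation Editor class identifier (the object CVE-2017-11882 is reached through) and the URL moniker class identifier together with \objupdate (the combination CVE-2017-0199 samples use to fetch a remote object on open). The two CLSID values are documented Windows constants; the function names, verdict logic and sample documents are assumptions constructed for this example.

```python
import re
import uuid
from typing import Dict, List

# Class identifiers of the two OLE object types through which the Office bugs
# named in the article are reached. Both are documented Windows CLSIDs, not
# values taken from the original page.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3, CVE-2017-11882
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")      # URL moniker, CVE-2017-0199

# OLE serialises a GUID little-endian (Data1/2/3 byte-swapped, Data4 as-is),
# which is exactly what uuid.bytes_le yields, so these are the byte strings to search for.
INDICATORS = {
    "equation_editor_clsid": EQUATION_EDITOR_CLSID.bytes_le,
    "equation_editor_name": b"Equation.3",      # OLE1 ClassName field as it appears in RTF samples
    "url_moniker_clsid": URL_MONIKER_CLSID.bytes_le,
}

# RTF stores an embedded OLE object as a hex dump inside a \objdata group.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Hex-decode every \\objdata group in an RTF document to its raw OLE bytes."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexchars = re.sub(rb"\s+", b"", match.group(1))
        if len(hexchars) % 2:          # odd nibble count: truncated dump, drop the tail
            hexchars = hexchars[:-1]
        try:
            blobs.append(bytes.fromhex(hexchars.decode("ascii")))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Return per-indicator hits for the document plus a coarse 'suspicious' verdict."""
    blobs = extract_objdata(rtf)
    hits: Dict[str, object] = {name: False for name in INDICATORS}
    for blob in blobs:
        for name, needle in INDICATORS.items():
            if needle in blob:
                hits[name] = True
    # \objupdate makes Word refresh the linked object on open. Alone it is a weak
    # signal; next to a URL moniker it is the CVE-2017-0199 pattern.
    hits["objupdate"] = b"\\objupdate" in rtf
    hits["objects"] = len(blobs)
    # Any Equation Editor or URL moniker object in a mailed RTF warrants a closer look.
    hits["suspicious"] = bool(hits["equation_editor_clsid"]
                              or hits["equation_editor_name"]
                              or hits["url_moniker_clsid"])
    return hits


def build_sample_rtf(ole_payload: bytes, autoupdate: bool = False) -> bytes:
    """Constructed test input: a minimal RTF wrapping ole_payload in \\objdata.

    The payload is only a byte string carrying the indicators, not a valid OLE1
    object, so these samples exercise the scanner without being exploit documents.
    """
    update = b"\\objupdate" if autoupdate else b""
    return (b"{\\rtf1{\\object\\objemb" + update
            + b"{\\*\\objdata " + ole_payload.hex().encode("ascii") + b"}}}")


# Constructed samples (assumptions for the example, not captured malware).
SAMPLE_EQUATION = build_sample_rtf(
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    + EQUATION_EDITOR_CLSID.bytes_le)
SAMPLE_REMOTE_LINK = build_sample_rtf(
    URL_MONIKER_CLSID.bytes_le + "http://example.invalid/obj".encode("utf-16-le"),
    autoupdate=True)
SAMPLE_BENIGN = build_sample_rtf(
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0e\x00\x00\x00Paint.Picture\x00")

if __name__ == "__main__":
    for label, doc in [("equation editor", SAMPLE_EQUATION),
                       ("remote link", SAMPLE_REMOTE_LINK),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, scan_rtf(doc))
```

Call scan_rtf() on the raw bytes of a real attachment to triage it. Attackers routinely obfuscate RTF (junk control words inside \objdata, hex split across groups, mis-encoded CLSIDs), so treat this as a first pass and hand anything that matters to a full RTF parser such as oletools' rtfobj; a hit identifies the object type these exploits ride on, not proven exploitation.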
Defensive Measures
FortiGuard Labs highlighted multiple defensive measures to tackle threats such as SmokeLoader:
- Antivirus protection: Keeping antivirus signatures up to date helps detect and block malware effectively
- Phishing awareness training: Organizations are encouraged to take advantage of free resources for information security awareness training
- Content disarm and reconstruction (CDR): Implementing CDR services can neutralize malicious macros embedded in documents
“SmokeLoader is a modular malware that is adaptable to different needs,” Fortinet explained. “In this case, SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage. This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this.”
Source: https://www.infosecurity-magazine.com/news/smokeloader-malware-taiwan