A sophisticated cyberattack using the SmokeLoader malware targeted multiple industries in Taiwan in September 2024, new research from FortiGuard Labs has revealed.
SmokeLoader is notorious for its versatility, advanced evasion techniques, and modular design, which allow it to perform a wide range of attacks. Attackers have traditionally used SmokeLoader as a downloader to deliver other malware; in this case, it carries out the attack itself by downloading plugins from its C2 server.
Impacted industries include manufacturing, healthcare, and information technology.
Launching the Attack
Attackers initiated the attack with phishing emails. Although the messages used convincing, localized language, they were sent to multiple recipients with largely identical content and contained formatting inconsistencies.
Once recipients opened the attached files, attackers exploited vulnerabilities in Microsoft Office – such as CVE-2017-0199 and CVE-2017-11882 – to deliver SmokeLoader through a series of obfuscated scripts and payloads.
SmokeLoader then utilized plugins downloaded from its command-and-control (C2) server to steal sensitive data, including login credentials, cookies, autofill information, and email addresses.
Advanced Techniques and Plugins
The attack demonstrates SmokeLoader’s increasing versatility and ability to evade detection. In this attack, the malware used plugins to target specific processes such as browsers, email clients, and file transfer software. Key plugins included:
- Credential Theft: Extracting passwords and cookies from browsers like Chrome, Firefox, and Edge, as well as email clients like Outlook.
- Data Injection and Hooking: Embedding malicious code in target applications to monitor and steal data.
- Keylogging: Logging user input from infected systems.
Of particular note is SmokeLoader’s ability to inject code into running processes, using sophisticated methods like creating suspended processes and modifying memory directly.
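As an added illustration that is not part of the FortiGuard research or this article, the Python below encodes two detection checks a defender could run over endpoint process telemetry for the chain described above: an Office process or the Equation Editor binary (eqnedt32.exe, the component patched for CVE-2017-11882) spawning a script host, and a process created suspended that is then written to by its creator before it resumes. The event schema and the sample events are constructed assumptions, not a real product's log format.

```python
"""Two detection rules over constructed process telemetry (hypothetical schema):
1. Office/Equation Editor spawning a script host or LOLBin (Office exploit -> scripts).
2. A process created with CREATE_SUSPENDED, then memory-written by its creator
   before any thread resume (the suspended-process injection pattern)."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
CREATE_SUSPENDED = 0x4  # Win32 CreateProcess creation flag

# Constructed sample events (not real telemetry); "flags" holds creation flags.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 50, "image": "winword.exe", "parent_image": "explorer.exe", "flags": 0},
    {"ts": 2, "type": "process_create", "pid": 101, "ppid": 100, "image": "eqnedt32.exe", "parent_image": "winword.exe", "flags": 0},
    {"ts": 3, "type": "process_create", "pid": 102, "ppid": 101, "image": "cmd.exe", "parent_image": "eqnedt32.exe", "flags": 0},
    {"ts": 4, "type": "process_create", "pid": 103, "ppid": 102, "image": "powershell.exe", "parent_image": "cmd.exe", "flags": 0},
    {"ts": 5, "type": "process_create", "pid": 200, "ppid": 103, "image": "svchost.exe", "parent_image": "powershell.exe", "flags": CREATE_SUSPENDED},
    {"ts": 6, "type": "memory_write", "pid": 103, "target_pid": 200},
    {"ts": 7, "type": "thread_resume", "pid": 103, "target_pid": 200},
    {"ts": 8, "type": "process_create", "pid": 300, "ppid": 50, "image": "chrome.exe", "parent_image": "explorer.exe", "flags": 0},
]


def detect(events):
    """Return (rule, actor_pid, victim_pid) tuples in event order."""
    alerts = []
    suspended = {}  # pid of a still-suspended child -> pid of its creator
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "process_create":
            parent = e["parent_image"].lower()
            child = e["image"].lower()
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", e["ppid"], e["pid"]))
            if e["flags"] & CREATE_SUSPENDED:
                suspended[e["pid"]] = e["ppid"]
        elif e["type"] == "memory_write":
            # Only the creator writing into its own not-yet-resumed child is flagged.
            if suspended.get(e["target_pid"]) == e["pid"]:
                alerts.append(("suspended_process_memory_write", e["pid"], e["target_pid"]))
        elif e["type"] == "thread_resume":
            suspended.pop(e["target_pid"], None)  # child is running; rule 2 no longer applies
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```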
Broader Implications
The SmokeLoader attacks underscore the increasing threat posed by the malware. Its modular design allows attackers to tailor SmokeLoader to different attack scenarios, as illustrated by the malware’s evolution from merely a downloader for other malware. As such, we will likely see more of SmokeLoader in the coming months.
Recommendations
To protect against SmokeLoader attacks, Fortinet recommends an increased focus on security awareness training, regular software updates, robust endpoint protections, and email filtering.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.