A new campaign targeting Taiwan’s manufacturing, healthcare, and IT sectors has been distributing SmokeLoader malware. This malware is known for its versatility and advanced evasion capabilities, making it a significant threat.
First appearing on cybercrime forums in 2011, SmokeLoader primarily functions as a downloader for other malware. However, it can also carry out direct attacks using plugins downloaded from its command-and-control (C2) servers. These plugins enable the malware to steal sensitive data, conduct distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.
According to a report, SmokeLoader uses several advanced techniques to avoid detection. For example, it generates fake network traffic, detects analysis environments, and employs obfuscation to hinder investigations. Over the years, developers have continued to enhance its capabilities, making it more challenging to analyze and mitigate.
The malware saw reduced activity after Operation Endgame, a Europol-led initiative in May 2024. This operation dismantled over 1,000 C2 domains linked to SmokeLoader and other malware families, removing over 50,000 infections. Despite this, threat actors continue to use SmokeLoader by leveraging new C2 infrastructures and publicly available cracked versions.
The latest attack chain begins with phishing emails. These emails include Microsoft Excel attachments that exploit old vulnerabilities, such as CVE-2017-0199 and CVE-2017-11882. When opened, the files execute Ande Loader, a malware loader that deploys SmokeLoader on compromised systems.
SmokeLoader’s modular design consists of two main components: the stager and the main module. The stager decrypts and injects the main module into system processes, establishing persistence and enabling communication with its C2 infrastructure. Once active, the malware uses plugins to harvest login credentials, cookies, email addresses, and data from applications like Outlook and FileZilla.
To reduce the risk of SmokeLoader infections, organizations should prioritize email security and user awareness training. Avoid opening unsolicited email attachments, especially from unknown senders. Regularly update software to patch vulnerabilities and employ advanced endpoint protection tools to detect and block malicious activities.
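One concrete endpoint check that follows from the attack chain above: the Excel attachments exploit CVE-2017-11882, a flaw in the Office Equation Editor (EQNEDT32.EXE), so a process-creation event in which Equation Editor, or Excel itself, launches a command interpreter or script host is a strong signal that a loader is being dropped. The detector below is an added example, not code from the report or from any vendor tool; the log lines, the `key=value` format and the paths in them are constructed, and the field names (`pid`, `ppid`, `image`, `parent`) are assumptions.

```python
"""Flag Office / Equation Editor process chains like those produced by
malicious Excel attachments (CVE-2017-11882). Example code; log lines are constructed."""
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Equation Editor is the component exploited by CVE-2017-11882; it normally spawns nothing.
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and LOLBins an Office application rarely launches legitimately.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str         # lower-cased file name of the new process
    parent_image: str  # lower-cased file name of its parent


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'key=value' process-creation line (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                     basename(fields["image"]), basename(fields["parent"]))


def detect(lines):
    """Return one alert string per suspicious parent/child pair."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.parent_image == EQUATION_EDITOR:
            # Any child of Equation Editor is anomalous: it has no business launching processes.
            alerts.append(f"equation-editor-child pid={ev.pid} image={ev.image}")
        elif ev.parent_image in OFFICE_APPS and ev.image in SUSPICIOUS_CHILDREN:
            alerts.append(f"office-spawns-interpreter pid={ev.pid} image={ev.image}")
    return alerts


# Constructed sample events: Excel opened from Explorer, Equation Editor started via DCOM
# (svchost), then Equation Editor spawning cmd.exe and Excel spawning mshta.exe.
# splwow64.exe (print spooler helper) is a benign Excel child and must not be flagged.
SAMPLE_LOG = [
    r"pid=4120 ppid=812 image=C:\Office16\EXCEL.EXE parent=C:\Windows\explorer.exe",
    r"pid=4300 ppid=900 image=C:\PROGRA~2\EQUATION\EQNEDT32.EXE parent=C:\Windows\System32\svchost.exe",
    r"pid=4412 ppid=4300 image=C:\Windows\System32\cmd.exe parent=C:\PROGRA~2\EQUATION\EQNEDT32.EXE",
    r"pid=4500 ppid=4120 image=C:\Windows\System32\mshta.exe parent=C:\Office16\EXCEL.EXE",
    r"pid=4600 ppid=4120 image=C:\Windows\splwow64.exe parent=C:\Office16\EXCEL.EXE",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because Equation Editor is started through DCOM rather than as a direct child of Excel, the rule keys on Equation Editor's own children; a detection that only watches Excel's children would miss the CVE-2017-11882 path.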