A recent cybercrime campaign targeting Taiwanese companies has caught the attention of security experts, as threat actors have been using phishing emails and exploiting long-standing vulnerabilities to distribute SmokeLoader malware. What makes this campaign unique is that the threat actors are utilizing plugins for SmokeLoader directly to compromise systems, rather than using SmokeLoader as a loader for other types of malware.
According to FortiGuard Labs, the campaign was first identified in September and primarily targeted organizations in the manufacturing, healthcare, and information technology sectors. The phishing emails used in the campaign were crafted in native Chinese language to deceive recipients into downloading SmokeLoader. However, the exact number of victims impacted by this campaign remains unknown.
SmokeLoader, a Trojan variant that has been active since 2011, is notorious for its deceptive tactics and self-protection mechanisms. Apart from loading additional malware, SmokeLoader also comes equipped with plugins for information exfiltration. Financially motivated hackers have frequently been associated with the use of SmokeLoader, with Ukrainian cyber defenders reporting multiple instances of its use.
Once a system becomes infected with SmokeLoader, the malware is capable of leaking an employee’s login credentials, providing attackers with access to internal company data. This compromised account can then be used to spread the malware further within the organization. SmokeLoader is modular malware, allowing threat actors to execute various malicious tasks through plugins or modules.
The SmokeLoader campaign observed by FortiGuard began with phishing emails disguised as price quotes. Recipients who opened the malicious Office document attached to these emails initiated the infection chain, resulting in the deployment of SmokeLoader via an initial VBS file. Once active, SmokeLoader downloads a range of plugins that target various applications and tools, including web browsers, email clients, and file transfer utilities.
The malicious document exploits two long-patched security vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to download and execute the initial loader automatically. To evade detection, the attackers employ multiple layers of obfuscation, including junk code padded into the VBS files and steganographic techniques that hide data within image files.
The plugins used by SmokeLoader extract sensitive information such as login credentials, autofill data, and cookies from popular browsers like Chrome, Firefox, and Edge. They also target credentials stored in Microsoft Outlook and FTP clients. Additionally, some plugins are tailored for specific tasks, with variations designed for 64-bit systems, email metadata extraction, and browser injection.
To ensure persistence on infected systems, the plugins modify registry keys and inject themselves into system processes like explorer.exe. This allows them to resume activity even after system reboots. In one observed instance, researchers witnessed SmokeLoader downloading nine distinct plugins, each tailored for specific tasks and architectures.
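The infection chain described above (an Office document spawning a VBS script host, a dropped executable, and a Run-key entry for persistence) maps directly onto process-creation and registry telemetry. The following detector is an added example, not code from the report or from FortiGuard: it runs over constructed Sysmon-style events, and the process names, the user-writable path markers and the `Run` key pattern it matches are assumptions drawn from the chain as described, with `eqnedt32.exe` included because CVE-2017-11882 is an Equation Editor flaw.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (key=value per line), not telemetry from the report.
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"EventID=1 ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\quote.vbs",
    r"EventID=1 ParentImage=C:\Windows\System32\wscript.exe Image=C:\Users\u\AppData\Local\Temp\svc.exe",
    r"EventID=13 Image=C:\Users\u\AppData\Local\Temp\svc.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe",
]

# Values may contain spaces (paths, command lines): match lazily up to the next " Key=".
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}  # assumed set
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # hosts that run a .vbs
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumed markers

def parse(line):
    return {k: v for k, v in KV.findall(line)}

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(lines):
    """Return (rule, image) alerts; taints children of flagged processes by name.
    Real deployments should key the taint on ProcessGuid rather than basename."""
    alerts, tainted = [], set()
    for line in lines:
        ev = parse(line)
        image = ev.get("Image", "")
        if ev.get("EventID") == "1":
            parent, child = basename(ev.get("ParentImage", "")), basename(image)
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                alerts.append(("office_spawned_script_host", image))
                tainted.add(child)
            elif parent in tainted:  # follow the chain: script host -> dropped binary
                alerts.append(("child_of_suspicious_process", image))
                tainted.add(child)
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "").lower()
            if "\\currentversion\\run\\" in target and any(m in image.lower() for m in USER_WRITABLE):
                alerts.append(("run_key_persistence_from_user_path", image))
    return alerts

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(rule, image)
```

The benign `explorer.exe -> notepad.exe` event produces no alert, while the three stages of the constructed chain each do.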
Overall, the SmokeLoader campaign targeting Taiwanese companies highlights the evolving tactics of threat actors in the cybercrime landscape. Organizations are advised to remain vigilant against phishing attacks, regularly update their security measures, and conduct thorough security assessments to detect and mitigate potential threats.