A recent malware campaign using SmokeLoader has been detected targeting Taiwanese companies in sectors such as manufacturing, healthcare, and IT. SmokeLoader is a modular loader that is usually seen as a first stage that fetches other malware families; in this campaign it carries out the attack itself through its own plugins rather than handing off to a second-stage payload, which is the unusual feature of this activity.
The attack follows a consistent pattern, as identified by FortiGuard Labs. It begins with phishing emails crafted to persuade recipients to open a malicious attachment. The emails are written in the local language and reuse text lifted from legitimate correspondence so that they look genuine, but they often contain subtle formatting inconsistencies that give them away.
Opening the attachment triggers exploitation of two long-patched Microsoft Office vulnerabilities: CVE-2017-0199 (remote code execution through an auto-updating OLE2Link object that retrieves and runs a remote HTA) and CVE-2017-11882 (a buffer overflow in the legacy Equation Editor, EQNEDT32.EXE). Both were fixed in 2017, and Microsoft removed Equation Editor from Office entirely in January 2018, so the exploits only succeed on installations that have not received those updates. The exploit stage executes AndeLoader, which in turn loads SmokeLoader itself.
The modular nature of SmokeLoader is central to this attack. It deploys nine different plugins, each with a specialized function such as stealing credentials, clearing browser cookies, or injecting code into running processes. The plugins target popular browsers, email clients, and FTP software to extract sensitive data. For example, one plugin extracts saved credentials and autofill data from Chrome, Firefox, and Edge, while another retrieves email account information from Outlook and Thunderbird.
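As an added illustration (this is not FortiGuard's or the article's code), the following Python triage check flags RTF attachments that carry the structural markers of these two exploits: the auto-updating OLE2Link object abused by CVE-2017-0199 and the embedded Equation Editor object abused by CVE-2017-11882. The indicator strings (the `\objupdate` control word, the `OLE2Link` moniker name, the `Equation.3` class name, the Equation Editor CLSID and the `Equation.Native` stream name) are documented properties of those object types; the three sample documents, the severity mapping and all function names are constructed for this example.

```python
"""Added triage check (not FortiGuard's code): flag RTF attachments that carry
the markers of the two Office exploits named in the article. The indicator
strings are documented properties of the exploit object types; the sample
documents below are constructed for this example and are not real campaign files."""
import re

# Equation Editor COM class {0002CE02-0000-0000-C000-000000000046} as it appears
# byte-for-byte (GUID fields little-endian) inside an OLE stream, hex-encoded.
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"
# Name of the OLE stream that holds an Equation Editor object's data.
EQUATION_NATIVE_HEX = "Equation.Native".encode().hex()
# Moniker/class name of the linked-object type abused by CVE-2017-0199.
OLE2LINK_HEX = "OLE2Link".encode().hex()  # 4f4c45324c696e6b


def _flatten(data: bytes) -> str:
    """Lower-case, whitespace-free view of the document. Exploit RTFs routinely
    split \\objdata hex across lines and spaces to defeat naive string matching;
    removing whitespace restores the contiguous hex and the ASCII control words."""
    return re.sub(rb"\s+", b"", data).decode("latin-1").lower()


def scan_rtf(data: bytes) -> dict:
    """Return a dict of boolean indicators found in one RTF document."""
    flat = _flatten(data)
    findings = {"is_rtf": flat.startswith("{\\rt")}
    if not findings["is_rtf"]:
        return findings
    # Word accepts "{\rt" as well as the proper "{\rtf1"; exploit builders use the
    # short form to slip past magic-number filters, so it is suspicious on its own.
    findings["truncated_header"] = not flat.startswith("{\\rtf")
    findings["has_embedded_object"] = "\\objdata" in flat
    # CVE-2017-0199: a linked OLE2Link object carrying \objupdate is refreshed as
    # soon as the document opens, which fetches and runs the remote HTA payload.
    findings["cve_2017_0199"] = "\\objupdate" in flat and (
        OLE2LINK_HEX in flat or "ole2link" in flat
    )
    # CVE-2017-11882: any embedded Equation Editor object, whether declared by
    # class name, by CLSID inside the OLE data, or by its Equation.Native stream.
    findings["cve_2017_11882"] = (
        "equation.3" in flat or EQNEDT_CLSID_HEX in flat or EQUATION_NATIVE_HEX in flat
    )
    return findings


def verdict(findings: dict) -> str:
    """Map indicators to a mail-gateway decision (policy chosen for this example)."""
    if not findings.get("is_rtf"):
        return "not-rtf"
    if findings["cve_2017_0199"] or findings["cve_2017_11882"]:
        return "block"
    if findings["truncated_header"] or findings["has_embedded_object"]:
        return "review"
    return "allow"


# Constructed samples; the hex payloads are illustrative fragments, not working exploits.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly invoice attached.\\par}"

CVE_2017_0199_RTF = (
    b"{\\rt\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
    b"{\\*\\objdata 01050000 02000000 09000000\n"
    b"4f4c4532 4c696e6b 00000000 00000000}}}"
)

CVE_2017_11882_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata d0cf11e0 a1b11ae1 00000000 00000000\n"
    b"02ce0200 00000000 c0000000 00000046}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("cve-2017-0199", CVE_2017_0199_RTF),
                      ("cve-2017-11882", CVE_2017_11882_RTF)):
        print(name, verdict(scan_rtf(doc)), scan_rtf(doc))
```

Real samples go further than splitting the hex across lines: they bury junk control words inside `\objdata` and nest objects in unusual places, so a production gateway should parse the RTF properly (for instance with `rtfobj` from the oletools suite) and extract the OLE objects before matching. This check is the minimum a mail filter can do while the Office patches are being rolled out; it does not replace them.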
In response to this threat, FortiGuard Labs has recommended several defensive measures against campaigns like this one:
– Antivirus protection: Keep antivirus signatures current so that known loader and plugin samples are detected and blocked.
– Phishing awareness training: Organizations should use free information security awareness resources to teach employees to recognize the risks of phishing attacks.
– Content disarm and reconstruction (CDR): CDR services strip active content from inbound documents before delivery, which prevents the malware from executing. Note that the documents in this campaign exploit Office parsing bugs through embedded OLE objects rather than macros, so the CDR policy must remove or flatten embedded objects, not only macros, to be effective here.
Fortinet emphasized, “SmokeLoader is a versatile malware that can be adapted to suit various malicious purposes. In this particular campaign, SmokeLoader utilizes its plugins to carry out the attack, showcasing its flexibility and underscoring the importance of thorough analysis even when dealing with well-known malware strains.”
In conclusion, the ongoing SmokeLoader campaign shows how a well-known loader can be repurposed to attack businesses across several industries using exploits that have been patched for years. Keeping Office installations current, filtering malicious attachments at the gateway, and training staff to recognize phishing remain the measures that most reduce the risk from campaigns of this kind.