SmokeLoader malware was used to target Taiwanese companies in September 2024, leveraging its modular design to download and execute malicious plugins directly from its C2 server, bypassing traditional downloader stages and expanding its attack capabilities.
The phishing campaign leverages social engineering tactics, sending identical emails to multiple targets with personalized names but generic content.
Emails are sent to recipients with the intention of tricking them into downloading a malicious VBS file, which then launches AndeLoader to deploy SmokeLoader.
Exploits for the Microsoft Office vulnerability CVE-2017-0199 use OLE2-embedded links to silently download and execute a malicious document when the victim opens a crafted file. In this campaign the malicious link is concealed in a hidden sheet of a protected document.
CVE-2017-11882 is an RCE vulnerability in Microsoft Office's Equation Editor; the exploit's embedded shellcode decrypts itself, fetches a malicious VBS script using URLDownloadToFile, and executes it, potentially compromising the system.
AndeLoader leverages VBScript to download a steganographic image containing a base64-encoded injector, which retrieves the SmokeLoader payload and injects it into the RegAsm.exe process for execution.
This particular instance disables the persistence mechanism that is responsible for combining downloaded VBScripts.
SmokeLoader downloads and injects various plugins into target processes like explorer.exe, browsers, email clients, and FTP clients to steal sensitive data such as login credentials, cookies, autofill data, and email content.
The credential-stealing plugin retrieves login credentials from a variety of browsers by reading specific system files and registry keys.
It leverages vaultcli.dll for Internet Explorer, profiles.ini for Firefox and Thunderbird, and Local State files for Chrome, Opera, Chromium, Edge, Amigo, and QQBrowser.
The malware injects itself into various email clients and web browsers, steals sensitive information like login credentials and email contacts, and manipulates browser settings to compromise user privacy and security.
The plugins inject code into various processes to hook API functions, allowing them to intercept and collect sensitive data such as network traffic, keystrokes, and clipboard content.
The targeted processes include popular browsers, email clients, FTP clients, and system processes, where the plugins use advanced techniques like thread suspension, code modification, and memory parsing to achieve their objectives.
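The chain described above (an Office exploit launching a script host, AndeLoader handing the payload to RegAsm.exe, plugins reading browser credential stores and injecting into explorer.exe, browsers, email and FTP clients) maps directly onto a few endpoint detection rules. The Python below is an added example and is not code from the Fortinet report or this page: the event field names are modelled loosely on Sysmon process-create, file-access and CreateRemoteThread records, and the process allowlists and sample events are constructed assumptions to be tuned per environment.

```python
"""Detection rules for the SmokeLoader delivery chain and plugin behaviour
described above, run over constructed endpoint telemetry (added example).
Field names and allowlists are assumptions, not the report's own format."""
from dataclasses import dataclass

# Process names taken from the report text; the allowlists are assumptions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "eqnedt32.exe"}  # Equation Editor host
INJECTION_TARGETS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                     "opera.exe", "thunderbird.exe", "outlook.exe", "filezilla.exe"}
CREDENTIAL_STORES = ("local state", "profiles.ini")  # Chromium / Mozilla stores
STORE_OWNERS = {"chrome.exe", "msedge.exe", "opera.exe", "chromium.exe",
                "firefox.exe", "thunderbird.exe", "amigo.exe", "qqbrowser.exe"}


@dataclass
class Event:
    kind: str          # "process", "file" or "thread"
    image: str         # full path of the acting process
    parent: str = ""   # process events: parent image path
    cmdline: str = ""  # process events: command line
    path: str = ""     # file events: file opened for read
    target: str = ""   # thread events: process receiving the remote thread


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule_name, acting_image) for every event that matches a rule."""
    alerts = []
    for e in events:
        img = basename(e.image)
        if e.kind == "process":
            parent = basename(e.parent)
            # Stage 1: Office or its Equation Editor launching a script host
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", img))
            # Stage 2: the VBScript stage starting RegAsm.exe as injection host
            # (assumed observable: the injector launches RegAsm.exe itself)
            if parent in SCRIPT_HOSTS and img == "regasm.exe":
                alerts.append(("script_host_spawns_regasm", img))
        elif e.kind == "file":
            # Plugin reading a browser credential store the process does not own
            if e.path.lower().endswith(CREDENTIAL_STORES) and img not in STORE_OWNERS:
                alerts.append(("foreign_credential_store_read", img))
        elif e.kind == "thread":
            # Remote thread created in explorer.exe / browser / mail / FTP client
            target = basename(e.target)
            if target in INJECTION_TARGETS and img != target:
                alerts.append(("remote_thread_into_data_process", img))
    return alerts


# Constructed sample telemetry, not events from the report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe",
          parent=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          cmdline=r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          parent=r"C:\Windows\System32\wscript.exe"),
    Event("file", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          path=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"),
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          path=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"),  # benign
    Event("thread", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          target=r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

Each rule fires on one stage of the chain independently, so a single alert is a lead rather than a verdict; the value comes from correlating the RegAsm.exe-centred hits within one host and a short time window. The Chrome read of its own Local State file and the notepad.exe launch are included to show the allowlists suppressing benign activity.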
According to Fortinet, SmokeLoader, a modular malware, leverages plugins to execute attacks, demonstrating its adaptability, which highlights the need for vigilance even when dealing with familiar malware.