
SmokeLoader Spreads Infostealers Through Malicious 7z Files


A recent cyber campaign has been observed leveraging SmokeLoader, a modular malware loader, to distribute infostealers such as CryptBot and Lumma through malicious 7z archive files.

The attack chain, which employs the Emmenhtal Loader, showcases advanced evasion techniques and fileless execution to bypass security measures.

Infection Chain Overview

The campaign begins with phishing emails containing deceptive 7z archive files named “Платiжна_iнструкция.7z” (translated as “Payment Instruction”).

These archives include a bait PDF and a URL shortcut. Once the archive is extracted and the shortcut is opened, it downloads a malicious LNK file from a remote server.

This LNK file triggers PowerShell to execute a script that downloads additional payloads, ultimately deploying SmokeLoader.

Infection Chain Flow of SmokeLoader using Emmenhtal Loader

The infection chain relies on multiple stages:

  1. Delivery via 7z Archive: The attackers use 7z files to evade detection, a tactic previously linked to zero-day vulnerabilities in 7-Zip. Although no zero-day exploit is used in this campaign, the reliance on archive-based delivery highlights the attackers’ adaptability.
  2. Downloader Execution: The URL shortcut within the archive retrieves an LNK file disguised as a legitimate document. This file initiates the next stage of the attack.
  3. PowerShell and Mshta Execution: The LNK file uses PowerShell to execute Mshta (Microsoft HTML Application), which downloads and runs an HTA script embedded in a modified Windows utility (DCCW.exe). This Living Off the Land Binaries and Scripts (LOLBAS) technique minimizes detection by using legitimate system tools.

Malicious HTA Header

The Emmenhtal Loader acts as a critical intermediary in deploying SmokeLoader while maintaining stealth.

It embeds malicious JavaScript within legitimate executables, such as DCCW.exe, ensuring minimal visibility during execution.

The loader uses obfuscated scripts to decode and execute additional payloads dynamically.

This approach enables attackers to bypass traditional antivirus defenses and deliver secondary malware seamlessly.
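Two characteristics of the chain described above are visible in ordinary process-creation telemetry: mshta.exe being spawned by PowerShell rather than by a user-facing application, and mshta.exe being pointed at something other than an .hta file (here the modified DCCW.exe). The following added example, which is not code from the original article or from the researchers it cites, shows a small detector that walks parent-process relationships over constructed sample events shaped like Sysmon Event ID 1 / EDR process records and flags mshta launches that match either characteristic. The event fields, the sample paths and the `SUSPICIOUS_PARENTS` list are assumptions for illustration.

```python
import ntpath
from typing import Dict, List

# Constructed sample process-creation events (assumed, not real telemetry).
# Fields mirror what Sysmon Event ID 1 / EDR process events typically expose.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Benign: an HTA launched straight from Explorer with a local .hta target.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Tools\report.hta"'},
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File backup.ps1"},
    # Shaped like the article's stage: PowerShell spawns mshta, which is pointed
    # at an executable (DCCW.exe) instead of an .hta file.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\DCCW.exe"},
]

# Script hosts that rarely have a legitimate reason to spawn mshta.exe (assumed list).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (ntpath handles Windows separators)."""
    return ntpath.basename(path).lower()


def ancestry(index: Dict[int, Dict], pid: int, max_depth: int = 10) -> List[str]:
    """Walk parent pointers from pid upward; returns image names, child first."""
    chain: List[str] = []
    seen = set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def mshta_target(cmd: str) -> str:
    """Return the argument mshta was given (everything after the image, unquoted)."""
    parts = cmd.split(maxsplit=1)
    return parts[1].strip().strip('"') if len(parts) > 1 else ""


def analyze(events: List[Dict]) -> List[Dict]:
    """Flag mshta.exe launches that match the chain characteristics above."""
    index = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev["image"]) != "mshta.exe":
            continue
        reasons = []
        parent = index.get(ev["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        if parent_name in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by script host {parent_name}")
        target = mshta_target(ev["cmd"])
        low = target.lower()
        if target and not low.endswith(".hta"):
            reasons.append(f"target is not an .hta file: {target}")
        if low.startswith("http://") or low.startswith("https://"):
            reasons.append("target is a remote URL")
        if reasons:
            findings.append({"pid": ev["pid"],
                             "chain": ancestry(index, ev["pid"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], " <- ".join(f["chain"]), f["reasons"])
```

Run against the sample set, only the PowerShell-spawned mshta process (pid 400) is reported, with the full chain mshta.exe <- powershell.exe <- explorer.exe and both reasons attached; the Explorer-launched .hta in pid 200 is left alone. In production the same two checks map directly onto a SIEM rule over Sysmon Event ID 1 (ParentImage and CommandLine), which is where a defender would actually deploy them.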

SmokeLoader Capabilities

SmokeLoader, a well-known malware loader, exhibits modular functionality that allows it to:

  • Download and execute additional malware components
  • Steal credentials from browsers and memory
  • Inject itself into legitimate processes for evasion
  • Communicate with command-and-control (C2) servers for remote commands

The malware also employs anti-analysis techniques, such as obfuscation and sandbox detection, to thwart security researchers.

According to the report, this campaign highlights the increasing sophistication of malware distribution methods.

By combining Emmenhtal Loader’s stealthy execution with SmokeLoader’s modular capabilities, threat actors can deploy infostealers effectively while evading detection.

The use of LOLBAS techniques further complicates mitigation efforts by exploiting legitimate system utilities.

Organizations are advised to bolster their defenses with endpoint detection and response (EDR/XDR) solutions, network monitoring tools, and zero-trust security frameworks.

Additionally, awareness training for employees can mitigate risks associated with phishing emails.

As malware-as-a-service (MaaS) platforms continue to evolve, campaigns like this underscore the need for proactive cybersecurity measures to counter emerging threats.
