Threat Actor Uses Trojan as Infostealer
A threat actor is targeting Taiwanese companies using phishing emails and long-standing vulnerabilities to deliver SmokeLoader malware. The campaign is unusual because the threat actor uses plugins for the infamous malware to directly attack systems rather than using SmokeLoader as its name suggests – as a loader for other malware.
FortiGuard Labs said Monday it observed a campaign active in September using native Chinese phrasing to coax targets in the manufacturing, healthcare and information technology sectors into downloading SmokeLoader. A company spokesperson told Information Security Media Group it’s uncertain how many victims the campaign has swept up.
SmokeLoader is the name of a large family of Trojans known since 2011 that can load additional malware but also has plugins for information exfiltration. Mitre has called the malware “notorious for its use of deception and self-protection” (https://attack.mitre.org/software/S0226/). Ukrainian cyber defenders have repeatedly detected SmokeLoader use by financially motivated hackers (see: Smokeloader Campaign Intensifying, Ukrainian CERT Warns).
“Once a machine is infected, an employee’s login credentials are leaked. The attacker can then access internal company information, spread the attack to people who have contact with the victim, and distribute malware using the employee’s account,” the spokesperson said.
SmokeLoader is modular malware that can carry out various tasks using plugins or modules. The campaign detected by FortiGuard began with phishing emails crafted to appear as price quotes. “While this email is persuasive, as it uses native words and phrases, these phishing emails are sent to multiple recipients with almost the same content,” FortiGuard said.
Anyone downloading the malicious Office document attached to the email gets an initial infection: a VBS file loads AndeLoader, which in turn delivers SmokeLoader as the final payload.
Once operational, SmokeLoader downloads a suite of plugins and targets applications, web browsers, email clients and file transfer tools.
The threat actor exploits what should be obsolete security flaws that date from 2017, specifically CVE-2017-0199 and CVE-2017-11882, enabling the malicious document to automatically download and execute the initial malware loader.
The attack involves multiple layers of obfuscation. The VBS files used in the SmokeLoader attack are cluttered with unnecessary code to hide their malicious behavior. The threat actors also use steganographic techniques to embed data within image files.
SmokeLoader’s execution flow includes decoding the steganographic data, extracting injector components, and leveraging them to deploy plugins into system processes. One plugin module extracts login credentials, autofill data and cookies from browsers including Chrome, Firefox and Edge. It also gathers credentials stored in Microsoft Outlook and FTP clients like FileZilla and WinSCP.
Additional plugins perform similar tasks, with some tailored for 64-bit systems and others focusing on email metadata extraction and browser injection.
SmokeLoader employs advanced evasion tactics, such as injecting plugins into suspended processes like explorer.exe, modifying their memory and resuming execution to avoid detection. The plugins also establish persistence by altering registry keys, ensuring their activity continues even after system reboots.
In one instance, researchers observed SmokeLoader downloading nine distinct plugins, injecting each into the appropriate architecture while clearing browser cookies to prompt victims to re-enter credentials.
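Seen from the defender’s side, the chain described above (Office lure spawning the VBS stage, a plugin injected into explorer.exe, persistence via the registry) can be correlated per host. The following is an added example, not code from FortiGuard or this article; the Sysmon-style event schema, the Run-key path and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed stage markers; only explorer.exe and the Office-to-VBS step come from the article.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # apps that open the lure document
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                 # hosts that run the VBS stage
INJECTION_TARGETS = {"explorer.exe"}                          # suspended process named in the article
RUN_KEY_MARKER = "\\currentversion\\run\\"                    # assumed persistence location

# Constructed Sysmon-style events (id 1 = process create, 8 = CreateRemoteThread,
# 13 = registry value set); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 1, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws01", "id": 8, "source": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "id": 13, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

def _base(path):
    """Lower-cased file name of an image path (r'C:\\Windows\\explorer.exe' -> 'explorer.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def stage(ev):
    """Map one event to a stage of the described chain, or None if it matches nothing."""
    if ev["id"] == 1 and _base(ev["parent"]) in OFFICE_APPS and _base(ev["image"]) in SCRIPT_HOSTS:
        return "vbs_from_office"
    if ev["id"] == 8 and _base(ev["target"]) in INJECTION_TARGETS:
        return "injection"
    if ev["id"] == 13 and RUN_KEY_MARKER in ev["key"].lower():
        return "persistence"
    return None

def correlate(events, min_stages=2):
    """Group stage hits by host and report hosts showing at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        s = stage(ev)
        if s:
            seen[ev["host"]].add(s)
    return {h: sorted(st) for h, st in seen.items() if len(st) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Any single stage on its own is noisy (CreateRemoteThread into explorer.exe has benign sources); the value is in requiring two or more stages on the same host before alerting.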