By Pei Han Liao | December 02, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High
In September 2024, FortiGuard Labs observed an attack using the notorious SmokeLoader malware to target companies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors. SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks. While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its C2 server.
Figure 1: Attack flow
Phishing
Figure 2 shows a phishing email used in this campaign. The sender claims the attached malicious file is a quotation and includes a list of special instructions. While the email is persuasive because it uses native words and phrases, the same phishing emails are sent to multiple recipients with almost identical content. Even the recipient's name (the redaction in the file name) is not changed when the email is sent to other companies. This has been observed in other attack chains of this campaign. In addition, the font and color of the email sign-off and telephone number differ from the main body, which suggests that the text was copied from elsewhere.
Figure 2: Phishing emails sent to different companies. The recipient’s name is identical.
Regardless of which it uses, the third stage uses a VBS file to launch the malware loader, AndeLoader, and the final payload is the same SmokeLoader file.
CVE-2017-0199
CVE-2017-0199 is a vulnerability in Microsoft Office that is exploited through an OLE2-embedded link object. When a victim opens the crafted file, the linked malicious document is automatically downloaded and executed. The file attached to the phishing email is protected, and the object containing the malicious link is hidden in a sheet.
Figure 3: The download link can be found in the binary data though it’s protected
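A defender-side check for the mechanism described above, added here as an example and not code from the FortiGuard Labs write-up: it looks for the traces an OLE2-embedded link object leaves in binary data (the OLE2 compound-file header, the standard URL moniker CLSID, and an ASCII or UTF-16LE encoded URL), and walks the embedded parts of an OOXML zip so that a protected sheet does not keep the object out of sight. The sample blob, the placeholder URL `c2.example.invalid`, the minimal workbook zip and the function names are constructed for this example.

```python
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

# Magic bytes of an OLE2 compound file (legacy .doc/.xls and the oleObject*.bin
# parts embedded inside OOXML documents).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# CLSID of the standard URL moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in its
# on-disk GUID byte order; its presence indicates an embedded link object.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Office stores strings either as ASCII or as UTF-16LE, so look for both.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"
)


@dataclass
class ScanResult:
    is_ole2: bool
    has_url_moniker: bool
    urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An OLE2 blob carrying a URL moniker plus a remote link is the
        # combination worth routing to detonation and blocking at the gateway.
        return self.is_ole2 and self.has_url_moniker and bool(self.urls)


def scan_ole_blob(data: bytes) -> ScanResult:
    """Extract ASCII and UTF-16LE URLs from raw bytes and check OLE2 markers."""
    found = set()
    for m in URL_ASCII.finditer(data):
        found.add(m.group().decode("ascii"))
    for m in URL_UTF16.finditer(data):
        found.add(m.group().decode("utf-16-le"))
    return ScanResult(
        is_ole2=data.startswith(OLE2_MAGIC),
        has_url_moniker=URL_MONIKER_CLSID in data,
        urls=sorted(found),
    )


def scan_document(data: bytes) -> dict[str, ScanResult]:
    """Scan a whole attachment: an OLE2 file directly, or every OLE2 part inside
    an OOXML zip (embedded objects live under xl/embeddings or word/embeddings)."""
    if not data.startswith(b"PK\x03\x04"):
        return {"<root>": scan_ole_blob(data)}
    results: dict[str, ScanResult] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if part.startswith(OLE2_MAGIC):
                results[name] = scan_ole_blob(part)
    return results


# Constructed sample: not a real malicious object, only the markers a link object
# leaves in binary data, with a placeholder URL.
SAMPLE_BLOB = (
    OLE2_MAGIC
    + b"\x00" * 64
    + URL_MONIKER_CLSID
    + "http://c2.example.invalid/quotation.doc".encode("utf-16-le")
    + b"\x00\x00"
)


def build_sample_xlsx() -> bytes:
    """Minimal constructed zip that mimics where Excel stores an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", SAMPLE_BLOB)
    return buf.getvalue()


if __name__ == "__main__":
    for part, res in scan_document(build_sample_xlsx()).items():
        print(part, "SUSPICIOUS" if res.suspicious else "clean", res.urls)
```

The scan works on raw bytes on purpose: sheet or workbook protection only affects what Excel shows, not what is stored in the embedded object part, which is why the link is recoverable from the binary data as Figure 3 shows. Extracted URLs are for blocking and hunting, not for fetching.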