SmokeLoader Malware Makes a Comeback, Targeting Taiwan's Manufacturing and IT Sectors


A new campaign distributing SmokeLoader malware has targeted Taiwanese organizations, particularly in the manufacturing, healthcare, and IT sectors.

Fortinet’s FortiGuard Labs, in a report shared with The Hacker News, highlighted SmokeLoader’s reputation for its adaptability and advanced evasion techniques. "SmokeLoader is known for its modular design, allowing it to execute a wide variety of attacks," the report stated. Unlike its usual role as a downloader for other malware, in this instance, SmokeLoader directly carries out the attack by fetching plugins from its command-and-control (C2) server.

First introduced in 2011 on cybercrime forums, SmokeLoader is primarily used to execute secondary payloads. However, it can also download additional modules to extend its capabilities, such as stealing data, launching distributed denial-of-service (DDoS) attacks, and mining cryptocurrency.

Advanced Evasion Techniques
According to Zscaler ThreatLabz, SmokeLoader employs sophisticated techniques to evade detection. "The malware detects analysis environments, generates fake network traffic, and obfuscates its code to avoid being flagged and analyzed," their extensive report stated. These techniques have been consistently updated by its developers to improve its resilience against cybersecurity investigations.

Decline and Resurgence
SmokeLoader’s activity saw a sharp decline after Operation Endgame, a Europol-led initiative that dismantled infrastructure associated with several malware families, including SmokeLoader. This operation, which took place in May 2024, led to the takedown of over 1,000 C2 domains and the remote cleaning of more than 50,000 infections. Despite this, the malware has continued to circulate, with threat actors leveraging new C2 infrastructure to distribute payloads.

Zscaler attributes SmokeLoader's persistence to the widespread availability of cracked versions on the internet, which makes it easier for attackers to deploy the malware.

Attack Chain and Exploited Vulnerabilities
FortiGuard Labs traced the latest attack chain to a phishing email carrying a Microsoft Excel attachment. When opened, the file exploits two long-patched Office vulnerabilities, CVE-2017-0199 (loading a remote OLE object that is executed through the HTA handler) and CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor, EQNEDT32.EXE), to drop a malware loader called Ande Loader. That loader then launches SmokeLoader on the compromised system.
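For mail-gateway or incident-response triage of attachments like the one described above, the following script is an added example (not code from FortiGuard Labs or from the campaign) that flags the two static indicators most associated with those CVEs: an OOXML relationship of type oleObject with TargetMode="External" (the remote-object pattern behind CVE-2017-0199), and the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} or ProgID Equation.3 inside an OLE/compound file (the object type abused by CVE-2017-11882). The sample documents it scans are constructed in memory; the URL in them is a placeholder, not an indicator from the report.

```python
"""Static triage heuristics for Office attachments.

Added example: flags structures associated with CVE-2017-0199 (external OLE
link) and CVE-2017-11882 (Equation Editor object). A hit means "detonate in a
sandbox", not "confirmed exploit": benign files can embed equations too.
"""
import io
import re
import zipfile
from typing import List

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")           # compound file header
ZIP_MAGIC = b"PK\x03\x04"                               # OOXML (.xlsx/.docx) container
# {0002CE02-0000-0000-C000-000000000046} serialized little-endian, as stored in OLE streams
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQNEDT_PROGID = b"Equation.3"
REL_TAG_RE = re.compile(rb"<Relationship\b[^>]*>")
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def _scan_raw(name: str, blob: bytes) -> List[str]:
    """Byte-level check for the Equation Editor object (CVE-2017-11882 candidate)."""
    if EQNEDT_CLSID in blob or EQNEDT_PROGID in blob:
        return [f"Equation Editor object (CVE-2017-11882 candidate) in {name}"]
    return []


def _scan_rels(name: str, blob: bytes) -> List[str]:
    """Look for oleObject relationships that point outside the package."""
    findings = []
    for tag in REL_TAG_RE.findall(blob):
        attrs = {k.decode(): v.decode() for k, v in ATTR_RE.findall(tag)}
        if attrs.get("Type", "").endswith("/oleObject") and attrs.get("TargetMode") == "External":
            findings.append(
                f"External OLE link (CVE-2017-0199 candidate) in {name}: {attrs.get('Target')}"
            )
    return findings


def scan_office(data: bytes) -> List[str]:
    """Dispatch on container type and return a list of human-readable findings."""
    if data.startswith(ZIP_MAGIC):
        findings: List[str] = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                blob = zf.read(name)
                if name.endswith(".rels"):
                    findings += _scan_rels(name, blob)
                findings += _scan_raw(name, blob)   # catches xl/embeddings/oleObject*.bin
        return findings
    if data.startswith(OLE_MAGIC):
        return _scan_raw("<compound file>", data)
    return ["not an OLE or OOXML container"]


# --- constructed samples (not real campaign artifacts) -----------------------
def build_sample_xlsx(external: bool) -> bytes:
    """Minimal OOXML package; with external=True it carries a remote oleObject link."""
    rel = (
        b'<Relationship Id="rId1" '
        b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        + (b'Target="http://example.invalid/update.hta" TargetMode="External"/>'
           if external else b'Target="../embeddings/oleObject1.bin"/>')
    )
    rels = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + rel + b"</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", b"<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


def build_sample_ole() -> bytes:
    """Bytes with a compound-file header and an embedded Equation Editor CLSID."""
    return OLE_MAGIC + b"\x00" * 64 + EQNEDT_CLSID + b"\x00" * 16 + EQNEDT_PROGID


if __name__ == "__main__":
    for label, sample in [("xlsx-external", build_sample_xlsx(True)),
                          ("xlsx-local", build_sample_xlsx(False)),
                          ("ole-eqnedt", build_sample_ole())]:
        print(label, scan_office(sample) or ["clean"])
```

The CLSID check is deliberately byte-level rather than a full compound-file parse, so it also fires on an OLE object embedded inside an OOXML package; pair it with sandbox detonation before acting on a match, since the same CLSID appears in legitimate documents that embed equations.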

SmokeLoader operates through two main components: a stager and a main module. The stager decrypts, decompresses, and injects the main module into the explorer.exe process. Once active, the main module establishes persistence, communicates with the C2 infrastructure, and processes commands. It supports various plugins capable of stealing credentials, email addresses, cookies, and other data from web browsers, email clients, and FTP software like FileZilla and WinSCP.

Conclusion
Fortinet emphasized SmokeLoader's flexibility, noting that it conducts attacks using plugins rather than downloading a complete file for the final stage. "This flexibility highlights the importance of careful analysis, even when dealing with well-known malware like SmokeLoader," they concluded.
