SmokeLoader Malware Campaign Targets Companies in Taiwan

A sophisticated malware campaign leveraging SmokeLoader has been observed targeting Taiwanese companies across manufacturing, healthcare and IT sectors.

SmokeLoader, a modular malware known for its adaptability and evasion techniques, is being used in this attack to directly execute its payloads rather than serving as a downloader for other malicious software.

Key Attack Stages

Identified by FortiGuard Labs, the campaign begins with phishing emails designed to trick recipients into opening malicious attachments. These emails, written in local languages and featuring copied text for authenticity, often include subtle formatting inconsistencies that could signal their fraudulent nature.

Once opened, the attachments exploit vulnerabilities in Microsoft Office, specifically CVE-2017-0199 and CVE-2017-11882, allowing attackers to deliver the initial malware stages. Through these vulnerabilities, the malware executes the AndeLoader, which prepares the final deployment of SmokeLoader itself.

SmokeLoader’s modularity is central to this attack. It deploys nine distinct plugins, each with specialized tasks like stealing credentials, clearing cookies and injecting code into processes.

Notably, these plugins target popular browsers, email clients and FTP software to gather sensitive data. For instance, one plugin extracts credentials and autofill data from Chrome, Firefox and Edge, while another retrieves email information from Outlook and Thunderbird.

Defensive Measures

FortiGuard Labs highlighted multiple defensive measures to tackle threats such as SmokeLoader:

  • Antivirus protection: Keeping antivirus signatures up to date helps detect and block malware effectively

  • Phishing awareness training: Organizations are encouraged to take advantage of free resources for information security awareness training

  • Content disarm and reconstruction (CDR): Implementing CDR services can neutralize malicious macros embedded in documents
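The attachment stage described above (Office documents abusing CVE-2017-0199 and CVE-2017-11882) and the defensive list it motivates can be turned into a concrete triage check at the mail gateway. The script below is an added example and is not code from the article or from FortiGuard Labs: it inspects an attachment by its magic bytes and flags the two document features those exploits depend on, an embedded Equation Editor (Equation.3) OLE object and an OLE object or template that Word fetches from an external URL and refreshes on open. The CLSID and ProgID strings are well-known public values; the indicator names, the heuristic thresholds and the sample files are this example's own constructions, so a flagged file is a candidate for sandboxing or CDR, not a confirmed detection.

```python
"""Heuristic triage of Office attachments for the two exploit patterns
named in the article (CVE-2017-11882 Equation Editor objects and
CVE-2017-0199 auto-updating external OLE links). Added example; sample
inputs are constructed inline so it runs offline."""
import io
import re
import zipfile

# Equation Editor's CLSID {0002CE02-0000-0000-C000-000000000046}: the hex
# form it takes inside \objdata / an OLE stream (Data1..Data3 little-endian,
# Data4 as-is), plus the raw bytes and the ProgID used in \objclass.
EQUATION_CLSID_HEX = b"02ce020000000000c000000000000046"
EQUATION_CLSID_RAW = bytes.fromhex(EQUATION_CLSID_HEX.decode())
EQUATION_PROGID = b"equation.3"

# OOXML relationship types whose target Word will fetch when it is external.
EXTERNAL_REL_TYPES = (b"/oleobject", b"/attachedtemplate")
REL_RE = re.compile(rb"<relationship\b[^>]*>", re.I)


def scan_rtf(data: bytes) -> list:
    """Return indicator names found in an RTF document."""
    low = data.lower()
    findings = []
    # \objclass Equation.3, or the CLSID hex-encoded inside \objdata.
    if EQUATION_PROGID in low or EQUATION_CLSID_HEX in low:
        findings.append("rtf:equation-editor-object")
    # \objupdate makes Word refresh the object on open; together with an
    # OLE2Link object that is the classic CVE-2017-0199 RTF pattern.
    if b"\\objupdate" in low and b"ole2link" in low:
        findings.append("rtf:auto-updating-ole2link")
    return findings


def scan_ooxml(data: bytes) -> list:
    """Return indicator names found in a DOCX/XLSX/PPTX (zip) document."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for name in zf.namelist():
        content = zf.read(name)
        low = content.lower()
        if name.endswith(".rels"):
            # An oleObject/attachedTemplate relationship with an external
            # target is loaded from the network when the file opens.
            for rel in REL_RE.findall(low):
                if b'targetmode="external"' in rel and any(
                    t in rel for t in EXTERNAL_REL_TYPES
                ):
                    findings.append("ooxml:external-ole-or-template:" + name)
        elif EQUATION_CLSID_RAW in content or EQUATION_PROGID in low:
            # Embedded OLE container (word/embeddings/*.bin) or an
            # <o:OLEObject ProgID="Equation.3"> reference in document.xml.
            findings.append("ooxml:equation-editor-object:" + name)
    return findings


def scan_attachment(data: bytes) -> list:
    """Dispatch on magic bytes, never on the attachment's extension."""
    if data[:5].lower() == b"{\\rtf":
        return scan_rtf(data)
    if data[:2] == b"PK":
        return scan_ooxml(data)
    return []


# --- constructed samples (hypothetical, not real malware) -------------------
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report attached.\\par}"
EQUATION_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}}"
)
OLE2LINK_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass OLE2Link}"
    b"{\\*\\objdata 00}}}"
)


def build_docx(external_target: str = "") -> bytes:
    """Minimal DOCX skeleton; optionally add an external oleObject relation."""
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships">']
    if external_target:
        rels.append(
            '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "benign.rtf": BENIGN_RTF,
        "equation.rtf": EQUATION_RTF,
        "ole2link.rtf": OLE2LINK_RTF,
        "plain.docx": build_docx(),
        "remote.docx": build_docx("http://example.invalid/template.doc"),
    }
    for fname, blob in samples.items():
        hits = scan_attachment(blob)
        print(f"{fname:14} {'FLAG' if hits else 'ok  '} {hits}")
```

Run it as-is to see the five constructed samples classified; in a gateway, feed `scan_attachment()` the decoded MIME part bytes and route anything that returns a non-empty list to a sandbox or CDR queue. The checks are deliberately string-level so they stay cheap and survive renamed extensions, which also means they are easy to evade and should sit beside, not replace, signature scanning.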

“SmokeLoader is a modular malware that is adaptable to different needs,” Fortinet explained. “In this case, SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage. This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this.”