SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware.

"SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News.

"While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its [command-and-control] server."

SmokeLoader, a malware downloader first advertised in cybercrime forums in 2011, is chiefly designed to execute secondary payloads. Additionally, it possesses the capability to download more modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.

"SmokeLoader detects analysis environments, generates fake network traffic, and obfuscates code to evade detection and hinder analysis," an extensive analysis of the malware by Zscaler ThreatLabz noted.

"The developers of this malware family have consistently enhanced its capabilities by introducing new features and employing obfuscation techniques to impede analysis efforts."

SmokeLoader activity suffered a major decline following Operation Endgame, a Europol-led effort that took down infrastructure tied to several malware families such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot in late May 2024.

As many as 1,000 C2 domains linked to SmokeLoader have been dismantled, and more than 50,000 infections have been remotely cleaned. That having said, the malware continues to be used by threat groups to distribute payloads through new C2 infrastructure.

This, per Zscaler, is largely due to numerous cracked versions publicly available on the internet.

The starting point of the latest attack chain discovered by FortiGuard Labs is a phishing email containing a Microsoft Excel attachment that, when launched, exploits years-old security flaws (e.g., CVE-2017-0199 and CVE-2017-11882) to drop a malware loader called Ande Loader, which is then used to deploy SmokeLoader on the compromised host.

SmokeLoader consists of two components: a stager and a main module. While the stager's purpose is to decrypt, decompress, and inject the main module into an explorer.exe process, the main module is responsible for establishing persistence, communicating with the C2 infrastructure, and processing commands.

The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.

"SmokeLoader performs its attack with its plugins instead of downloading a completed file for the final stage," Fortinet said. "This shows the flexibility of SmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like this."