SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan


December 2, 2024 at 11:09PM

Taiwanese manufacturing, healthcare, and IT organizations are being targeted by a campaign delivering SmokeLoader, a malware family known for its evasion techniques and modular design. It primarily serves as a downloader but can also carry out attacks on its own through plugins fetched from its C2 server. The campaign begins with a phishing email carrying a malicious Excel attachment that exploits two old Microsoft Office vulnerabilities to deploy Ande Loader, which in turn loads SmokeLoader.

**Meeting Takeaways – Dec 02, 2024: Malware / Cryptocurrency Discussion**

1. **Targeted Sectors**: Taiwanese entities in the manufacturing, healthcare, and IT sectors are currently being targeted by a new campaign utilizing SmokeLoader malware.

2. **Nature of SmokeLoader**:
– SmokeLoader is recognized for its versatility, advanced evasion techniques, and modular design, allowing various forms of attacks.
– Although it primarily functions as a malware downloader, it can also execute attacks directly by downloading plugins from its command-and-control (C2) server.

3. **Historical Context and Functionality**:
– SmokeLoader was first advertised in 2011 on cybercrime forums, designed to deliver secondary payloads and to extend its own functionality through plugins (e.g., data theft, DDoS attacks, cryptocurrency mining).
– It employs various obfuscation techniques and generates fake network traffic to evade detection by security measures.

4. **Impact of Recent Law Enforcement Actions**:
– Following Operation Endgame in May 2024, significant progress was made against SmokeLoader, with 1,000 linked C2 domains dismantled and over 50,000 infections cleaned.
– Despite this, the malware is still active due to cracked versions available online.

5. **Latest Attack Methodology**:
– The initial attack vector is a phishing email with a malicious Microsoft Excel attachment that exploits two long-patched Office vulnerabilities: CVE-2017-0199 (OLE remote object loading) and CVE-2017-11882 (Equation Editor memory corruption).
– Successful exploitation deploys Ande Loader, which subsequently loads SmokeLoader.
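Because both vulnerabilities are reached through artifacts that survive in the document container, a mail gateway or analyst can triage an OOXML attachment for the two indicators before it ever reaches Office. The script below is an added example, not code from the article or from the campaign's tooling: it opens an .xlsx/.docx as a zip, flags any oleObject relationship whose target is external (the CVE-2017-0199 pattern) and any embedded OLE object containing the Equation Editor 3.0 CLSID or ProgID (the CVE-2017-11882 pattern). The relationship-type URI and the CLSID are the standard Office values; the sample document it scans is constructed in memory, and the hostname in it is a placeholder.

```python
"""Heuristic OOXML triage for CVE-2017-0199 / CVE-2017-11882 indicators.

Added example, not tooling from the article.  Pure standard library so it
runs offline; it does not replace a full OLE/CFB parser, it only surfaces
the artifacts a practitioner would look at first.
"""
import io
import re
import uuid
import zipfile

# Standard relationship type Office uses for embedded or linked OLE objects.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Equation Editor 3.0 ("Equation.3"), the component abused by CVE-2017-11882.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

_REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.I)
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def _parse_rels(xml: str):
    """Yield each <Relationship .../> element as a dict of its attributes."""
    for tag in _REL_TAG.findall(xml):
        yield dict(_ATTR.findall(tag))


def triage_ooxml(data: bytes) -> dict:
    """Return the suspicious artifacts found in an OOXML container."""
    findings = {"external_ole_links": [], "equation_editor_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                # CVE-2017-0199: an OLE object whose Target lives outside the
                # document, so Office fetches and executes remote content.
                for rel in _parse_rels(zf.read(name).decode("utf-8", "replace")):
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode", "").lower() == "external"):
                        findings["external_ole_links"].append((name, rel.get("Target", "")))
            elif "/embeddings/" in name:
                # CVE-2017-11882: an embedded OLE stream for Equation Editor.
                # The CFB root entry stores the CLSID little-endian; the ProgID
                # string is checked as a second, cheaper signal.
                blob = zf.read(name)
                if EQNEDT_CLSID.bytes_le in blob or b"Equation.3" in blob:
                    findings["equation_editor_objects"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Block/quarantine decision: either indicator alone is enough to hold the file."""
    return bool(findings["external_ole_links"] or findings["equation_editor_objects"])


def build_sample(external_target=None, embed_equation=False) -> bytes:
    """Construct a minimal xlsx-shaped zip for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        rels = ['<?xml version="1.0"?><Relationships xmlns="http://schemas.'
                'openxmlformats.org/package/2006/relationships">']
        if external_target:
            rels.append(f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
                        f'Target="{external_target}" TargetMode="External"/>')
        if embed_equation:
            rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                        f'Target="../embeddings/oleObject1.bin"/>')
            # CFB magic, padding, then the CLSID as it would sit in the root entry.
            zf.writestr("xl/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + EQNEDT_CLSID.bytes_le + b"\x00" * 32)
        rels.append("</Relationships>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real lure would point at attacker infrastructure.
    bad = build_sample(external_target="http://example.invalid/x.rtf", embed_equation=True)
    print(triage_ooxml(bad), is_suspicious(triage_ooxml(bad)))
    print(triage_ooxml(build_sample()), is_suspicious(triage_ooxml(build_sample())))
```

The byte-scan for the CLSID is deliberately loose: it will also fire on a benign document that genuinely embeds an equation, so treat a hit as "open in a sandbox or run a full OLE parser", not as proof of exploitation. The external-link check is the higher-confidence signal, since legitimate workbooks rarely link OLE objects to remote URLs.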

6. **SmokeLoader Components**:
– The malware consists of a stager and a main module:
  – **Stager**: Decrypts the main module and injects it into a system process.
  – **Main Module**: Establishes persistence, communicates with the C2 infrastructure, processes commands, and manages plugins.

7. **Plugin Capabilities**:
– SmokeLoader supports various plugins capable of stealing sensitive data such as login credentials, email addresses, cookies, and other crucial information from multiple applications (web browsers, email clients, etc.).

8. **Advisory Note for Analysts**:
– Analysts should remain vigilant when dealing with SmokeLoader: it can carry out attacks through plugins fetched at runtime rather than through a single self-contained payload, so the loader sample alone does not reveal the full set of capabilities deployed on a victim.

This summary encapsulates the key points discussed and provides a structured overview of the risks and mechanisms associated with the SmokeLoader malware campaign highlighted in the meeting.
