CyberSecurity news
do son@securityonline.info
A new SmokeLoader malware campaign is targeting Taiwanese companies across various sectors, including manufacturing, healthcare, and IT. Unlike previous campaigns where SmokeLoader acted as a downloader for other malware, this campaign directly executes the attack by downloading and executing malicious plugins from its command-and-control (C2) server. This significantly enhances its capabilities and evasiveness. The attackers employed social engineering, using personalized emails with generic content to trick recipients into opening malicious attachments. These attachments exploited vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) to install AndeLoader, which then deployed SmokeLoader.
The SmokeLoader malware's modular design allows it to download and execute various plugins directly from its C2 server. These plugins steal sensitive data such as login credentials, cookies, and email content from various applications including browsers, email clients, and FTP clients. The malware also utilizes keylogging and clipboard monitoring to further compromise victims. The campaign's success hinges on exploiting known vulnerabilities in Microsoft Office and leveraging social engineering tactics to bypass security measures. The use of nearly identical phishing emails sent to multiple recipients with only the recipient's name personalized highlights the attackers' efficiency and scale.
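The chain above starts with attachments that exploit CVE-2017-0199 and CVE-2017-11882. As an added example (not code from the report or from any of the cited sources), the following Python triage check flags the document features publicly associated with those two bugs in RTF and OOXML attachments; the indicators it looks for (the `\objautlink`/`\objupdate` control words, `oleObject` relationships marked `TargetMode="External"`, and the `Equation.3` ProgID) are assumptions drawn from public descriptions of the vulnerabilities, and all inputs are constructed.

```python
import io
import re
import zipfile

def scan_rtf(data: bytes) -> list[str]:
    """RTF control words behind each pattern (assumed indicators, see lead-in)."""
    low, hits = data.lower(), []
    if b"\\objautlink" in low or b"\\objupdate" in low:
        hits.append("rtf: auto-updating OLE link (CVE-2017-0199 pattern)")
    if b"equation.3" in low:
        hits.append("rtf: Equation Editor object (CVE-2017-11882 pattern)")
    return hits

def scan_ooxml(data: bytes) -> list[str]:
    """OOXML zip: external oleObject relationships and Equation.3 OLEObject tags."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            body = z.read(name)
            if name.endswith(".rels"):
                for rel in re.findall(rb"<Relationship\b[^>]*>", body):
                    if b"/oleObject" in rel and b'TargetMode="External"' in rel:
                        hits.append(f"{name}: external OLE link (CVE-2017-0199 pattern)")
            elif name.endswith(".xml") and b'ProgID="Equation.3"' in body:
                hits.append(f"{name}: Equation.3 object (CVE-2017-11882 pattern)")
    return hits

def scan_attachment(data: bytes) -> list[str]:
    """Dispatch on magic bytes; other formats are out of scope for this check."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []

def build_docx(parts: dict[str, bytes]) -> bytes:
    """Constructed minimal OOXML container for the demo, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed inputs, not files from the campaign.
RTF_SAMPLE = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document}}}"
DOCX_SAMPLE = build_docx({
    "word/_rels/document.xml.rels": b'<Relationships><Relationship Id="rId7" TargetMode="External" '
        b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        b'Target="https://example.invalid/template.doc"/></Relationships>',
    "word/document.xml": b'<w:document><o:OLEObject ProgID="Equation.3"/></w:document>',
})
```

Running `scan_attachment` over the two constructed samples reports one CVE-2017-0199 hit for the RTF and one hit of each kind for the DOCX; a mail gateway or IR triage script would quarantine anything that returns a non-empty list for review rather than treating it as a verdict.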