Malicious Excel file delivered in phishing campaign.
Healthcare, manufacturing, and IT organizations across Taiwan have been subjected to SmokeLoader malware intrusions as part of a new campaign.
According to research from Fortinet FortiGuard Labs, shared with The Hacker News, the attacks begin with phishing emails carrying a malicious Microsoft Excel file that exploits CVE-2017-0199 (an Office OLE remote code execution flaw) and CVE-2017-11882 (a memory corruption bug in the Equation Editor), both patched in 2017, to deliver Ande Loader. The chain therefore depends on the target still running unpatched Office builds.
Ande Loader in turn deploys SmokeLoader, which comprises a stager that decrypts and loads the main module, a main module that establishes persistence, and a set of plugins that exfiltrate various data types, including email addresses, FTP credentials, and Outlook data.
SmokeLoader is a malware downloader first advertised on cybercrime forums in 2011 and is chiefly designed to execute secondary payloads. It can also download further modules that extend its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.