SmokeLoader A Modular Malware Loader Returns in Targeted Campaigns

Threat Group: SMOKY SPIDER
Threat Type: Modular Malware Loader
Exploited Vulnerabilities: CVE-2017-0199, CVE-2017-11882
Malware Used: SmokeLoader (also known as Dofoil, Sharik)
Threat Score: High (8.5/10) — Due to its advanced evasion techniques, modular capabilities, and recent resurgence targeting critical sectors.
Last Threat Observation: December 3, 2024


Overview

SmokeLoader, a long-standing malware loader active since 2011, has resurfaced in targeted attacks against critical sectors, including manufacturing, healthcare, and IT. Leveraging phishing campaigns with malicious Microsoft Excel attachments, the malware exploits outdated Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to gain initial access. Once installed, SmokeLoader acts as a gateway, downloading and executing additional payloads such as ransomware, information stealers, and cryptocurrency miners.

Known for its modular design, SmokeLoader tailors its payloads to specific objectives, enabling attackers to perform tasks like data theft, system reconnaissance, and persistent access. Advanced evasion techniques, including code obfuscation, sandbox evasion, and process injection, make it challenging to detect and analyze. The recent resurgence highlights the dangers of unpatched software and the importance of robust email security and user training to counter evolving threats.


Key Details

  • Delivery Method:
    SmokeLoader is primarily distributed via spear-phishing emails containing malicious Microsoft Excel attachments. These attachments exploit vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) to execute the malware loader. Attackers craft emails to appear as legitimate business correspondence, often targeting employees within key sectors.
  • Targets:
    Recent campaigns have specifically targeted critical infrastructure sectors, including manufacturing, healthcare, and IT, with a focus on organizations in Taiwan. The goal appears to be both financial gain and potential disruption of operational capabilities.
  • Primary Functions:
    1. Downloader for Secondary Malware: SmokeLoader installs additional malicious payloads such as ransomware (e.g., LockBit), cryptocurrency miners, and banking trojans.
    2. Data Theft: It collects and exfiltrates sensitive information, including credentials, browser histories, and system configuration data.
    3. System Reconnaissance: Performs scans to identify network architecture, user privileges, and connected devices, enabling attackers to escalate access.
    4. Persistence Mechanisms: Implements techniques such as registry modifications and process injections to maintain control over infected systems.
    5. Evasion Techniques: Utilizes advanced anti-debugging, anti-sandbox, and anti-virtual machine measures to avoid detection and impede malware analysis.
  • Modular Capabilities:
    SmokeLoader’s architecture allows attackers to deploy and execute different modules depending on the attack objectives. Examples of modules include keyloggers, cryptocurrency miners, and botnet builders.
  • Obfuscation Techniques:
    The malware uses dynamic code unpacking, payload encryption, and legitimate process injection (e.g., explorer.exe) to evade detection. It encrypts its communication with command-and-control (C2) servers, making traffic analysis difficult.
  • Exploitation of Legacy Vulnerabilities:
    SmokeLoader targets unpatched software, particularly exploiting Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882. This highlights the critical need for timely patch management in preventing such attacks.
  • Recent Observations:
    In December 2024, researchers identified campaigns distributing SmokeLoader to organizations in Taiwan, highlighting a resurgence of this threat in targeted attacks. The observed payloads included ransomware and spyware modules tailored to operational environments.

Attack Vectors

SmokeLoader primarily propagates through targeted spear-phishing campaigns, which are meticulously crafted to deceive recipients into opening malicious Microsoft Excel attachments. These phishing emails often impersonate trusted entities, such as business partners or internal departments, and use urgent language to compel the recipient to act. Once the attachment is opened, it exploits vulnerabilities in Microsoft Office software (e.g., CVE-2017-0199 and CVE-2017-11882) to execute malicious code.

After initial infection, SmokeLoader employs process injection techniques to execute within legitimate processes like explorer.exe. This allows it to operate covertly, bypassing traditional security measures. Once embedded in the system, the malware connects to a command-and-control (C2) server to download additional modules. These modules vary based on the attacker's objectives but commonly include ransomware, information stealers, and network reconnaissance tools.

SmokeLoader also exploits weak network defenses by leveraging unpatched systems to propagate laterally across networks. Its ability to perform reconnaissance and escalate privileges allows attackers to target high-value assets within compromised environments. Additionally, encrypted communications between SmokeLoader and its C2 infrastructure further obscure its operations, making detection through network monitoring challenging.


Known Indicators of Compromise (IoCs)

FileHash-MD5

  • 1131d758c8208af277e943f04339e646
  • 9c0de297b9ea30ffbe100ee12150f122

FileHash-SHA1

  • 030adac1abc31aa8bc3a22dda63c4a005aee6e88
  • da6096edee23cfd59cf90c1e6a3a9146ae9d5ff0

FileHash-SHA256

  • 00874ab2a91433dfbfdc9ee6ade6173f3280737fc81505504ace11273f640610
  • 1a1c8cdac1c3cbae5f1140e850ee06b414259876dab97152669f7c0f93469b13
  • 35e55053bed6b3c1027a3e7c140e67303e01e8fcbf42abac27b8e9df2a090ee3
  • 392d201120936c1f0e77bdb4b490f2825c1e6f584f18055c742b36250f89566b
  • 3e523ed80dbb592b1ff8c3345c3cd231ddd5a06e1af4c7b7d1f7f81249d0c4a3
  • 5dc92a6ed1ef2a5d9cf2a112532ad2c9fd70bff727e4cb60cd5d9c4966f2f77f
  • 7ab20d40431b990a9a44e96dc53519f0af72eaf56c4b20f8995f95a48039bf67
  • 7f9909677c290b98541be176251eca34b9f3d36555669a2639130adb97ca6958
  • 858d26e697bc60b642e5d92922b625f58532fc06f028962d8add5fa497981f33
  • 8dc06fdc2897d7c3438105ea0a39d2074774f80e051007fe7799b8195580ad2f
  • 9dea895b5b1c03caa2b838b8def4e082392851325794c3bd2eb5ca7372d8e09c
  • a334ba0d8ac0676d09e41aa273589ee27338c44a09109a4d5defa45f1d9bd82b
  • a4ec792538455fb56f0b89ae10ddd0b2504afba092ba5cfa2083cf61b5fac0ef
  • ad657479d9f6322daba65638523d65631ff83ba5a717261acb5a53fd48e52209
  • bdb897e6a8bfc21302ae1ac254b1b2e779684fe75b2b824cb24c80c775898940
  • cb92d320fc9bc674e8d37ceeebf0363f8e96dd67ef4ef543b3348f96ef567e5f
  • cfe7f6c1c0560bd56cd2df856d459b7fe7fd63b2f635c35151f61d4d04ce4162
  • e29c269a4c3ee4bbd673bfe0d24ca7d131d9221607e26a60989e81d8ffc17095
  • e3e7a3d0ba55b8dbbe3633b1dad0a3bbf4eada72dd8df3f7b1bc76a692862f23
  • ea3b07a2356a7bfb92144f621ba551677a138c31d684072d69a4d37c1a378bb3
  • eb8381b156aad734ef3a0328b4985ed1edeca1c8d79d66e094598f8c6992ac71
  • f4b16c3f8bff445fdcd9d7edb5883d20d7663c3744e137439fa961736d0a9471
  • f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
  • fb6ef14ac4cebf87f937f15553575f0f62ac62df917b490f602025a0985addd1
  • fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6

IPv4

  • 185.228.234[.]237
  • 77.232.41[.]29
  • 91.183.104[.]24


Mitigation and Prevention

User Awareness:

  • Conduct regular training to help employees recognize and report phishing attempts.
  • Emphasize the risks associated with opening unsolicited attachments.

Email Filtering:

  • Deploy advanced email filtering systems to block malicious attachments and URLs.

Antivirus Protection:

  • Use updated antivirus tools capable of detecting SmokeLoader and its payloads.

Patch Management:

  • Ensure timely patching of software vulnerabilities, especially CVE-2017-0199 and CVE-2017-11882.

Network Monitoring:

  • Monitor for unusual outbound traffic patterns indicative of C2 communication.
  • Inspect logs for unauthorized access or suspicious activity.
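The following script is an added example for this advisory, not code from the original publication or from any vendor: it ties the Known Indicators of Compromise section above to the Network Monitoring guidance by loading the published indicators, restoring the defanged IPv4 addresses to their raw form, and scanning log lines for exact matches. The proxy log lines and EDR events it scans are constructed samples in an assumed key=value format, and only a subset of the advisory's SHA256 list is embedded (the remaining hashes can be appended to ADVISORY_HASHES). An IP match is a lead to triage rather than proof of infection, since addresses published as C2 infrastructure can later be reassigned.

```python
"""Match the SmokeLoader IoCs from this advisory against log lines.

Added example, not part of the original advisory. Indicators are copied
verbatim from the advisory; log formats below are constructed samples.
"""
import re

# IPv4 indicators as published (defanged with [.]).
ADVISORY_IPV4 = [
    "185.228.234[.]237",
    "77.232.41[.]29",
    "91.183.104[.]24",
]

# File hashes from the advisory, keyed by algorithm. Only two of the
# published SHA256 values are included here; append the others as needed.
ADVISORY_HASHES = {
    "md5": [
        "1131d758c8208af277e943f04339e646",
        "9c0de297b9ea30ffbe100ee12150f122",
    ],
    "sha1": [
        "030adac1abc31aa8bc3a22dda63c4a005aee6e88",
        "da6096edee23cfd59cf90c1e6a3a9146ae9d5ff0",
    ],
    "sha256": [
        "00874ab2a91433dfbfdc9ee6ade6173f3280737fc81505504ace11273f640610",
        "fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6",
    ],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Any hex run of 32..64 chars; length is checked afterwards so that
# only MD5 (32), SHA1 (40) and SHA256 (64) candidates are looked up.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('1.2.3[.]4', 'hxxp://') to raw form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_index(ipv4, hashes):
    """Return {raw_indicator: type} for fast exact-match lookups."""
    index = {refang(ip): "ipv4" for ip in ipv4}
    for algo, values in hashes.items():
        for value in values:
            index[value.lower()] = algo
    return index


def scan_log_lines(lines, index):
    """Return (line_number, indicator_type, indicator) for every match."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in index:
                hits.append((number, "ipv4", ip))
        for candidate in HEX_RE.findall(line):
            value = candidate.lower()  # hashes may be logged in upper case
            if len(value) in (32, 40, 64) and value in index:
                hits.append((number, index[value], value))
    return hits


# Constructed sample proxy log: one internal host reaching two listed IPs.
SAMPLE_PROXY_LOG = [
    "2024-12-03T09:12:44Z src=10.0.5.23 dst=185.228.234.237 dport=443 action=allow bytes=18342",
    "2024-12-03T09:12:51Z src=10.0.5.23 dst=93.184.216.34 dport=443 action=allow bytes=2210",
    "2024-12-03T09:13:02Z src=10.0.7.9 dst=77.232.41.29 dport=80 action=allow bytes=51200",
]

# Constructed sample EDR events carrying file hashes (one in upper case).
SAMPLE_EDR_EVENTS = [
    "host=WS-0412 process=excel.exe child=explorer.exe file_sha256=fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6",
    "host=WS-0412 process=outlook.exe file_md5=d41d8cd98f00b204e9800998ecf8427e",
    "host=WS-0199 process=winword.exe file_md5=9C0DE297B9EA30FFBE100EE12150F122",
]


if __name__ == "__main__":
    ioc_index = build_ioc_index(ADVISORY_IPV4, ADVISORY_HASHES)
    for source, lines in (("proxy", SAMPLE_PROXY_LOG), ("edr", SAMPLE_EDR_EVENTS)):
        for number, kind, value in scan_log_lines(lines, ioc_index):
            print(f"[{source}] line {number}: {kind} match {value}")
```

Feed real log exports to scan_log_lines one line at a time; the index is a plain dictionary, so it stays fast as the hash list grows, and case folding means EDR products that log hashes in upper case still match.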

Endpoint Protection:

  • Implement endpoint detection and response (EDR) solutions to detect abnormal behaviors on endpoints.

Two-Factor Authentication (2FA):

  • Enforce 2FA to secure accounts against unauthorized access.

Regular Backups:

  • Maintain and regularly update backups to ensure data recovery in the event of ransomware deployment.

Conclusion

SmokeLoader’s resurgence highlights the enduring danger of legacy malware combined with modern evasion tactics. By exploiting unpatched vulnerabilities and human error, it remains a powerful tool for delivering ransomware, spyware, and other malicious payloads. This threat underscores the need for organizations to prioritize patch management, enhance email security, and foster cybersecurity awareness. Vigilance and proactive defenses are critical to staying ahead of evolving threats like SmokeLoader.


Sources