SmokeLoader malware identified targeting Taiwanese firms via phishing, exploiting Microsoft Office vulnerabilities
Analysis Summary
# Tool/Technique: SmokeLoader
## Overview
SmokeLoader is a modular, plugin-driven piece of malware used in a recent campaign observed targeting Taiwanese organizations in the manufacturing, healthcare, and IT sectors. SmokeLoader is normally deployed as a downloader that fetches a second-stage payload; in this campaign it instead carries out the final-stage activity itself, through its embedded plugins, with no separate secondary payload.
## Technical Details
- Type: Malware family
- Platform: Windows. The exploited vulnerabilities are Microsoft Office bugs, and the applications it targets (Outlook, Edge, Chrome, Firefox, Thunderbird) are desktop clients.
- Capabilities: Modular execution via plugins, credential theft, cookie clearing, process injection, data exfiltration from browsers/email clients.
- First Seen: Not stated in the source. SmokeLoader itself is a long-established family, tracked under that name (and as Dofoil) since roughly 2011; the campaign described here is a recent deployment of it.
## MITRE ATT&CK Mapping
* **Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
* **Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
- T1203 - Exploitation for Client Execution (CVE-2017-0199 and CVE-2017-11882 in Microsoft Office, triggered when the attachment is opened)
* **Defense Evasion / Privilege Escalation**
- T1055 - Process Injection (the plugin set includes code injection into other processes)
* **Credential Access**
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Web Browsers (Chrome, Firefox, Edge)
* **Collection**
- T1005 - Data from Local System (browser autofill data, FTP client data)
- T1114.001 - Local Email Collection (Outlook, Thunderbird)
* **Exfiltration**
- T1041 - Exfiltration Over C2 Channel (the source confirms that harvested data is exfiltrated but does not describe the channel; the SmokeLoader C2 is the likely path)
* **Persistence**
- Not described in the source; no persistence technique is mapped.
## Functionality
### Core Capabilities
- **Initial Delivery:** Delivered via sophisticated phishing emails written in local languages, containing malicious attachments.
- **Vulnerability Exploitation:** Exploits two long-patched Microsoft Office vulnerabilities to gain code execution when the attachment is opened: CVE-2017-0199 (Office/WordPad handling of remote OLE2Link objects, commonly weaponized through a remote-template or HTA chain) and CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor component, EQNEDT32.EXE). Neither requires macros, so macro-blocking policies alone do not stop this chain.
- **Staging:** Executes AndeLoader, which prepares the final deployment of SmokeLoader.
- **Modular Operation:** Operates primarily through nine distinct plugins to perform specific malicious tasks.
### Advanced Features
- **Direct Payload Execution:** Utilizes its own plugins for the final attack stage, avoiding the traditional role of serving as a pure downloader.
- **Data Harvesting:** Specific plugins are designed to steal sensitive information:
- Extracting credentials and autofill data from Chrome, Firefox, and Edge.
- Retrieving email information from Outlook and Thunderbird.
- **Process Interaction:** Includes functionality for code injection into processes.
- **Session Cleaning:** Capable of clearing user cookies.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided, but attachments in phishing emails are the initial vector]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided]
- Behavioral Indicators: An Office process (e.g., WINWORD.EXE) spawning EQNEDT32.EXE or a script host shortly after a document is opened; EQNEDT32.EXE itself spawning child processes; subsequent AndeLoader execution; then SmokeLoader activity such as injection into other processes and reads of browser login/cookie databases and email-client profiles by a process that is not the owning application.
## Associated Threat Actors
- Not named in the source. The localized lures and the sector-specific targeting indicate a deliberately targeted campaign, but the article does not support attribution to a particular APT or criminal group.
## Detection Methods
- **Signature-based detection:** Keep antivirus/EDR signatures current; both CVEs and the SmokeLoader family are widely covered, and the exploit documents themselves are often caught at the mail gateway.
- **Behavioral detection:** Monitor process-creation telemetry for Office applications spawning EQNEDT32.EXE, mshta.exe, PowerShell, cmd.exe or other script hosts; for any child process of EQNEDT32.EXE; for non-browser processes reading browser credential or cookie stores; and for cross-process injection originating from a recently created process. These chains are rare in normal use and are high-fidelity signals for this campaign.
- **YARA rules:** [Not provided]
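As an added illustration (not code from the original report or from the researchers who analyzed this campaign), the following Python sketch runs the behavioral checks described above over a handful of constructed process-creation and file-access events. The event dictionaries use a generic normalized shape (`event_type`, `image`, `parent_image`, `command_line`, `target_file`) that is an assumption for this example, not any vendor's telemetry schema; the rule names are likewise chosen here.

```python
import re
from dataclasses import dataclass

# Office hosts that would open the phishing attachment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Legacy Equation Editor, the process exploited by CVE-2017-11882.
EQUATION_EDITOR = "eqnedt32.exe"
# Script hosts / LOLBins typically launched by a CVE-2017-0199-style OLE/HTA chain.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Applications that legitimately read their own credential stores.
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "thunderbird.exe"}
# Credential/cookie store paths for the browsers and mail clients named in the report.
CRED_STORE_PATTERNS = [
    re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\(login data|cookies)$", re.I),
    re.compile(r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
    re.compile(r"\\thunderbird\\profiles\\.*\\(logins\.json|key4\.db)$", re.I),
]


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating \\ or / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(events):
    """Apply the four behavioral checks to a list of normalized events (assumed schema)."""
    findings = []
    for ev in events:
        if ev["event_type"] == "process_create":
            parent = image_name(ev["parent_image"])
            child = image_name(ev["image"])
            if parent in OFFICE_HOSTS and child == EQUATION_EDITOR:
                findings.append(Finding("office_spawns_equation_editor", "high",
                                        f"{parent} -> {child}"))
            elif parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
                findings.append(Finding("office_spawns_script_host", "high",
                                        f"{parent} -> {child}: {ev.get('command_line', '')}"))
            elif parent == EQUATION_EDITOR:
                # Equation Editor has no legitimate reason to launch anything.
                findings.append(Finding("equation_editor_spawns_child", "critical",
                                        f"{parent} -> {child}"))
        elif ev["event_type"] == "file_access":
            proc = image_name(ev["image"])
            path = ev["target_file"]
            if proc not in STORE_OWNERS and any(p.search(path) for p in CRED_STORE_PATTERNS):
                findings.append(Finding("credential_store_access_by_foreign_process", "high",
                                        f"{proc} read {path}"))
    return findings


# Constructed sample telemetry (not real captures): an exploit chain plus two benign events.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"event_type": "process_create", "parent_image": WORD, "image": EQN,
     "command_line": '"EQNEDT32.EXE" -Embedding'},
    {"event_type": "process_create", "parent_image": EQN, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c C:\Users\user\AppData\Local\Temp\stage.exe"},
    {"event_type": "process_create", "parent_image": WORD, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\user\AppData\Local\Temp\doc.hta"},
    # Benign: Word launching its 32/64-bit print helper is normal and must not alert.
    {"event_type": "process_create", "parent_image": WORD, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
    {"event_type": "file_access", "image": r"C:\Users\user\AppData\Local\Temp\stage.exe",
     "target_file": LOGIN_DATA},
    # Benign: Chrome reading its own Login Data.
    {"event_type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_file": LOGIN_DATA},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Against the sample, the three exploitation-chain events and the stealer's read of Chrome's `Login Data` each produce one finding, while Word launching `splwow64.exe` and Chrome reading its own store stay silent. In production the same logic belongs in the EDR or SIEM rule engine; the point here is the parent/child and owner/non-owner checks, which stay valid regardless of which loader sits between the exploit and SmokeLoader.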
## Mitigation Strategies
- **Antivirus protection:** Ensure AV signatures are current.
- **Phishing awareness training:** Educate users on spotting sophisticated phishing attempts, focusing on inconsistencies in formatting or language.
- **Content Disarm and Reconstruction (CDR):** Deploy CDR at the mail gateway to strip embedded OLE objects, Equation Editor objects and remote-template links from incoming documents before they reach the user. Because this chain uses no macros, a CDR profile that only removes macros would let it through.
- **Patching:** Ensure Office installations carry the 2017 fixes for CVE-2017-0199 and CVE-2017-11882. Microsoft also removed Equation Editor from Office in its January 2018 updates, so confirming that EQNEDT32.EXE is absent (or blocked from executing) is a quick way to verify the exposure is closed on a given host.
## Related Tools/Techniques
- Directly related to the initial stage: AndeLoader
- Functionality comparison points: Remcos RAT (mentioned in related articles), LokiBot (mentioned in related articles)