Healthcare, manufacturing, and IT organizations across Taiwan have been hit by SmokeLoader intrusions in a new campaign, reports The Hacker News. The activity comes more than six months after Operation Endgame, the Europol-led takedown that disrupted up to a thousand of SmokeLoader's command-and-control domains and also dismantled the TrickBot, IcedID, Bumblebee, PikaBot, and SystemBC loaders.
The attacks begin with phishing emails carrying a malicious Microsoft Excel file that exploits two long-patched Office flaws, CVE-2017-0199 (an OLE object-linking bug that fetches and executes remote content when the document is opened) and CVE-2017-11882 (a memory-corruption bug in the legacy Equation Editor), to deliver Ande Loader, according to an analysis from Fortinet FortiGuard Labs. Ande Loader then deploys SmokeLoader, whose stager decrypts and loads a main module that establishes persistence; the main module in turn supports a range of plugins for stealing data such as email addresses, FTP credentials, and Outlook data. Because both vulnerabilities were fixed in 2017, the chain only succeeds on Office installs that are missing years-old updates, which is the first thing to verify on any affected host. SmokeLoader's reliance on plugins to carry out the attack underscores the loader's "flexibility," researchers said, and should prompt increased vigilance among security teams.
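A quick triage check for the document-level indicators described above, as an added example that is not part of the Fortinet analysis or the original article: it unzips an OOXML file, flags relationship entries that pull an OLE object or attached template from an external target (the CVE-2017-0199 pattern), and flags Equation Editor objects by ProgID in the sheet XML or by CLSID in an embedded OLE blob (the CVE-2017-11882 pattern). The sample workbook is constructed in memory (the URL is a documentation address, and the OLE blob is a stub rather than a real compound file); field names and the `is_suspicious` threshold are this example's assumptions.

```python
"""Triage OOXML (.xlsx/.docx) for CVE-2017-0199 / CVE-2017-11882 indicators.

Added example for this article; not the Fortinet or campaign code.  The
indicators are generic document-structure checks, not a signature for the
specific lures seen in the Taiwan campaign.
"""
import io
import re
import zipfile

# Equation Editor (EQNEDT32.EXE) is the component exploited by CVE-2017-11882.
# Its CLSID {0002CE02-0000-0000-C000-000000000046} as laid out on disk inside an
# OLE compound file (little-endian GUID byte order), and its ProgID in OOXML.
EQNEDT_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")
EQNEDT_PROGID_RE = re.compile(rb'progid\s*=\s*"equation\.', re.IGNORECASE)

# Relationship types that make Office fetch content from a URL at open time.
# An external oleObject or attachedTemplate target is the CVE-2017-0199 shape.
EXTERNAL_REL_RE = re.compile(r'relationships/(oleObject|attachedTemplate)"')
TARGET_RE = re.compile(r'Target="([^"]*)"')


def scan_ooxml(data: bytes) -> dict:
    """Return the indicators found in one OOXML document (bytes of the zip)."""
    findings = {"external_ole": [], "equation_editor": [], "macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                    rel = m.group(0)
                    if 'TargetMode="External"' in rel and EXTERNAL_REL_RE.search(rel):
                        target = TARGET_RE.search(rel)
                        findings["external_ole"].append((name, target.group(1) if target else ""))
            elif lower.endswith(".xml"):
                # Sheet/document XML declares embedded objects with a ProgID.
                if EQNEDT_PROGID_RE.search(zf.read(name)):
                    findings["equation_editor"].append(name)
            elif "embeddings/" in lower and lower.endswith(".bin"):
                # Embedded OLE blobs carry the object's CLSID in binary form.
                if EQNEDT_CLSID_BYTES in zf.read(name):
                    findings["equation_editor"].append(name)
            elif lower.endswith("vbaproject.bin"):
                findings["macros"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Assumed policy: any external OLE/template pull or Equation Editor object
    is enough to quarantine for manual review; macros alone are only a note."""
    return bool(findings["external_ole"] or findings["equation_editor"])


def build_sample(malicious: bool = True) -> bytes:
    """Constructed in-memory workbook, not a real sample.  With malicious=True
    it carries both indicator shapes; with malicious=False it is a clean
    workbook with one ordinary internal OLE relationship."""
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if malicious:
            zf.writestr(
                "xl/worksheets/sheet1.xml",
                '<worksheet><oleObjects><oleObject progId="Equation.3" r:id="rId2"/>'
                "</oleObjects></worksheet>",
            )
            zf.writestr(
                "xl/worksheets/_rels/sheet1.xml.rels",
                "<Relationships>"
                f'<Relationship Id="rId1" Type="{rel_type}" '
                'Target="http://198.51.100.10/update.doc" TargetMode="External"/>'
                f'<Relationship Id="rId2" Type="{rel_type}" Target="../embeddings/oleObject1.bin"/>'
                "</Relationships>",
            )
            # Stub OLE blob: just enough bytes to contain the Equation Editor CLSID.
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + EQNEDT_CLSID_BYTES + b"\x00" * 16)
        else:
            zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
            zf.writestr(
                "xl/worksheets/_rels/sheet1.xml.rels",
                f'<Relationships><Relationship Id="rId1" Type="{rel_type}" '
                'Target="../embeddings/oleObject1.bin"/></Relationships>',
            )
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 48)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("constructed malicious", build_sample(True)), ("constructed benign", build_sample(False))):
        result = scan_ooxml(doc)
        print(label, "->", "SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

Run it against a real file with `scan_ooxml(open(path, "rb").read())`; the checks are cheap enough to sit in a mail-gateway attachment filter, but treat a hit as a reason to detonate or hand-analyze the document, not as proof of exploitation.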