December 3, 2024
Severity
High
Analysis Summary
A new campaign distributing the SmokeLoader malware has targeted Taiwanese companies in the information technology, healthcare, and manufacturing sectors. SmokeLoader is known for its adaptability and evasion techniques, and its modular design lets it carry out a wide range of attacks.
Although SmokeLoader's primary role is to deliver other malware, in this campaign it carries out the attack itself by downloading plugins from its command-and-control (C2) server. SmokeLoader, first advertised on cybercrime forums in 2011, is a downloader whose main purpose is to fetch and execute secondary payloads. It can also retrieve additional modules that extend its own capabilities to mine cryptocurrency, steal data, and launch distributed denial-of-service (DDoS) attacks.
To evade detection and hinder analysis, SmokeLoader fingerprints analysis environments, generates decoy network traffic, and obfuscates its code. Its developers have continuously refined the family, adding new features and obfuscation techniques to frustrate research.
SmokeLoader activity dropped significantly after Operation Endgame, a Europol-led action in late May 2024 that took down infrastructure tied to several malware families, including IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot. More than 50,000 infections were remotely cleaned and up to 1,000 C2 domains linked to SmokeLoader were taken down. Nevertheless, threat actors continue to use the malware to distribute payloads through new C2 infrastructure.
According to the researchers, this persistence is largely due to the many cracked versions of SmokeLoader that are freely available online. The latest attack chain begins with a phishing email carrying a Microsoft Excel attachment. When the attachment is opened, it exploits years-old Office vulnerabilities (CVE-2017-0199, an OLE object handling flaw, and CVE-2017-11882, a memory-corruption bug in the legacy Equation Editor) to drop a malware loader known as Ande Loader, which in turn installs SmokeLoader on the compromised host. Neither exploit requires the user to enable macros; an unpatched Office installation is enough.
SmokeLoader consists of two components: a stager and a main module. The stager decrypts, decompresses, and injects the main module into an explorer.exe process; the main module establishes persistence, communicates with the C2 infrastructure, and executes commands. The malware supports numerous plugins that harvest email addresses, cookies, login and FTP credentials, and other data from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP. Rather than downloading a final-stage payload, SmokeLoader in this campaign carries out the attack through these plugins. This demonstrates SmokeLoader's adaptability and shows that even well-known malware families need careful examination.
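The Excel attachment in this chain relies on two document-level exploits rather than macros, so a mail gateway or sandbox can triage it by looking for the structural fingerprints of each. The following Python script is an added example, not code from the advisory or from any vendor: it checks an OLE2 or OOXML document for the Equation Editor 3.0 class identifier {0002CE02-0000-0000-C000-000000000046} and an "Equation Native" stream name (CVE-2017-11882), and for an oleObject relationship that points to an external URL (CVE-2017-0199). The sample documents, the `198.51.100.7` address (a documentation range) and the `_build_xlsx` helper are constructed for the demonstration; no exploit body is reproduced.

```python
"""Triage an Office attachment for CVE-2017-11882 / CVE-2017-0199 indicators.

Added example, not from the advisory. Heuristics only: a hit means "inspect this
file", a miss does not prove the file is clean.
"""
from __future__ import annotations

import io
import re
import uuid
import zipfile

# Equation Editor 3.0 class identifier, abused by CVE-2017-11882 documents.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# OLE compound files store the first three GUID fields little-endian.
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le
# Directory entry names in a compound file are UTF-16LE.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_ole_bytes(blob: bytes) -> list[str]:
    """Look for the Equation Editor fingerprints in a raw OLE2 object."""
    hits = []
    if EQNEDT_CLSID_LE in blob:
        hits.append("Equation Editor 3.0 CLSID present (CVE-2017-11882 indicator)")
    if EQUATION_NATIVE_UTF16 in blob:
        hits.append("'Equation Native' stream name present (CVE-2017-11882 indicator)")
    return hits


def scan_rels(xml: str, part: str) -> list[str]:
    """Flag oleObject relationships that resolve to an external target."""
    hits = []
    for rel in REL_RE.findall(xml):
        attrs = dict(ATTR_RE.findall(rel))
        rtype = attrs.get("Type", "")
        target = attrs.get("Target", "")
        mode = attrs.get("TargetMode", "Internal")
        if rtype.endswith("/oleObject") and mode == "External":
            hits.append(f"{part}: external OLE object -> {target} (CVE-2017-0199 indicator)")
    return hits


def scan_document(data: bytes) -> list[str]:
    """Return findings for a legacy OLE2 (.xls/.doc) or OOXML zip (.xlsx/.docx) blob."""
    if data.startswith(OLE_MAGIC):
        return scan_ole_bytes(data)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["unrecognized container format"]
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name.endswith(".rels"):
                findings += scan_rels(body.decode("utf-8", "replace"), name)
            elif "/embeddings/" in name or name.endswith(".bin"):
                findings += [f"{name}: {h}" for h in scan_ole_bytes(body)]
    return findings


# ---- constructed sample documents (not real malware) ----
OLE_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def _build_xlsx(rels_xml: str, embedded: bytes | None) -> bytes:
    """Build a minimal OOXML-shaped zip for the demonstration (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels_xml)
        if embedded is not None:
            zf.writestr("xl/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


BENIGN_RELS = (
    '<Relationships><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/drawing" '
    'Target="../drawings/drawing1.xml"/></Relationships>'
)
# Constructed: remote OLE link of the kind used by CVE-2017-0199 documents.
REMOTE_OLE_RELS = (
    f'<Relationships><Relationship Id="rId2" Type="{OLE_NS}" '
    'Target="http://198.51.100.7/template.rtf" TargetMode="External"/></Relationships>'
)
# Constructed: a fake OLE header plus the Equation Editor CLSID, only the fingerprint.
FAKE_EQNEDT_OBJECT = OLE_MAGIC + b"\x00" * 64 + EQNEDT_CLSID_LE + b"\x00" * 32

BENIGN_XLSX = _build_xlsx(BENIGN_RELS, None)
SUSPECT_XLSX = _build_xlsx(REMOTE_OLE_RELS, FAKE_EQNEDT_OBJECT)

if __name__ == "__main__":
    for label, doc in (("benign.xlsx", BENIGN_XLSX), ("suspect.xlsx", SUSPECT_XLSX)):
        print(label, scan_document(doc) or ["no exploit indicators"])
```

Run it on a quarantined attachment with `scan_document(open(path, "rb").read())`. The checks are deliberately cheap byte and regex matches so they can sit in a mail pipeline; a hit should route the file to a sandbox, and a miss is not a clean verdict, since the same CVEs have been delivered in RTF and other wrappers this script does not parse.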
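The two behaviours described above, an Excel process spawning a dropped loader and that loader injecting a module into explorer.exe, are both visible in endpoint telemetry. The following Python is an added example, not the advisory's or any vendor's detection content: it runs two rules over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread) fields, and correlates them through the process GUID so that a remote thread into explorer.exe from an Office-spawned executable is rated higher than either event alone. The events, the `loader.exe` filename and the `INJECTION_SOURCE_ALLOWLIST` are assumptions for the demonstration, not indicators from this campaign.

```python
"""Correlate Office-spawned executables with injection into explorer.exe.

Added example, not from the advisory. Input is a chronologically ordered list of
dicts using Sysmon field names; the sample events are constructed.
"""
from __future__ import annotations

import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Paths a phished user can write to; a dropped loader normally lands here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Assumed allowlist of processes that legitimately create remote threads in
# explorer.exe; tune this to your own baseline before deploying.
INJECTION_SOURCE_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[dict]:
    """Return alerts for Office-spawned loaders and remote threads into explorer.exe."""
    alerts: list[dict] = []
    office_children: dict[str, str] = {}  # ProcessGuid -> image spawned by an Office app
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"]
            if _base(ev["ParentImage"]) in OFFICE_APPS and any(
                m in image.lower() for m in USER_WRITABLE_MARKERS
            ):
                office_children[ev["ProcessGuid"]] = image
                alerts.append({
                    "rule": "office_spawn_user_writable",
                    "severity": "medium",
                    "image": image,
                    "parent": ev["ParentImage"],
                })
        elif ev["EventID"] == 8:
            if _base(ev["TargetImage"]) != "explorer.exe":
                continue
            if ev["SourceImage"].lower() in INJECTION_SOURCE_ALLOWLIST:
                continue
            correlated = ev["SourceProcessGuid"] in office_children
            alerts.append({
                "rule": "remote_thread_into_explorer",
                "severity": "high" if correlated else "medium",
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "correlated_with_office_spawn": correlated,
            })
    return alerts


# ---- constructed sample telemetry (hypothetical paths and GUIDs) ----
G_EXCEL, G_LOADER, G_CSRSS = "{a1}", "{b2}", "{c3}"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": G_EXCEL,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Dropped loader launched by Excel from the user's temp directory.
    {"EventID": 1, "ProcessGuid": G_LOADER,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    # Benign: Office spawning the print helper from System32, no alert.
    {"EventID": 1, "ProcessGuid": "{d4}",
     "Image": "C:\\Windows\\System32\\splwow64.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    # Benign: allowlisted system process touching explorer.exe.
    {"EventID": 8, "SourceProcessGuid": G_CSRSS,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    # The stager injecting the main module into explorer.exe.
    {"EventID": 8, "SourceProcessGuid": G_LOADER,
     "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same logic maps to two rules plus a join on the process GUID; the join is what turns two medium-confidence signals into one that is worth paging on, because the advisory's chain (Office document, dropped loader, injection into explorer.exe) is exactly this sequence.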
Impact
- Data Theft
- Cryptocurrency Mining (Resource Hijacking)
- Denial of Service
Indicators of Compromise
IP
- 198.23.188.147
- 77.232.41.29
- 91.183.104.24
- 185.228.234.237
MD5
- 5720b40b3f78260d801ca1eb6a78ccf5
- ffd7499fa5cf43aca7f722104ac3df2f
- a2d3965c3a26d3a19521b7fed33e5178
- e5a034c661335b4d4db5c6cf79cb1fc6
- 6556c7e6d392f8819fe4a9d22bcf8cb6
- 6bc806e410f53aa38766aa3f4de93cc9
- d07a017552efe638cababa00f05de3d4
- f9dfe3abc5d429a01ffecfa629952ece
- f610e8bd206f5c2a74866242dfc67e8e
- db904d31e6449052dff4807bb1aca719
- e806184cab7a6d14cd08cf7db3918d35
- 9c0de297b9ea30ffbe100ee12150f122
SHA-256
- 3e523ed80dbb592b1ff8c3345c3cd231ddd5a06e1af4c7b7d1f7f81249d0c4a3
- ad657479d9f6322daba65638523d65631ff83ba5a717261acb5a53fd48e52209
- 8dc06fdc2897d7c3438105ea0a39d2074774f80e051007fe7799b8195580ad2f
- fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6
- 392d201120936c1f0e77bdb4b490f2825c1e6f584f18055c742b36250f89566b
- e29c269a4c3ee4bbd673bfe0d24ca7d131d9221607e26a60989e81d8ffc17095
- 00874ab2a91433dfbfdc9ee6ade6173f3280737fc81505504ace11273f640610
- 1a1c8cdac1c3cbae5f1140e850ee06b414259876dab97152669f7c0f93469b13
- 5dc92a6ed1ef2a5d9cf2a112532ad2c9fd70bff727e4cb60cd5d9c4966f2f77f
- a334ba0d8ac0676d09e41aa273589ee27338c44a09109a4d5defa45f1d9bd82b
- a4ec792538455fb56f0b89ae10ddd0b2504afba092ba5cfa2083cf61b5fac0ef
- f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
SHA1
- 6fc30d35458e00f6b6d47dfc5f7fafcd93e56a2d
- bb8d3963016350555ddca1bdd1be1cb604bef2b1
- 078cad1c09045d2be6345a9ad71cf2bf03a7bd51
- 6f31729421eea5fd1af93bf3b473025fca4589b9
- a16ee7ad992307b1fc30dfa2a0a52a50826b1300
- 0c479871f6a41dc814713d3a51fb025fac1ac882
- 6458c9fe496491b5e6e3f95ddf40907fab812a08
- a53bf1ed20e5b798f62e33f732de76ff43cf5bc4
- f59416f6bb770aa6f36d044c37f1693988f1bbe4
- d3ecdae1dc6741a0b241bccd30d15054d048e268
- e0ff3a23666d9e894557b39221577282dcd124fd
- da6096edee23cfd59cf90c1e6a3a9146ae9d5ff0
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not open documents attached to emails from unknown sources and never enable macros unless the source is trusted. Note that the exploits used in this campaign (CVE-2017-0199 and CVE-2017-11882) trigger when the document is opened and do not depend on macros, so user caution alone is not sufficient.
- Ensure that all systems, software, and applications are up to date with the latest security patches. In particular, confirm that Microsoft Office installations carry the 2017 fixes for CVE-2017-0199 and CVE-2017-11882 or that the legacy Equation Editor component has been removed, and regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection that includes advanced threat detection, behavior monitoring, and real-time protection against malware, with particular attention to Office applications spawning executables and to process injection into explorer.exe, which is how the SmokeLoader stager loads its main module.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.