
SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

HackRead

SUMMARY

  • Targeted Campaign: SmokeLoader malware attacks Taiwanese industries, including manufacturing, healthcare, and IT.

  • Phishing Emails: The campaign uses phishing emails exploiting MS Office vulnerabilities (CVE-2017-0199, CVE-2017-11882).

  • Credential Theft: Plugins target browsers, email clients, and FTP software to steal credentials and sensitive data.

  • Advanced Techniques: SmokeLoader employs evasion tactics like code obfuscation, anti-debugging, and sandbox evasion.

  • Preventative Measures: FortiGuard Labs blocked the malware, offering antivirus signatures and IPS rules for protection.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a series of new malware attacks targeting companies in Taiwan. The attacks, which have been linked to the SmokeLoader malware, have impacted industries ranging from manufacturing and healthcare to IT and beyond.

SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data.

According to research by FortiGuard Labs, the attacks began with phishing emails carrying malicious attachments designed to exploit two long-patched vulnerabilities in Microsoft Office. CVE-2017-0199 is a flaw in how Office handles linked OLE objects that lets a document fetch and execute a remote payload (typically an HTA file) as soon as it is opened; CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that gives the attacker remote code execution. Microsoft fixed both in 2017, so the campaign relies on targets running unpatched Office installations.

According to FortiGuard Labs' blog post, shared with Hackread.com ahead of publication on Monday, the emails were written in native Taiwanese and were convincing, but contained inconsistencies, such as mismatched fonts and colour schemes, that suggested the text had been copied from elsewhere.

Once the malicious attachment was opened, the SmokeLoader malware was downloaded and executed, and began communicating with its command-and-control (C2) server. From there, the malware downloaded various plugins, each designed to target specific applications and extract sensitive information.

The plugins used by SmokeLoader were found to target popular web browsers, email clients, and file transfer protocol (FTP) software, including Internet Explorer, Firefox, Chrome, Opera, Outlook, Thunderbird, and FileZilla. The malware was able to extract login credentials, auto-fill data, and even email addresses from these applications.

One of the plugins, known as Plugin 4, was designed to clear cookies from targeted browsers, forcing victims to re-enter their login credentials. Another plugin, Plugin 8, was used to inject keylogging code into explorer.exe, allowing the malware to capture keyboard inputs and clipboard content.

The SmokeLoader malware was also found to use advanced techniques to evade detection, including code obfuscation, anti-debugging, and sandbox evasion. Its modular design allows it to adapt to different attack scenarios, making it a formidable threat to organizations.

The attack flow and phishing emails used in the attack (Via: Fortinet’s FortiGuard Labs)

FortiGuard Labs has detected and blocked the malware, assigning it a severity level of "High." The company has also provided protections for its customers, including antivirus signatures and IPS rules to detect and block the malware and the exploit documents that deliver it.

In a comment to Hackread.com, Casey Ellis, Founder and Advisor at the San Francisco-based crowdsourced security firm Bugcrowd, suggested that the use of SmokeLoader fits a broader global pattern of threat actors preparing for future attacks by infiltrating systems in advance:

"Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs) and the use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world."

What can you do to protect yourself?

To avoid falling victim to the SmokeLoader malware, stay cautious with emails from unknown or suspicious sources. Don't click on links or download attachments, especially if they prompt you to enable macros or run files. Note that the two Office flaws used in this campaign fire when the document is opened and do not need macros, so keeping Office fully patched (fixes for both have been available since 2017) matters more than any macro setting.

If you’re unsure about an email, even from a familiar source, check its content carefully. Scan links, files, and attachments using tools like VirusTotal or your system’s security software to ensure they’re safe.
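The exploit chain described above (a linked OLE object that auto-updates from a remote URL for CVE-2017-0199, an embedded Equation Editor object for CVE-2017-11882) leaves static markers in the attachment that can be checked before anything is opened. The following script is an added example written for this page; it is not Fortinet's, HackRead's or Microsoft's code. It relies on two publicly documented identifiers, the Equation Editor ProgID "Equation.3" and its CLSID {0002CE02-0000-0000-C000-000000000046}, plus the RTF and OOXML structures those exploits use. The sample RTF and .docx it builds are constructed in-memory placeholders (the URL uses the TEST-NET-3 range), not real exploit documents.

```python
"""Static triage of Office attachments for the CVE-2017-0199 and CVE-2017-11882
exploit patterns. Added example, stdlib only; handles RTF and OOXML containers."""
import io
import re
import zipfile

# Equation Editor identifiers. The ProgID appears as ASCII in OLE1 headers
# (RTF \objdata) and OLE2 CompObj streams; the CLSID
# {0002CE02-0000-0000-C000-000000000046} is stored little-endian in OLE2.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-f\s]+)")
REL_RE = re.compile(rb"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def _hex_blobs(low_rtf):
    """Decode every \\objdata hex run in an already lower-cased RTF body."""
    for run in OBJDATA_RE.findall(low_rtf):
        hexstr = re.sub(rb"\s", b"", run).decode("ascii")
        yield bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])


def _triage_rtf(data):
    low = data.lower()
    findings = []
    if rb"\objupdate" in low:  # forces a linked OLE object to refresh on open
        findings.append("CVE-2017-0199 pattern: \\objupdate forces an OLE link to refresh on open")
    blobs = list(_hex_blobs(low))
    if rb"\objclass equation.3" in low or any(
            EQNEDT_PROGID in b or EQNEDT_CLSID_LE in b for b in blobs):
        findings.append("CVE-2017-11882 pattern: embedded Equation.3 object")
    return findings


def _triage_ooxml(data):
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                for rel in REL_RE.findall(content):
                    attrs = {k.lower(): v for k, v in ATTR_RE.findall(rel)}
                    external = attrs.get(b"targetmode", b"").lower() == b"external"
                    if external and attrs.get(b"type", b"").endswith(b"relationships/oleObject"):
                        target = attrs.get(b"target", b"").decode("ascii", "replace")
                        findings.append(f"CVE-2017-0199 pattern: {name} links an OLE object to {target}")
            elif name.endswith(".xml") and re.search(rb'ProgID="Equation\.3"', content):
                findings.append(f"CVE-2017-11882 pattern: {name} references ProgID Equation.3")
            elif "/embeddings/" in name and (EQNEDT_PROGID in content or EQNEDT_CLSID_LE in content):
                findings.append(f"CVE-2017-11882 pattern: {name} embeds an Equation Editor object")
    return findings


def triage(data):
    """Return human-readable findings; an empty list means no indicator was seen.
    A hit is a triage signal worth detonating in a sandbox, not proof of exploitation."""
    if data.lstrip().startswith(b"{\\rtf"):
        return _triage_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return _triage_ooxml(data)
    return ["unrecognised container (not RTF or OOXML): inspect manually"]


def build_sample_rtf():
    """Constructed sample: one auto-updating linked object (CVE-2017-0199 shape) and
    one OLE1 Equation.3 object (CVE-2017-11882 shape). The \\objdata payloads are
    placeholder OLE1 headers (version, format, class-name length, class name)."""
    eq_hdr = b"01050000" + b"02000000" + b"0b000000" + EQNEDT_PROGID.hex().encode() + b"00"
    return (rb"{\rtf1"
            rb"{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
            rb"{\*\objdata 0105000002000000}}"
            rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + eq_hdr + rb"}}}")


def build_sample_docx(ole_target="http://203.0.113.10/update.hta"):
    """Constructed sample .docx. With ole_target set (placeholder TEST-NET-3 URL) it
    carries an external OLE link plus an Equation Editor embedding; with
    ole_target=None it is a benign document holding only a styles relationship."""
    ns = b'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
    base = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = [b'<Relationship Id="rId1" Type="' + base + b'styles" Target="styles.xml"/>']
    body = b"<w:p/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if ole_target:
            rels.append(b'<Relationship Id="rId9" Type="' + base + b'oleObject" Target="'
                        + ole_target.encode() + b'" TargetMode="External"/>')
            body = b'<o:OLEObject Type="Link" ProgID="Word.Document.8" r:id="rId9" UpdateMode="Always"/>'
            # OLE2 magic followed by the Equation Editor CLSID, enough for the byte scan.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(16) + EQNEDT_CLSID_LE)
        z.writestr("word/_rels/document.xml.rels",
                   b"<Relationships " + ns + b">" + b"".join(rels) + b"</Relationships>")
        z.writestr("word/document.xml", b"<w:document><w:body>" + body + b"</w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("rtf", build_sample_rtf()), ("docx", build_sample_docx())):
        print(label, triage(doc))
```

Run it against a real attachment with `triage(open(path, "rb").read())`. The RTF check keys on the `\objupdate` control word and on the Equation.3 class name inside decoded `\objdata` hex; the OOXML check walks every `.rels` part for an `oleObject` relationship with `TargetMode="External"` and scans `word/embeddings/*` for the Equation Editor identifiers. Legitimate documents almost never combine an external OLE link with forced update, but a hit should still be confirmed in a sandbox rather than treated as proof on its own.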

  1. Fickle Stealer Exploits Software Flaws, Steals Browser Data
  2. Malware Exploits Avast Anti-Rootkit Driver to Disable Security
  3. Malware Bypasses Microsoft Defender, Steals $24,000 in Crypto
  4. SteelFox Malware Posing as Popular Software, Steal Browser Data
  5. Facebook Malvertising Attack Spreads Malware via Fake Bitwarden

Related news

Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows

This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to…

Sidewinder Casts Wide Geographic Net in Latest Attack Spree

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,

Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said. "Another noteworthy characteristic of this malware is its

India-Linked SideWinder Group Pivots to Hacking Maritime Targets

The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames,

New Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla

Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by

North Korea's Kimsuky APT Keeps Growing, Despite Public Outing

Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack met...

Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations

A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a "small crime threat actor." "Since 2018,

Microsoft Office Most Exploited Software in Malware Attacks – Report

By Deeba Ahmed. Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its…

Emotet Banking Trojan Resurfaces, Skating Past Email Security

The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.

Bitter APT adds Bangladesh to their targets

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims. As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other...

HackRead: Latest News

15 SpyLoan Apps Found on Play Store Targeting Millions