A highly sophisticated cyber campaign targets Taiwanese companies across multiple critical sectors, leveraging an advanced strain of SmokeLoader malware that goes far beyond traditional malware delivery methods. FortiGuard Labs has uncovered a meticulously crafted attack demonstrating the evolving complexity of modern cybersecurity threats.
Precision-Crafted Phishing Strategy
The campaign, active in September, employs carefully constructed phishing emails designed to deceive targets in the manufacturing, healthcare, and information technology industries.

These emails, written with native Chinese linguistic nuances, masquerade as seemingly legitimate price quotes—a tactic that significantly increases their potential success rate.
Multilayered Infection Mechanism
The infection process is a testament to the threat actors’ technical sophistication. Upon a recipient downloading the malicious Office document, an initial VBS file loads AndeLoader, which ultimately delivers the SmokeLoader payload.
What makes this campaign particularly insidious is its exploitation of seemingly obsolete security vulnerabilities from 2017, specifically CVE-2017-0199 and CVE-2017-11882.
Advanced Malware Capabilities
Unlike traditional malware, SmokeLoader is a modular threat with extensive capabilities. Once a system is compromised, the malware can:
- Extract login credentials from multiple browsers including Chrome, Firefox, and Edge
- Harvest autofill data and browser cookies
- Collect credentials from Microsoft Outlook and FTP clients like FileZilla and WinSCP
- Inject malicious plugins into system processes to avoid detection
Evasion and Persistence Tactics
The malware employs advanced evasion techniques that make detection challenging. By injecting plugins into suspended processes like explorer.exe and modifying their memory, the threat actors can resume execution while maintaining stealth.
Additionally, the malware establishes persistence by strategically altering registry keys, ensuring continued operation even after system reboots.
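The chain described in the infection and persistence sections above (an Office document spawning a VBS script host, a Run-key registry write for persistence, and a remote thread planted in explorer.exe) is the kind of behaviour endpoint telemetry can surface even when the payload itself changes. The following detection sketch is an added example, not FortiGuard's code or tooling; it runs three simple checks over constructed Sysmon-style events. The log lines, paths and the "key=value|key=value" layout are made up for this example (only the field names follow Sysmon naming), and the "source image outside C:\Windows" heuristic for injection is an assumption a real deployment would tune.

```python
"""Three behavioural checks for the SmokeLoader delivery chain described above,
run over constructed Sysmon-style events. Added example; not the vendor's code."""
import re

# Constructed sample telemetry (not real logs). EventID 1 = process create,
# 13 = registry value set, 8 = CreateRemoteThread. Raw string keeps backslashes.
SAMPLE_LOG = r"""
EventID=1|Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=wscript.exe C:\Users\user\AppData\Local\Temp\quote.vbs
EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe
EventID=13|Image=C:\Users\user\AppData\Roaming\svc.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc|Details=C:\Users\user\AppData\Roaming\svc.exe
EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters|Details=NTP
EventID=8|SourceImage=C:\Users\user\AppData\Roaming\svc.exe|TargetImage=C:\Windows\explorer.exe|StartAddress=0x1F0000
EventID=8|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\explorer.exe|StartAddress=0x7FF0
"""

# Office parents that should rarely launch a script host directly.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Script hosts a VBS dropper relies on (mshta.exe added from general knowledge
# of HTA-based lures; it is not named on the page).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Autostart locations: matches ...\CurrentVersion\Run\ and ...\RunOnce\.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_events(text):
    """Turn the constructed 'key=value|key=value' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for pair in line.split("|"):
            key, _, value = pair.partition("=")
            fields[key] = value
        events.append(fields)
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(events):
    """Check 1: an Office process is the parent of a script host (VBS stage)."""
    return [e for e in events
            if e.get("EventID") == "1"
            and basename(e.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(e.get("Image", "")) in SCRIPT_HOSTS]


def run_key_persistence(events):
    """Check 2: a registry value written under a Run/RunOnce autostart key."""
    return [e for e in events
            if e.get("EventID") == "13"
            and RUN_KEY.search(e.get("TargetObject", ""))]


def injection_into_explorer(events):
    """Check 3: a remote thread created in explorer.exe by a binary that does
    not live under C:\\Windows (heuristic; an assumption, tune per estate)."""
    return [e for e in events
            if e.get("EventID") == "8"
            and basename(e.get("TargetImage", "")) == "explorer.exe"
            and not e.get("SourceImage", "").lower().startswith("c:\\windows\\")]


def triage(text):
    """Run all three checks and return the matching events per check."""
    events = parse_events(text)
    return {
        "office_to_script": office_spawned_script_host(events),
        "run_key_persistence": run_key_persistence(events),
        "explorer_injection": injection_into_explorer(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit.get("CommandLine") or hit.get("TargetObject") or hit.get("SourceImage"))
```

Each check flags exactly one of the constructed lines and ignores its benign neighbour (explorer launching Notepad, a service parameter write, a thread from a system binary). Correlating all three on one host within a short window is what turns these individually noisy signals into a high-confidence alert for a loader chain like the one described.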
In one observed instance, researchers found that SmokeLoader downloaded nine distinct plugins, each injected into a process suited to the target system's architecture.
The potential for data breach and corporate espionage is significant, with threat actors capable of accessing internal company information and potentially spreading the attack through compromised employee accounts.