SmokeLoader Actively Spreads by Exploiting Old Vulnerabilities

What happened?

• Researchers had spotted the mass exploitation of two flaws— CVE-2017-0199 and CVE-2017-11882—that are almost five years old. Although patches are available for both flaws, they continue to be exploited.
• Threat actors were taking advantage of these vulnerabilities to distribute SmokeLoader malware.
• SmokeLoader, which is available on the market in one form or another since 2011, is primarily used to distribute other malware families such as TrickBot. 

Modus operandi

• The infection chain started with a phishing email that urges recipients to review a purchase order and check for dates related to shipping.
• These emails came from a webmail address hosted by a large telecommunications company in Taiwan and included an excel file such as ‘Purchase Order FG-20220629.xlsx.’
• These files contain exploits for the vulnerabilities in an encrypted format.  
• The attack also leverages EXE and DLL files to bypass email security systems. 

SmokeLoader remains a popular malware dropper

• While Fortinet found that the latest sample dropped by SmokeLoader was zgRAT trojan, there was also a report describing the distribution of Amadey malware.
• According to AhnLab researchers, SmokeLoader was used in a recent campaign that used software cracks and keygen sites as lures. 
• Once these software cracks were opened, they caused the download of SmokeLoader which eventually distributed a new version of Amadey malware.

Conclusion