Unpatched vulnerabilities have always been a sweet spot for cybercriminals looking to launch attacks. One recent incident illustrates the poor state of vulnerable systems.

What happened?

  • Researchers spotted the mass exploitation of two flaws, CVE-2017-0199 and CVE-2017-11882, that are almost five years old. Although patches are available for both flaws, they continue to be exploited.
  • Threat actors were taking advantage of these vulnerabilities to distribute SmokeLoader malware.
  • SmokeLoader, which has been available on the market in one form or another since 2011, is primarily used to distribute other malware families such as TrickBot.

Modus operandi

  • The infection chain started with a phishing email that urged recipients to review a purchase order and check the dates related to shipping.
  • These emails came from a webmail address hosted by a large telecommunications company in Taiwan and included an Excel file such as ‘Purchase Order FG-20220629.xlsx’.
  • These files contained exploits for the vulnerabilities in an encrypted format.
  • The attack also leveraged EXE and DLL files to bypass email security systems.

SmokeLoader remains a popular malware dropper

  • While Fortinet found that the latest sample dropped by SmokeLoader was the zgRAT trojan, there was also a report describing the distribution of Amadey malware.
  • According to AhnLab researchers, SmokeLoader was used in a recent campaign that used software cracks and keygen sites as lures. 
  • Once these software cracks were opened, they downloaded SmokeLoader, which eventually distributed a new version of Amadey malware.


While CVE-2017-0199 and CVE-2017-11882 were discovered in 2017, they are still being actively exploited in various other campaigns. This demonstrates that malware authors continue to rely on aging vulnerabilities that have yet to be patched effectively across a wide range of software. Meanwhile, the reappearance of SmokeLoader indicates that the malware dropper is here to stay for a long time.
Cyware Publisher