Several threat actors have been spreading SmokeLoader by exploiting previously known vulnerabilities, including two well-known flaws, CVE-2017-11882 and CVE-2017-0199.
Reports stated that researchers had fixed these vulnerabilities, but some threat actors still find ways to abuse them in attacks, especially for malware delivery.
Several researchers said SmokeLoader has been available on the underground market for almost a decade and is commonly used to spread other malware variants such as TrickBot.
SmokeLoader operators rely on social engineering tactics aimed at users who place orders online.
The infection process of SmokeLoader starts with a socially engineered phishing email that urges its targets to check a purchase order and review the shipping dates. These emails originate from a webmail address hosted by a high-end telecom firm in Taiwan and include an Excel document named Purchase Order FG-20220629.xlsx.
These documents carry exploits for the old vulnerabilities in an encrypted form. The attack chain also abuses DLL and EXE files to evade the email security systems of the targeted networks.
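A defender-side triage check for the lure described above, as an added example that is not part of the original article: it opens an OOXML spreadsheet and flags the two artefacts that exploit documents for CVE-2017-11882 (an embedded OLE object such as an Equation Editor stream) and CVE-2017-0199 (an OLE relationship pointing to an external target) depend on. The sample workbooks, the external URL and the function names are constructed for the example.

```python
import io
import re
import zipfile

# Header bytes of an OLE compound file (the container used for embedded objects).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.I)


def is_external_ole_rel(tag: str) -> bool:
    """True if a <Relationship> element is an OLE object with an external target."""
    low = tag.lower()
    return "/oleobject" in low and 'targetmode="external"' in low


def triage_xlsx(data: bytes) -> list[str]:
    """Return human-readable findings for an .xlsx given as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.startswith("xl/embeddings/"):
                # Embedded OLE objects are where Equation Editor payloads live.
                if zf.read(name).startswith(OLE_MAGIC):
                    findings.append(f"embedded OLE object: {name}")
            elif low.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                if any(is_external_ole_rel(t) for t in REL_TAG.findall(xml)):
                    findings.append(f"external OLE link in {name}")
    return findings


def build_sample(suspicious: bool) -> bytes:
    """Constructed minimal workbook; the suspicious variant carries both artefacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if suspicious:
            zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
            zf.writestr(
                "xl/worksheets/_rels/sheet1.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                'Target="http://example.invalid/placeholder" TargetMode="External" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/oleObject"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label in (False, True):
        print(label, triage_xlsx(build_sample(label)))
```

Either finding alone warrants pulling the attachment for sandbox detonation; a clean result only means these two specific artefacts are absent.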
SmokeLoader remains a popular payload for many threat actors since it can also spread other malware variants through previously known vulnerabilities. In addition, a recent sample dropped by SmokeLoader was a zgRAT trojan, and there were also reported incidents in which it distributed the Amadey malware.
According to researchers, SmokeLoader was also used in another attack that abused keygen sites and software cracks as bait for developers. Once the researchers accessed the software cracks, SmokeLoader was downloaded, which in turn led to the distribution of a new strain of Amadey malware.
SmokeLoader’s exploitation of previously known vulnerabilities shows that attackers can still abuse patched bugs. These details also show how malware developers rely on forgotten vulnerabilities that remain unpatched on many systems across the software landscape.
Lastly, the re-emergence of SmokeLoader shows that this malware dropper will remain a menace for an extended period.