Threat actors are using SmokeLoader, a well-known modular malware loader, to exploit years-old Microsoft Office vulnerabilities and steal browser and email credentials. The loader, which runs a framework for deploying multiple malware modules, was observed by Fortinet’s FortiGuard Labs in attacks targeting manufacturing, healthcare, and IT companies in Taiwan.

“SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data,” said researchers at FortiGuard.

Since discovering the campaign in September, FortiGuard Labs has blocked the malware and published antivirus signatures and intrusion prevention system (IPS) rules for protection, the researchers added.

According to the researchers, the campaign used two Microsoft Office flaws, both disclosed and patched in 2017, that allow remote code execution on targeted systems.

CVE-2017-0199 affects Microsoft Office and Windows and allows remote code execution through maliciously crafted RTF files, typically delivered as phishing attachments. Once such a file is opened, it can fetch an HTA payload from an attacker-controlled server and run it, compromising the system. With a CVSS score of 7.8, it poses a significant risk and requires nothing more of the victim than opening the document.

“Another vulnerability, CVE-2017-11882, in Microsoft Office’s Equation Editor allows remote code execution. Attackers exploit it by using malicious Office files to bypass memory protections and execute arbitrary code. Being a legacy feature, the Equation Editor is highly vulnerable and frequently targeted in attacks on unpatched systems,” the researchers noted.

In this campaign, CVE-2017-0199 was used to download and execute malicious payloads through crafted Office files, while CVE-2017-11882 was used to gain remote access through the flawed Equation Editor and pull down the loader’s plugins.
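The two bugs leave recognisable traces in the document itself: a CVE-2017-0199 lure carries an RTF OLE object marked to auto-update from a remote URL, and a CVE-2017-11882 lure embeds an object whose CLSID or ProgID names the Equation Editor. The following static triage script, an added example that is not FortiGuard's tooling or code from the article, flags those traits in RTF files and raw OLE blobs. The sample documents are constructed and hold only the indicator-bearing bytes (real `\objdata` streams carry a full OLE link structure); `example.test` is an RFC 2606 reserved name, not an observed C2.

```python
"""Static triage of Office lures for the CVE-2017-0199 and CVE-2017-11882 patterns.
Added example; samples below are constructed, not campaign IOCs."""
import re
import uuid
from dataclasses import dataclass, field

# CLSID of the Microsoft Equation Editor (EQNEDT32.EXE), the component fixed
# for CVE-2017-11882. Legitimate modern documents rarely embed it.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le  # on-disk (little-endian) GUID layout

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Control words that make Word refresh a linked OLE object when the file is
# opened, the behaviour CVE-2017-0199 lures rely on to fetch an HTA payload.
RTF_LINK_WORDS = (b"\\objautlink", b"\\objupdate")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>}\x00]+", re.IGNORECASE)
EQ_PROGID_RE = re.compile(r"Equation\.[23]")


@dataclass
class Triage:
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _strings(blob: bytes) -> list[str]:
    """ASCII and UTF-16LE (both byte offsets) views of a blob, so strings in
    either encoding can be searched with ordinary text regexes."""
    views = [blob.decode("latin-1")]
    for off in (0, 1):
        views.append(blob[off:].decode("utf-16-le", errors="ignore"))
    return views


def _rtf_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Decode every {\\*\\objdata ...} hex payload in an RTF file to raw bytes."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b([^}]*)", rtf):
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        hexdigits = hexdigits[: len(hexdigits) & ~1]  # drop a dangling nibble
        if hexdigits:
            blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def _scan_blob(blob: bytes, origin: str, out: Triage) -> None:
    """Look for the Equation Editor object and for remote object links."""
    if EQNEDT_CLSID_LE in blob:
        out.findings.append(f"{origin}: Equation Editor CLSID present (CVE-2017-11882 surface)")
    views = _strings(blob)
    if any(EQ_PROGID_RE.search(v) for v in views):
        out.findings.append(f"{origin}: Equation.x ProgID present (CVE-2017-11882 surface)")
    for url in sorted({u for v in views for u in URL_RE.findall(v)}):
        out.findings.append(f"{origin}: remote object link {url} (CVE-2017-0199 pattern)")


def triage(doc: bytes) -> Triage:
    """Dispatch on file magic: RTF text or a raw OLE2 compound file."""
    out = Triage()
    if doc.startswith(b"{\\rt"):
        for word in RTF_LINK_WORDS:
            if word in doc:
                out.findings.append(f"rtf: auto-updating link control word {word.decode()}")
        if re.search(rb"\\objclass\s+Equation\.[23]", doc):
            out.findings.append("rtf: \\objclass names the Equation Editor (CVE-2017-11882 surface)")
        for i, blob in enumerate(_rtf_objdata_blobs(doc)):
            _scan_blob(blob, f"objdata[{i}]", out)
    elif doc.startswith(OLE_MAGIC):
        _scan_blob(doc, "ole", out)
    return out


# Constructed samples (indicator bytes only, not real OLE stream layouts).
_LINK = "http://example.test/stage.hta".encode("utf-16-le")
SAMPLE_RTF_0199 = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata " + _LINK.hex().encode() + b"}}}"
)
SAMPLE_RTF_11882 = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + (EQNEDT_CLSID_LE + b"Equation.3\x00").hex().encode() + b"}}}"
)
SAMPLE_OLE_11882 = OLE_MAGIC + b"\x00" * 8 + EQNEDT_CLSID_LE + "Equation.3".encode("utf-16-le")
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached, see sheet 2.}"

if __name__ == "__main__":
    for name in ("SAMPLE_RTF_0199", "SAMPLE_RTF_11882", "SAMPLE_OLE_11882", "SAMPLE_BENIGN_RTF"):
        print(name, triage(globals()[name]).findings)
```

Treat this as a first pass rather than a verdict: in-the-wild RTF lures routinely split or obfuscate control words and pad the hex stream with junk to defeat exactly these string matches, so run a proper RTF/OLE parser such as oletools' `rtfobj` and `oleobj` on anything this flags, and on anything it does not flag but arrived with the phishing traits described below.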
Exploits were phished to the targeted systems
In a clumsy phishing attempt, several emails with haphazardly assembled yet persuasive content were sent to targeted users with malicious attachments carrying the exploits for the MS Office vulnerabilities, the researchers noted.

“While this email is persuasive, as it uses native words and phrases, these phishing emails are sent to multiple recipients with almost the same content,” they said. “Even the recipient’s name (the redaction in the file name) is not changed when sent to other companies.”

Furthermore, the variation in font and color between the email sign-off, telephone number, and the main body indicates that this text might have been sourced from a different location.

The email carries a Visual Basic Script (VBS) attachment that launches AndeLoader, another modular loader, which in turn executes SmokeLoader as the final payload.
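Two of the traits above are cheap to hunt for in mail-gateway logs: a script attachment, and an attachment filename that embeds one recipient's name yet is sent unchanged to recipients at several different organisations. The following detection, an added example rather than anything from the article or FortiGuard, groups gateway records by sender and attachment name and flags groups that span multiple recipient domains or carry a script extension. The log format and every address, filename and domain in the sample are constructed for the example.

```python
"""Mail-gateway hunt for a script lure sprayed across organisations with an
unchanged attachment name. Added example; log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Attachment types that execute as script on a Windows host when opened.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

# Assumed key=value gateway format; adapt the regex to the real product's log.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attach="(?P<attach>[^"]*)"$'
)

# Constructed sample: one sender sprays the same "Mr_Wang" VBS to three
# companies; two internal mails (one benign, one single-recipient VBS) for contrast.
SAMPLE_MAIL_LOG = """\
2024-09-03T08:12:04Z from=sales@supplier.example to=lin@alpha-mfg.example subject="Quotation" attach="Quotation_Mr_Wang.vbs"
2024-09-03T08:12:09Z from=sales@supplier.example to=chen@beta-health.example subject="Quotation" attach="Quotation_Mr_Wang.vbs"
2024-09-03T08:12:15Z from=sales@supplier.example to=wu@gamma-it.example subject="Quotation" attach="Quotation_Mr_Wang.vbs"
2024-09-03T09:40:31Z from=hr@alpha-mfg.example to=lin@alpha-mfg.example subject="Payroll" attach="payroll_sept.xlsx"
2024-09-03T10:02:47Z from=it@alpha-mfg.example to=chen@alpha-mfg.example subject="Fix" attach="fix_printer.vbs"
"""


@dataclass
class Alert:
    sender: str
    attachment: str
    recipient_domains: list[str]
    reasons: list[str]


def parse_log(text: str) -> list[dict]:
    """Parse gateway lines into dicts; silently skip lines that do not match."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def flag_campaigns(rows: list[dict], min_domains: int = 2) -> list[Alert]:
    """Group by (sender, attachment name) and flag script attachments and
    identical attachment names reaching >= min_domains recipient organisations."""
    groups: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in rows:
        domain = r["rcpt"].rsplit("@", 1)[-1].lower()
        groups[(r["sender"], r["attach"])].add(domain)

    alerts = []
    for (sender, attach), domains in groups.items():
        reasons = []
        if attach.lower().endswith(SCRIPT_EXTS):
            reasons.append("script attachment")
        if len(domains) >= min_domains:
            reasons.append(f"identical attachment name sent to {len(domains)} organisations")
        if reasons:
            alerts.append(Alert(sender, attach, sorted(domains), reasons))
    return alerts


if __name__ == "__main__":
    for alert in flag_campaigns(parse_log(SAMPLE_MAIL_LOG)):
        print(alert)
```

The two-reason hit (script type plus multi-organisation spray) is the one worth paging on; a lone internal VBS still deserves a look, but scoring it lower keeps the queue honest when an IT team genuinely mails scripts around.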
SmokeLoader used for credential theft
SmokeLoader, typically valued for a modular design that lets it deploy external malware, was used differently in this campaign.

“While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its C2 server,” the researchers said.

FortiGuard identified nine plugins with varied functionality in the campaign. Together they enable theft of Firefox and Thunderbird login credentials, FTP credentials, cookies, browser autofill data, and data from email software.

According to the researchers, relying on its own plugins instead of fetching a complete final-stage file shows SmokeLoader’s flexibility, and security analysts should watch for new iterations of well-known malware families like this one.

FortiGuard researchers shared a number of indicators of compromise (IOCs) for reference, consisting of the IP address, the phishing email, and the C2 domains.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3616195/smokeloader-picks-up-ancient-ms-office-bugs-to-pack-fresh-credential-stealer.html