Attackers are targeting financial departments with SmokeLoader malware

Financially motivated hackers have been leveraging SmokeLoader malware in a series of phishing campaigns predominantly targeting Ukrainian government and administration organizations.


The phishing campaign

The Ukrainian SSSCIP State Cyber Protection Center (SCPC), together with the Palo Alto Networks Unit 42 research team, has been tracking a massive phishing campaign linked to the distribution of the SmokeLoader malware.

The researchers specifically analyzed 23 phishing campaigns between May and November 2023. During these short but massive and recurrent campaigns, the attackers used spearphishing emails to target the financial departments of organizations in the government and administration, defense, telecommunications, retail and finance sectors.

They leveraged previously compromised email addresses, taking advantage of the trust associated with corporate accounts. Email subjects were all related to payment and billing, and the emails included legitimate financial documents stolen from previous breaches.

Despite the attackers’ efforts to make the emails look authentic, the text in the email subject and body often contained spelling errors and mixed Ukrainian and Russian words.

To trick users into opening a seemingly harmless document, the attackers leveraged double file extensions: an attachment name that appears to end in a document extension but actually ends in an executable one, so that a mail client that hides or truncates the final extension shows the user only the decoy.

They also exploited legitimate Windows utilities to deceive users, maintain persistence, collect information, and move laterally within the network.

By using polyglot files (files whose bytes are valid as more than one format), they were able to bypass traditional email protections: a scanner that parses the attachment as one format does not see the payload that another parser would execute.
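The two lures above, double extensions and polyglots, can both be caught at the mail gateway with a small triage check. The script below is an added example written for this page, not code from SCPC, Unit 42 or any vendor. The extension lists, the header mapping and the signature heuristics are the author's assumptions, and every sample attachment is constructed inline (the names are invented, not samples from the campaign). Polyglot detection validates a PE image through its e_lfanew pointer rather than matching bare "MZ" bytes, and looks for an appended ZIP via its end-of-central-directory record, the same way an unzip tool finds it.

```python
"""Attachment triage for double file extensions and polyglot files.
Added example, not code from SCPC, Unit 42 or any vendor. Signatures, extension
lists and thresholds are the author's assumptions; sample files are constructed."""
import os
import re

# Extensions Windows will execute; a "document" whose name really ends in one
# is the classic invoice.pdf.exe lure.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1", ".msi", ".dll"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
# Format a given extension should carry in its header (assumed mapping).
EXPECTED_HEADER = {".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".dll": "pe",
                   ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
                   ".doc": "ole", ".xls": "ole", ".rtf": "rtf"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def double_extension(filename):
    """Return (decoy_ext, real_ext) for names like 'invoice.pdf.exe', else None.
    Whitespace and Unicode bidi/zero-width controls are stripped first, since
    they are used to push the real extension off-screen in mail clients."""
    name = re.sub(r"[\s\u200b-\u200f\u202a-\u202e\u2066-\u2069]+", "", filename.lower())
    root, real_ext = os.path.splitext(name)
    decoy_ext = os.path.splitext(root)[1]
    if real_ext in EXECUTABLE_EXT and decoy_ext in DOCUMENT_EXT:
        return decoy_ext, real_ext
    return None


def find_pe(data):
    """Offsets of every valid PE image in data: an 'MZ' stub whose e_lfanew
    field (at +0x3c) points at a 'PE\\0\\0' signature. Checking e_lfanew
    avoids flagging the two bytes 'MZ' wherever they occur by chance."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3c:pos + 0x40], "little")
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def detect_formats(data):
    """Map each format the bytes parse as -> offset of its signature.
    More than one entry means the file is a polyglot candidate."""
    found = {}
    # PDF readers accept the header anywhere in the first 1 KiB, which is
    # exactly the slack that PDF polyglots exploit.
    idx = data.find(b"%PDF-", 0, 1024)
    if idx != -1:
        found["pdf"] = idx
    pes = find_pe(data)
    if pes:
        found["pe"] = pes[0]
    if data.startswith(b"PK\x03\x04"):
        found["zip"] = 0
    else:
        # A ZIP appended to another file is located from the end, via its
        # end-of-central-directory record, just as unzip tools do.
        eocd = data.rfind(b"PK\x05\x06")
        if eocd != -1:
            found["zip"] = eocd
    if data.startswith(OLE_MAGIC):
        found["ole"] = 0
    if data.startswith(b"{\\rtf"):
        found["rtf"] = 0
    return found


def triage(filename, data):
    """Return a list of findings for one attachment (empty means nothing odd)."""
    findings = []
    dbl = double_extension(filename)
    if dbl:
        findings.append(f"double extension: shown as {dbl[0]}, runs as {dbl[1]}")
    fmts = detect_formats(data)
    ext = os.path.splitext(filename.lower())[1]
    header = next((f for f, off in fmts.items() if off == 0), None)
    if ext in EXPECTED_HEADER and header and EXPECTED_HEADER[ext] != header:
        findings.append(f"extension {ext} but file header is {header}")
    if len(fmts) > 1:
        findings.append("polyglot: parses as " + "+".join(sorted(fmts)))
    return findings


def sample_attachments():
    """Constructed demo inputs (invented names, not samples from the campaign)."""
    # Smallest thing find_pe() accepts: MZ stub, e_lfanew=0x40, PE signature.
    tiny_pe = b"MZ" + b"\0" * 0x3a + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
    return {
        "Rahunok_11-2023.pdf                .exe": tiny_pe,                           # double extension
        "invoice.pdf": b"%PDF-1.7\n%fake\n" + tiny_pe + b"PK\x05\x06" + b"\0" * 18,  # PDF/PE/ZIP polyglot
        "act.pdf": tiny_pe,                                                          # renamed executable
        "zvit.docx": b"PK\x03\x04" + b"\0" * 30,                                      # clean
    }


def run_demo():
    return {name: triage(name, data) for name, data in sample_attachments().items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name!r}: {findings or ['clean']}")
```

The checks are heuristics, not parsers: an installer with a ZIP overlay or a PDF carrying an embedded archive will also trip the polyglot rule, so treat a hit as a reason to detonate the file in a sandbox rather than as a verdict.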

Finally, attackers were seen leveraging old SmokeLoader versions, mostly from 2022.

“Taking into account the periodicity of the analysed attacks with the usage of SmokeLoader over the past 7 months, it can be concluded that at this point it is unlikely that similar phishing campaigns will be organised with a frequency less than at least twice a month (based on the value of the calculated average number (median) of organised campaigns per month),” the researchers noted.

The SmokeLoader malware

SmokeLoader has been around since 2011 and has since then been advertised on several cybercrime forums.

It’s a malware that functions as a backdoor and is commonly used to download and install other malware on victims’ devices.

Once it gains access to the targeted system, it can extract important system information, such as system details or location data.

It has been updated and modified over the years to follow technological advances and evolve its detection evasion techniques, such as “sandbox detection, obfuscated code using opaque predicates, encrypted function blocks, anti-debugging, anti-hooking, anti-vm, and custom imports.”

ESET researchers have also noticed a spike of SmokeLoader detections in Ukraine in the second half of 2023, and have noted attackers’ use of AceCryptor (a cryptor-as-a-service) to evade detection of the malware.

“The craftiness of SmokeLoader lies in its selective communication [with command and control (C2) domains]. Many of these domains remain intentionally inaccessible, acting as digital decoys to divert attention and complicate detection efforts,” a report from the National Security and Defense Council of Ukraine noted.
