Analysis: SmokeLoader malware distribution

April 1, 2025, 10:27 a.m.

Description

A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut downloads additional files, leading to the execution of PowerShell and Mshta to retrieve the Emmenhtal loader. This loader, disguised as a modified Windows utility, deploys SmokeLoader while maintaining a stealthy execution flow. SmokeLoader, a modular malware, can download additional payloads, steal credentials, and execute remote commands. The campaign demonstrates the evolving tactics of financially motivated threat actors, leveraging LOLBAS techniques and commercial protection tools for obfuscation.

Date

  • Created: March 31, 2025, 7:05 p.m.
  • Published: March 31, 2025, 7:05 p.m.
  • Modified: April 1, 2025, 10:27 a.m.

Attack Patterns

  • Emmenhtal
  • CryptBot
  • SmokeLoader
  • Lumma
  • T1564.004
  • T1218.005
  • T1059.001
  • T1057
  • T1071
  • T1027

Additional Information

  • Finance
  • Ukraine