SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer
Essential information
- Published: 03/12/2024 18:15
- Modified: 03/12/2024 22:57
- Tags: 2024-12-03, CVE-2017-0199, CVE-2017-11882, andeloader, credential-theft, microsoft office, modular malware, phishing, plugins, smokeloader, taiwan, vulnerabilities
- Related entities: 2 vulnerabilities (cve), 28 observables, 9 techniques (mitre), 2 malware, 4 others
Description
Threat actors are exploiting old Microsoft Office vulnerabilities to deliver SmokeLoader, a modular malware loader, and use it to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, using CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malicious payloads. SmokeLoader, typically used to deliver other malware, is in this campaign using its own plugins for credential theft. The attack begins with phishing emails carrying malicious attachments that exploit the MS Office flaws to download and execute the plugins. FortiGuard Labs has identified nine different plugins used to steal various types of credentials and sensitive data from browsers and email software.