SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Dec. 3, 2024, 10:57 p.m.

Description

Threat actors are exploiting two old Microsoft Office vulnerabilities to deliver SmokeLoader, a modular malware loader, and are using its plugins to steal browser and email credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan. It starts with phishing emails carrying malicious attachments that exploit CVE-2017-0199 (Office OLE2Link remote code execution) and CVE-2017-11882 (Equation Editor, EQNEDT32.EXE, memory corruption) to gain code execution when the document is opened and download further payloads. SmokeLoader is normally a first stage that fetches other malware families; in this campaign it instead loads its own plugins for credential theft. FortiGuard Labs identified nine distinct plugins that harvest credentials and other sensitive data from browsers and email clients. Both vulnerabilities were patched by Microsoft in 2017, so the chain only works on hosts with unpatched Office installations; the SHA-256 hashes and IP addresses below can be used for retrospective hunting.

Date

  • Created: Dec. 3, 2024, 6:15 p.m.
  • Published: Dec. 3, 2024, 6:15 p.m.
  • Modified: Dec. 3, 2024, 10:57 p.m.

Indicators

  • fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6
  • f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
  • fb6ef14ac4cebf87f937f15553575f0f62ac62df917b490f602025a0985addd1
  • f4b16c3f8bff445fdcd9d7edb5883d20d7663c3744e137439fa961736d0a9471
  • eb8381b156aad734ef3a0328b4985ed1edeca1c8d79d66e094598f8c6992ac71
  • ea3b07a2356a7bfb92144f621ba551677a138c31d684072d69a4d37c1a378bb3
  • e3e7a3d0ba55b8dbbe3633b1dad0a3bbf4eada72dd8df3f7b1bc76a692862f23
  • e29c269a4c3ee4bbd673bfe0d24ca7d131d9221607e26a60989e81d8ffc17095
  • cfe7f6c1c0560bd56cd2df856d459b7fe7fd63b2f635c35151f61d4d04ce4162
  • cb92d320fc9bc674e8d37ceeebf0363f8e96dd67ef4ef543b3348f96ef567e5f
  • bdb897e6a8bfc21302ae1ac254b1b2e779684fe75b2b824cb24c80c775898940
  • a4ec792538455fb56f0b89ae10ddd0b2504afba092ba5cfa2083cf61b5fac0ef
  • ad657479d9f6322daba65638523d65631ff83ba5a717261acb5a53fd48e52209
  • a334ba0d8ac0676d09e41aa273589ee27338c44a09109a4d5defa45f1d9bd82b
  • 9dea895b5b1c03caa2b838b8def4e082392851325794c3bd2eb5ca7372d8e09c
  • 8dc06fdc2897d7c3438105ea0a39d2074774f80e051007fe7799b8195580ad2f
  • 858d26e697bc60b642e5d92922b625f58532fc06f028962d8add5fa497981f33
  • 7f9909677c290b98541be176251eca34b9f3d36555669a2639130adb97ca6958
  • 7ab20d40431b990a9a44e96dc53519f0af72eaf56c4b20f8995f95a48039bf67
  • 5dc92a6ed1ef2a5d9cf2a112532ad2c9fd70bff727e4cb60cd5d9c4966f2f77f
  • 392d201120936c1f0e77bdb4b490f2825c1e6f584f18055c742b36250f89566b
  • 3e523ed80dbb592b1ff8c3345c3cd231ddd5a06e1af4c7b7d1f7f81249d0c4a3
  • 35e55053bed6b3c1027a3e7c140e67303e01e8fcbf42abac27b8e9df2a090ee3
  • 1a1c8cdac1c3cbae5f1140e850ee06b414259876dab97152669f7c0f93469b13
  • 00874ab2a91433dfbfdc9ee6ade6173f3280737fc81505504ace11273f640610
  • 91.183.104.24
  • 77.232.41.29
  • 185.228.234.237

Attack Patterns

Additional Information

  • Technology
  • Healthcare
  • Manufacturing
  • Taiwan

Linked vulnerabilities