SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer
Dec. 3, 2024, 10:57 p.m.
Tags
External References
Description
Threat actors are exploiting two old Microsoft Office vulnerabilities to deliver SmokeLoader, a modular malware loader, and use it to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan. It abuses CVE-2017-0199 (an OLE link that makes Office fetch a remote object on open and hand it to the HTA handler) and CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor, EQNEDT32.EXE) to execute code and deploy the payload; both bugs were patched in 2017, so a current Office patch level removes the initial vector. SmokeLoader is normally used to drop other malware; in this campaign it loads its own plugins to perform the credential theft. The attack starts with phishing emails carrying malicious attachments; opening one triggers the Office flaw, which downloads and executes the loader and its plugins. FortiGuard Labs identified nine different plugins used to steal credentials and other sensitive data from browsers and email clients.
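The delivery chain above rests on two document-level tricks that are easy to spot statically: an OLE relationship whose target is external (the CVE-2017-0199 pattern, resolved when the file opens) and an Equation.3 object (the Equation Editor that CVE-2017-11882 lives in). The script below is an added triage example, not FortiGuard's tooling or anything from the report: it hashes a file against a few of the SHA-256 indicators listed on this page, then applies those two structural heuristics to OOXML and RTF attachments. The sample documents are constructed inline for the demonstration (the URL example.invalid is a placeholder, and the RTF is a minimal stub, not an exploit), and the checks are heuristics that should be tuned against a corpus of legitimate files before use in a mail gateway.

```python
"""Static triage for Office attachments: IOC hash match plus two structural
heuristics (external OLE link, Equation.3 object). Added example; samples
below are constructed test inputs, not real malware."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Three of the SHA-256 indicators published with this report; paste in the rest as needed.
IOC_SHA256 = {
    "fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6",
    "f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6",
    "fb6ef14ac4cebf87f937f15553575f0f62ac62df917b490f602025a0985addd1",
}

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# RTF control words: \objupdate forces a linked object to refresh when the document
# opens (the CVE-2017-0199 delivery trick); \objclass Equation.3 names the
# Equation Editor object that CVE-2017-11882 targets.
RTF_OBJUPDATE = re.compile(rb"\\objupdate\b")
RTF_EQUATION = re.compile(rb"\\objclass\s*Equation\.3\b")


def sha256_hit(blob: bytes) -> bool:
    """True when the file hash matches a published indicator."""
    return hashlib.sha256(blob).hexdigest() in IOC_SHA256


def scan_ooxml(blob: bytes) -> list:
    """Walk a .docx/.xlsx zip container and flag the two exploit patterns."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                # An oleObject relationship with an external target is an OLE link
                # that Office resolves (and may execute) when the document opens.
                for rel in ET.fromstring(data).iter(f"{{{PKG_NS}}}Relationship"):
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                        findings.append(
                            f"{name}: external OLE link to {rel.get('Target')} [CVE-2017-0199 pattern]")
            elif name.endswith(".xml") and b'ProgID="Equation.3"' in data:
                findings.append(f"{name}: Equation.3 OLE object [CVE-2017-11882 pattern]")
    return findings


def scan_rtf(blob: bytes) -> list:
    """Cheap control-word checks on an RTF body."""
    findings = []
    if RTF_OBJUPDATE.search(blob):
        findings.append("rtf: \\objupdate on embedded object [CVE-2017-0199 pattern]")
    if RTF_EQUATION.search(blob):
        findings.append("rtf: Equation.3 object [CVE-2017-11882 pattern]")
    return findings


def triage(blob: bytes) -> list:
    """Hash match first, then the format-specific structural checks."""
    findings = ["sha256 matches a published indicator"] if sha256_hit(blob) else []
    if blob.startswith(b"PK\x03\x04"):
        findings += scan_ooxml(blob)
    elif blob.startswith(b"{\\rtf"):
        findings += scan_rtf(blob)
    return findings


def make_docx(rels_body: str, document_xml: str) -> bytes:
    """Build a minimal constructed .docx in memory (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels",
                    f'<Relationships xmlns="{PKG_NS}">{rels_body}</Relationships>')
    return buf.getvalue()


# Constructed samples: an external OLE link, an Equation.3 object, a benign file,
# and an RTF stub carrying both markers.
DOCX_0199 = make_docx(
    f'<Relationship Id="rId5" Type="{OLE_REL}" Target="http://example.invalid/t.hta" TargetMode="External"/>',
    "<w:document/>")
DOCX_11882 = make_docx(
    f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>',
    '<w:document><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:document>')
DOCX_BENIGN = make_docx('<Relationship Id="rId1" Type="styles" Target="styles.xml"/>', "<w:document/>")
RTF_BAD = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 00}}{\\object\\objemb{\\*\\objclass Equation.3}}}"

if __name__ == "__main__":
    for label, sample in [("docx-0199", DOCX_0199), ("docx-11882", DOCX_11882),
                          ("docx-benign", DOCX_BENIGN), ("rtf", RTF_BAD)]:
        print(label, triage(sample))
```

The hash check is the only exact match here; the two structural checks will also fire on legitimate documents that embed linked objects or old equations, so treat them as triage signals that route an attachment to sandboxing rather than as a verdict. Fully patched Office installs are not exploitable by either CVE, which is the cheaper control.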
Date
Published: Dec. 3, 2024, 6:15 p.m.
Created: Dec. 3, 2024, 6:15 p.m.
Modified: Dec. 3, 2024, 10:57 p.m.
Indicators
fbe226dd0130c3c0c4db9d125cd25eca3c8e310dae8127d15c8be18041d41cd6
f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
fb6ef14ac4cebf87f937f15553575f0f62ac62df917b490f602025a0985addd1
f4b16c3f8bff445fdcd9d7edb5883d20d7663c3744e137439fa961736d0a9471
eb8381b156aad734ef3a0328b4985ed1edeca1c8d79d66e094598f8c6992ac71
ea3b07a2356a7bfb92144f621ba551677a138c31d684072d69a4d37c1a378bb3
e3e7a3d0ba55b8dbbe3633b1dad0a3bbf4eada72dd8df3f7b1bc76a692862f23
e29c269a4c3ee4bbd673bfe0d24ca7d131d9221607e26a60989e81d8ffc17095
cfe7f6c1c0560bd56cd2df856d459b7fe7fd63b2f635c35151f61d4d04ce4162
cb92d320fc9bc674e8d37ceeebf0363f8e96dd67ef4ef543b3348f96ef567e5f
bdb897e6a8bfc21302ae1ac254b1b2e779684fe75b2b824cb24c80c775898940
a4ec792538455fb56f0b89ae10ddd0b2504afba092ba5cfa2083cf61b5fac0ef
ad657479d9f6322daba65638523d65631ff83ba5a717261acb5a53fd48e52209
a334ba0d8ac0676d09e41aa273589ee27338c44a09109a4d5defa45f1d9bd82b
9dea895b5b1c03caa2b838b8def4e082392851325794c3bd2eb5ca7372d8e09c
8dc06fdc2897d7c3438105ea0a39d2074774f80e051007fe7799b8195580ad2f
858d26e697bc60b642e5d92922b625f58532fc06f028962d8add5fa497981f33
7f9909677c290b98541be176251eca34b9f3d36555669a2639130adb97ca6958
7ab20d40431b990a9a44e96dc53519f0af72eaf56c4b20f8995f95a48039bf67
5dc92a6ed1ef2a5d9cf2a112532ad2c9fd70bff727e4cb60cd5d9c4966f2f77f
392d201120936c1f0e77bdb4b490f2825c1e6f584f18055c742b36250f89566b
3e523ed80dbb592b1ff8c3345c3cd231ddd5a06e1af4c7b7d1f7f81249d0c4a3
35e55053bed6b3c1027a3e7c140e67303e01e8fcbf42abac27b8e9df2a090ee3
1a1c8cdac1c3cbae5f1140e850ee06b414259876dab97152669f7c0f93469b13
00874ab2a91433dfbfdc9ee6ade6173f3280737fc81505504ace11273f640610
91.183.104.24
77.232.41.29
185.228.234.237
Attack Patterns
AndeLoader
Smokeloader
T1193 (deprecated in ATT&CK; superseded by T1566.001, Spearphishing Attachment)
T1059.005
T1114
T1056.001
T1555
T1204.002
T1547
T1055
T1566
CVE-2017-11882
CVE-2017-0199
Additional Information
Technology
Healthcare
Manufacturing
Taiwan