SmokeLoader Malware Detection: Notorious Loader Reemerges to Target Companies in Taiwan

The nefarious SmokeLoader malware resurfaces in the cyber threat arena targeting Taiwanese companies in multiple industry sectors, including manufacturing, healthcare, and IT. Typically used as a downloader for deploying other malicious samples, in the latest attack campaign, SmokeLoader executes the attack directly by retrieving plugins from its C2 server.

Detect SmokeLoader Malware

Almost 100 million new malicious strains were detected solely in 2024, highlighting the constantly growing threat landscape. To outscale existing and emerging threats, security professionals can rely on SOC Prime Platform for collective cyber defense offering the world’s largest library of detection algorithms backed by innovative solutions for advanced threat detection, automated threat hunting, and AI-powered detection engineering. 

To access a dedicated Sigma rules stack addressing the latest SmokeLoader attacks targeting Taiwanese organizations, click the Explore Detections button below. All the detections are aligned with MITRE ATT&CK® and provide in-depth cyber threat context for streamlined threat research, including CTI and other relevant metadata. Security engineers can also convert the detection code into 30+ SIEM, EDR, and Data Lake formats that match their security needs.

Explore Detections

Additionally, cyber defenders might dive into tactics, techniques, and procedures (TTPs) associated with the SmokeLoader attacks by exploring relevant detection rules accessible in the Threat Detection Marketplace by “AndeLoader,” “SmokeLoader” tags.

Security engineers can also leverage Uncoder AI to streamline the IOC packaging and retrospective analysis of adversaries’ TTPs seen in SmokeLoader attacks. Instantly convert IOCs from the corresponding research by Fortinet into tailored queries compatible with various SIEM, EDR, and Data Lake languages.

SmokeLoader Attack Analysis

FortiGuard Labs researchers recently uncovered a novel adversary campaign against Taiwanese organizations leveraging SmokeLoader malware. SmokeLoader, which emerged in the cyber threat landscape in 2011, has been notorious for its adaptability and sophisticated detection evasion capabilities. The malware is also noteworthy for its modular architecture, which enables it to execute various attacks. Typically functioning as a downloader for other malicious samples, in the latest offensive campaign distributing the SmokeLoader malware, the latter takes a more active role by launching the attack itself and fetching plugins from its C2 server.

The notorious loader belongs to the adversary toolkit of the financially motivated UAC-0006 group, which has been largely leveraged in multiple phishing campaigns against Ukraine throughout 2023-2024. 

The infection flow in the latest campaign against Taiwan starts with a phishing email delivering a Microsoft Excel attachment. When opened, the attachment weaponizes known vulnerabilities in Microsoft Office, such as CVE-2017-0199 and CVE-2017-11882, to install a malware loader known as Ande Loader, which subsequently deploys SmokeLoader on the affected systems. 

SmokeLoader comprises two key components: a stager and a main module. The stager’s role is to decrypt, decompress, and inject the main module into the explorer.exe process. The main module then takes over, ensuring persistence, establishing communication with the C2 infrastructure, and executing commands. In the recently observed campaign, the malware utilizes various plugins capable of extracting login credentials, FTP information, email addresses, cookies, and other sensitive data from applications such as web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.

SmokeLoader’s high adaptability underscores the need for defenders to remain vigilant, even when dealing with well-known malware. To address these challenges, SOC Prime offers a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, helping security teams proactively thwart cyber attacks of any scale and sophistication.