SmokeLoader attack targets organizations in Taiwan

FlyD via Unsplash

Fortinet’s FortiGuard Labs released research detailing an observed attack deploying the SmokeLoader malware to target organizations in Tawian, particularly in sectors like manufacturing, healthcare and information technology. Casey Ellis, Founder and Advisor at Bugcrowd, remarks, “Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs). The use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world.”

SmokeLoader is an adaptable, modular malware that can be utilized for a variety of needs. While SmokeLoader is typically used as a downloader to deliver malware, the research shows that in this case, it is used to download plugins from its C2 server to carry out the attack itself. Microsoft Windows platforms are primarily affected by this attack campaign, in which information can be stolen and leveraged in a later attack.

John Bambenek, President at Bambenek Consulting, comments, “This particular campaign uses exploits in native Office from 2017 (as opposed to Office 365) and is a reminder that even though tools may be end-or-life’d by the software manufacturer, they may still remain in use and be exploited by attackers. Not everywhere in the world is it possible to have a three year technology refresh cycle. For organizations that have to use dated software, it becomes more important to have strong endpoint detection tools that can detect malware like SmokeLoader, or detects the exploitation behavior that leads the malware to be delivered in the first place.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, adds, “The SmokeLoader campaign targeting Taiwanese industries reflects a strategic focus on sectors critical to national infrastructure and economic stability. The use of modular malware like SmokeLoader, coupled with phishing vectors and exploitation of legacy Office vulnerabilities, highlights a calculated attempt to infiltrate supply chains and exfiltrate sensitive data for long-term strategic gains, potentially enabling follow-on attacks. This campaign underscores a trend of leveraging versatile malware for reconnaissance and persistence in high-value environments.”

Guenther offers the following recommendations for security teams:

“Threat hunting: Actively search for IOCs related to SmokeLoader in network logs and endpoints, focusing on unusual C2 communications and known hash values.
“Supply chain risk assessment: Ensure supply chain partners and vendors are adhering to robust cybersecurity practices to mitigate risks of lateral compromise.
“Incident readiness: Enhance response playbooks for modular malware incidents, including containment, forensic analysis, and communication protocols with impacted stakeholders.”

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.