A new cyber campaign has emerged, leveraging SmokeLoader, a modular malware, to distribute infostealers like CryptBot and Lumma. Threat actors are utilizing malicious 7z archive files in phishing emails to evade detection and deploy their malware through a sophisticated infection chain. By using the Emmenhtal Loader, attackers ensure fileless execution and advanced evasion techniques, making detection and mitigation more difficult.
This campaign highlights the increasing adaptability of cybercriminals, who are exploiting legitimate system utilities and Living Off the Land Binaries and Scripts (LOLBAS) techniques. The goal? To slip past traditional security measures while infecting unsuspecting victims.
Infection Chain Overview
The attack follows a multi-stage infection process:
1. Phishing Emails as the Entry Point
- Malicious emails contain deceptive 7z archive files named “Платiжна_iнструкция.7z” (translated as “Payment Instruction”).
- These archives include a bait PDF and a URL shortcut leading to further downloads.
2. Downloader Execution
- The shortcut fetches a malicious LNK file from a remote server.
- This LNK file acts as a disguised document but triggers PowerShell scripts upon execution.
3. Fileless Execution via LOLBAS
- PowerShell launches Mshta (Microsoft HTML Application), executing an HTA script hidden in a legitimate Windows utility (DCCW.exe).
- Attackers use these trusted system utilities to minimize detection by antivirus solutions.
4. SmokeLoader Deployment
- The Emmenhtal Loader, a stealthy intermediary, ensures malware deployment without raising suspicion.
- It embeds obfuscated JavaScript into legitimate executables, allowing SmokeLoader to be executed dynamically.
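The chain above leaves a recognisable process-creation pattern: Explorer launching a hidden-window PowerShell (the LNK stage), PowerShell spawning Mshta, and Mshta being handed a file that is not an HTA at all (the DCCW.exe polyglot). The detector below is an added example, not code from the original report or from any vendor; the simplified `key=value` event format and the file paths are constructed assumptions standing in for Sysmon-style process-creation logs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry), Sysmon-like key=value format.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -w hidden -File C:\Users\Public\stage.ps1"',
    r'ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Users\Public\dccw.exe"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Tools\report.hta"',
]

HTA_EXTENSIONS = (".hta", ".htm", ".html")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def mshta_target(cmdline: str) -> str:
    """First argument handed to mshta.exe (the file it will interpret as HTML)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]
    return tokens[1] if len(tokens) > 1 else ""


def detect(event: Dict[str, str]) -> List[str]:
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    if image == "mshta.exe":
        target = mshta_target(cmd)
        # Mshta interpreting a non-HTA file points at a script appended to another binary.
        if target and not target.lower().endswith(HTA_EXTENSIONS):
            alerts.append(f"mshta.exe executing a non-HTA file: {target}")
        if parent == "powershell.exe":
            alerts.append("mshta.exe spawned by PowerShell")
    # Hidden-window PowerShell started from Explorer is the footprint of a double-clicked LNK.
    if image == "powershell.exe" and parent == "explorer.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        alerts.append("hidden-window PowerShell launched from Explorer (LNK-style)")
    return alerts


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, alert) pairs for every suspicious event."""
    return [(i, a) for i, line in enumerate(lines) for a in detect(parse_event(line))]
```

The benign Notepad and `report.hta` events produce nothing, while the two chain stages raise three alerts between them; the parent-child rule is the one least likely to be dodged by renaming the polyglot file.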
SmokeLoader’s Capabilities
Once deployed, SmokeLoader acts as a powerful malware loader, enabling further malicious activity:
- Downloads & Executes Additional Malware: Infostealers like CryptBot and Lumma are installed.
- Credential Theft: Sensitive information is extracted from browsers and system memory.
- Process Injection: The malware hides within legitimate processes to evade detection.
- Remote Command Execution: It connects to command-and-control (C2) servers for further instructions.
- Anti-Analysis Techniques: Obfuscation and sandbox evasion prevent researchers from dissecting its behavior.
The combination of Emmenhtal Loader’s stealthy execution and SmokeLoader’s modular design makes this campaign particularly dangerous. By leveraging LOLBAS tactics, attackers are making traditional security tools ineffective.
What Undercode Says:
This campaign reflects a broader trend in cybercrime—threat actors are adopting stealthier techniques to bypass security solutions. Here’s a deeper analysis of why this attack is significant:
1. The Growing Use of Fileless Malware
Traditional antivirus solutions rely on detecting known malicious files. However, fileless malware like this campaign’s PowerShell and HTA-based execution leaves no obvious files behind. This trend forces organizations to adopt behavior-based detection rather than relying solely on signature-based solutions.
2. The Role of LOLBAS in Malware Distribution
The abuse of legitimate Windows utilities (such as Mshta and DCCW.exe) is a key part of this attack. These utilities are signed by Microsoft, making them less likely to be flagged by security software. This method significantly reduces the chance of detection.
3. Adaptability in Delivery Tactics
The attackers’ use of 7z archive files as a delivery method is particularly noteworthy. While 7z files have been linked to zero-day vulnerabilities in the past, this campaign doesn’t exploit any new ones. Instead, the use of archives helps evade detection by security filters that might block traditional executable attachments.
4. SmokeLoader’s Evolution
SmokeLoader has been in use for years, but its modular design allows cybercriminals to update and modify its functionality over time. The ability to download and execute new payloads on demand makes it an adaptable and long-term threat.
5. The Malware-as-a-Service (MaaS) Economy
The rise of MaaS platforms enables even low-skilled attackers to deploy sophisticated malware. This campaign exemplifies how cybercriminals can purchase and use pre-built tools rather than developing their own from scratch. This lowers the entry barrier for cybercrime.
6. Preventing Such Attacks
Given the advanced techniques used, organizations must strengthen their defenses:
- Endpoint Detection & Response (EDR/XDR): Helps detect fileless malware behavior.
- Zero-Trust Security Models: Ensures strict access controls and network segmentation.
- Employee Awareness Training: Educating users on phishing risks can prevent initial infections.
- Network Traffic Monitoring: Detects unusual outbound connections to potential C2 servers.
This campaign is a stark reminder that cyber threats continue to evolve. Security teams must move beyond traditional defenses and adopt more proactive cybersecurity measures to stay ahead of attackers.
Fact Checker Results:
- Legitimate Windows Tools Are Being Abused: The campaign exploits Mshta and DCCW.exe, which are official Windows utilities. This makes detection challenging.
- No Zero-Day Exploit Was Used: While 7z files were previously linked to zero-day vulnerabilities, this attack does not rely on any newly discovered exploits.
- The Attack Chain Is Multi-Layered: The infection progresses through multiple stages, each designed to maintain stealth and persistence, making it harder to detect and stop.
References:
Reported By: https://cyberpress.org/smokeloader-spreads-infostealers/