New Smoke Loader Attack Targets Multiple Credentials

Discussion in '0-day Release' started by silversurfer, Jul 5, 2018.

  1. silversurfer

    silversurfer Malware Tester Silver Member

    A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

    The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

    Once executed, the macro initiates a second stage and downloads the TrickBot malware, which in turn fetches the Smoke Loader backdoor, Cisco Talos reports.

    Smoke Loader has long been used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some previous campaigns it was also used as a dropper for TrickBot, but it appears the tables have turned now.

    “Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

    Full Article: