Smoke Loader malware

The Smoke Loader malware downloader has recently resurfaced and has now been found in a chain with a document containing malicious macros and the Trickbot trojan.

According to a blog post by Cylance, its investigations uncovered two other samples of malware working with Smoke Loader: a document packed with malicious macros, and Trickbot, a banking Trojan.

Cylance said that the initial step of the attack relies on a user opening a document loaded with malicious macros and enabling them. Once that succeeds, the attack enters phase two, in which Smoke Loader is downloaded and executed. Smoke Loader then downloads and executes the Trickbot banking Trojan.

The attack begins with an attachment posing as an invoice from a legitimate private company. When the file is opened, the reader is presented with an embedded image resembling an invoice and a warning alert.

Smoke Loader is primarily used to download other malware, and in Cylance's tests it downloaded the banking Trojan Trickbot. Cylance found that while Smoke Loader and Trickbot perform separate functions, both files shared the same structure.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Smoke Loader malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-12448

Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser’s address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name.

Source: Naver

How do you protect yourself?

Update Whale Browser to 1.3.48.4.

AZORult info stealer/downloader

Cybercriminals began using a significantly updated version of the AZORult information stealer and downloader in an email phishing campaign just one day after the upgrade materialized on dark web underground forums on July 17.

The new model, version 3.2, is attempting to spread Hermes ransomware version 2.1 in the wild while also exfiltrating victim data and credentials. Moreover, the malware boasts improved stealing and loading capabilities, as well as support for various cryptocurrency wallets.

Such functionalities include the ability to “steal histories from non-Microsoft browsers; a conditional loader that checks certain parameters [including cookies and cryptocurrency wallets] before running the full malware; support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets; the ability to use system proxies; and a few administrative tweaks, like location awareness and the ability to more easily delete spy reports that don’t have useful information,” Proofpoint reported in a blog post.

For the campaign to succeed, the potential victim must perform two tasks: open the password-protected document using the provided credentials, and enable embedded macros, which download AZORult 3.2.

Source: SC Media

How do you protect yourself?

Proper security measures must be in place to defend against AZORult and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.