Cisco Security Experts Describe New Attack Vector for Old Malware

Security experts from Cisco’s Talos Comprehensive Threat Intelligence labs are warning about a new attack vector being exploited by a fairly old piece of malware. Smoke Loader, a notorious malware package that was among the first to use the PROPagate technique to inject code into processes, has apparently been targeting Microsoft Windows machines for several months.

PROPagate was originally discovered in October 2017, so it represents a fairly new way to target Windows installations. Smoke Loader, however, has been around since at least 2011. The current version has evolved considerably, and some of the recent outbreaks have resulted from fake patches that claimed to fix the Meltdown and Spectre vulnerabilities.

Smoke Loader itself is usually used by an attacker to download further malware. It generally relies on malicious Office documents attached to email as its method of gaining control of systems.

Opening the attachment on an insecure system can drop and then execute additional malware. Some of the worst cases in June involved ransomware; heading into the second week of July, however, it now appears more common for the compromised machine’s CPU to be put to work running cryptomining code.

Cisco experts found emails titled “Your Sage subscription invoice is due”, a subject line most likely chosen to get recipients to open them in the belief that they relate to a popular business accounting application many companies deploy.

Linux security experts do not appear to have any reports of these attachments compromising Unix boxes, including those running the Wine application compatibility layer. This could be because the attachment usually wouldn’t open in Word even on these machines, though GNU/Linux users are still encouraged to exercise caution when opening attachments like this.

Sage, like other software-as-a-service subscription providers, usually wouldn’t send a Word file as an attachment anyway, which should raise red flags for those who receive these emails. macOS users also do not appear to have reported any problems as of yet, nor have users of any Unix-based mobile operating systems.

Because some security researchers refer to Smoke Loader as Dofoil, there is some confusion at the time of this writing over which piece of malware is actually responsible for executing the arbitrary code. Nevertheless, these do seem to be merely different names for the same infection.

Kamil Anwar

A former British Computer Society member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers, and an old-school IRC user still active on FreeNode.