A recent malware campaign has been observed targeting the First Ukrainian International Bank (PUMB), utilizing a stealthy malware loader, Emmenhtal, in conjunction with the SmokeLoader malware.
This campaign demonstrates advanced tactics by financially motivated threat actors to distribute infostealers like CryptBot and Lumma Stealer.
The attack chain begins with weaponized 7z archives and culminates in the deployment of SmokeLoader, a modular malware known for its dynamic payload delivery capabilities.
The infection process involves a five-stage chain, starting with an email containing a malicious 7z archive named “Платiжна_iнструкция.7z” (translated as “Payment Instruction”).
The archive includes two files: a bait PDF mimicking legitimate banking documents and a URL shortcut that downloads additional payloads.
This approach capitalizes on social engineering to lure victims into executing the files.
Once the archive is extracted, the infection chain progresses through several stages.
The URL shortcut file retrieves a malicious LNK file from a remote server, which triggers PowerShell to execute obfuscated commands.
These commands utilize Mshta (Microsoft HTML Application) to run an embedded HTA script, leveraging legitimate Windows utilities in a technique known as Living-Off-the-Land Binaries and Scripts (LOLBAS).
This minimizes detection by security tools and enables fileless execution.
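The PowerShell-to-Mshta hop in this chain is exactly the kind of parent/child relationship that endpoint telemetry can expose. The following detection sketch is an added example and is not code from the report or its authors: it runs simple rules over a handful of constructed process-creation events in a hypothetical JSON shape (`pid`, `ppid`, `image`, `cmdline`; not any product's real schema) and flags the PowerShell flags and Mshta usage mapped to T1059.001 and T1218.005. The sample events, including the Temp path and the `DCCW.exe` argument, are constructed to mirror the described stages.

```python
"""Detection sketch for the PowerShell -> mshta (LOLBAS) stage of the chain.

Added example, not from the original report. Event shape is a constructed
simplification (pid, ppid, image, cmdline), not a specific vendor schema.
"""
import re

# Constructed sample events (not real telemetry). pid 200/300 mimic the
# described stage; 400/500 are benign look-alikes the rules should ignore.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\DCCW.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\tool.hta"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": "app.exe"},
]

# Flags commonly seen on obfuscated PowerShell stagers (T1059.001).
POWERSHELL_SUSPICIOUS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass)"
)


def basename(path):
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_target(cmdline):
    """Return the first argument passed to mshta (the script it will run)."""
    parts = cmdline.split(None, 1)
    return parts[1].strip('"') if len(parts) > 1 else ""


def ancestry(by_pid, pid, limit=10):
    """Walk the parent chain from pid upward, returning image basenames."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Apply the rules to a list of events; return one finding per hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name == "powershell.exe" and POWERSHELL_SUSPICIOUS.search(e["cmdline"]):
            findings.append({"pid": e["pid"], "technique": "T1059.001",
                             "reason": "powershell with hidden/bypass/encoded flags",
                             "chain": ancestry(by_pid, e["pid"])})
        if name == "mshta.exe":
            if parent_name == "powershell.exe":
                findings.append({"pid": e["pid"], "technique": "T1218.005",
                                 "reason": "mshta spawned by powershell",
                                 "chain": ancestry(by_pid, e["pid"])})
            target = mshta_target(e["cmdline"]).lower()
            # mshta happily runs HTA content from files with any extension;
            # a non-.hta target (here a renamed binary) is worth a look.
            if target and not target.endswith(".hta"):
                findings.append({"pid": e["pid"], "technique": "T1218.005",
                                 "reason": "mshta target is not an .hta file",
                                 "chain": ancestry(by_pid, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["pid"], f["reason"], " <- ".join(f["chain"]))
```

The benign `mshta.exe` launched from Explorer with a real `.hta` file (pid 400) produces nothing, while the PowerShell-spawned instance pointed at a `.exe` in Temp produces two findings; reviewing the reconstructed `chain` field is what lets an analyst tell the two apart quickly.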
The Emmenhtal loader plays a pivotal role in this campaign, embedding malicious JavaScript within modified Windows binaries like DCCW.exe (Display Color Calibration Wizard).
This script decodes and executes additional payloads while maintaining stealth through obfuscation and anti-analysis measures.
At the final stage, SmokeLoader is deployed. This malware is renowned for its modular design, enabling it to:
The analyzed SmokeLoader sample revealed extensive use of .NET Reactor for obfuscation and packing, further complicating detection and analysis.
Additionally, the malware exhibited anti-sandboxing measures by checking for virtualization tools like QEMU and VirtualBox.
According to the report, this campaign underscores the evolving sophistication of malware delivery mechanisms.
By chaining Emmenhtal with SmokeLoader, attackers can dynamically deploy secondary payloads while evading detection through techniques such as LOLBAS abuse, code obfuscation, and anti-analysis checks.
The use of weaponized 7z archives reflects an ongoing trend of leveraging archive-based evasion methods in cyberattacks.
Organizations are advised to strengthen their defenses by implementing endpoint detection and response (EDR) solutions, network monitoring tools, and zero-trust security frameworks.
Additionally, awareness of MITRE ATT&CK techniques such as PowerShell scripting (T1059.001) and Mshta execution (T1218.005) can aid in identifying similar threats.
This campaign highlights the importance of proactive cybersecurity measures to mitigate risks posed by increasingly sophisticated malware like SmokeLoader.