SmokeLoader (Dofoil) continues to leverage aging vulnerabilities to deliver its payload via a crafted phishing email chain, decrypt an embedded OLE stream, and drop a final DLL payload that is associated with zgRAT. The campaign demonstrates how attackers rely on unpatched CVEs (CVE-2017-0199 and CVE-2017-11882) and multi-stage downloading to deploy additional malware. Hashtags: #SmokeLoader #Dofoil #zgRAT #sorathlions #afrocalite #192.227.129.26
Keypoints
- The phishing email uses a Purchase Order lure to deliver the malicious Excel file (Purchase Order FG-20220629.xlsx).
- The Excel file hides an encrypted OLE stream that is decrypted with tools like oledump and msoffcrypto-crack.py, revealing the CVE-2017-0199 exploit stage.
- The attack chain moves from CVE-2017-0199 to a second vulnerability, CVE-2017-11882, via a decoy RTF file named receipt.doc.
- The payload after the exploit is vbc.exe, a .NET executable, which then downloads and deploys a heavily obfuscated DLL believed to be zgRAT.
- The final stage connects to a C2 infrastructure (e.g., sorathlions.com, dhemgldxkv.com, afrocalite.com) and retrieves additional components from 192.227.129.26 and related hosts.
- Fortinet protections are in place to detect these components (VBA/Agent.BMW!tr.dldr, MSOffice CVE exploits, and related signatures).
MITRE Techniques
- [T1566.001] Phishing – “a lure urging the recipient to review a purchase order and check for dates related to shipping times to ensure they are correct.”
- [T1203] Exploitation for Client Execution – CVE-2017-0199 is used to trigger code execution via an Office vulnerability; “This stage uses the first of the two exploits involved in this attack, CVE-2017-0199.”
- [T1105] Ingress Tool Transfer – The campaign downloads vbc.exe from a remote location to continue the infection chain; “The ‘receipt.doc’ file reaches out again to 192[.]227[.]129[.]26 and downloads vbc.exe. This is SmokeLoader.”
- [T1027] Obfuscated/Compressed Files and Information – The final DLL is heavily obfuscated; “The DLL is heavily obfuscated.”
- [T1036] Masquerading – The file is described as “WinRAR” (legitimate software) and the original/current file names do not match; “The file is described as ‘WinRAR’ (legitimate file compression and archiving software). In addition, the original and current file names do not match.”
- [T1105] Ingress Tool Transfer – Additional download activity to retrieve the final payload and its components (e.g., Vymxn_Zfbgctbp.jpg and subsequent DLL drop).
Indicators of Compromise
- [Filename] context – Purchase Order FG-20220629.xlsx, receipt.doc, vbc.exe, Vymxn_Zfbgctbp.jpg, Vymxn_Zfbgctbp.dll
- [SHA256] context – eef3295bada101787ae4f1ebc92e17fc2c6cd8c39389a745c45943a019637ca1, a1f59ebe9e8311267d831da649a8df44a3d747e9cf75e64a259b2fd917d2f587, 3223ae2c88753ce7268fa02213b76bdaf690ac37ec411ea8b7925c3b31e8822f, 104f88876b4d7c963d47afa63cfbb516d20e1cf9858d739f9c4023142b223fe2, 4e4e32f6259b82e6b932ab81172c22560ec2ac46e85543d4851637a63eaace3e
- [Network Domain] context – sorathlions.com, dhemgldxkv.com, afrocalite.com
- [IP Address] context – 108.60.212.220, 192.227.129.26
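The indicators above are only useful once they are matched against telemetry. The following is an added example, not code from the Fortinet report: it loads the domains, IPs, SHA256 hashes and filenames listed in this summary, normalises common defanging such as 192[.]227[.]129[.]26 or hxxp://, and scans a handful of constructed proxy/DNS/EDR log lines (a made-up field layout, not any vendor's format) for hits. Filename matches are flagged as low confidence because vbc.exe is also the name of the legitimate Visual Basic compiler shipped with the .NET Framework.

```python
"""Match constructed log lines against the SmokeLoader IoCs listed above.

Added example: the indicator values come from the report; the log lines and
their field layout are constructed for illustration and belong to no product.
"""
import re
from typing import Dict, List, Tuple

IOC_DOMAINS = {"sorathlions.com", "dhemgldxkv.com", "afrocalite.com"}
IOC_IPS = {"108.60.212.220", "192.227.129.26"}
IOC_SHA256 = {
    "eef3295bada101787ae4f1ebc92e17fc2c6cd8c39389a745c45943a019637ca1",
    "a1f59ebe9e8311267d831da649a8df44a3d747e9cf75e64a259b2fd917d2f587",
    "3223ae2c88753ce7268fa02213b76bdaf690ac37ec411ea8b7925c3b31e8822f",
    "104f88876b4d7c963d47afa63cfbb516d20e1cf9858d739f9c4023142b223fe2",
    "4e4e32f6259b82e6b932ab81172c22560ec2ac46e85543d4851637a63eaace3e",
}
# Filenames are weak indicators on their own: vbc.exe is also the name of the
# legitimate Visual Basic compiler that ships with the .NET Framework, so a
# filename hit should be corroborated by a hash or network indicator.
IOC_FILENAMES = {
    "purchase order fg-20220629.xlsx", "receipt.doc", "vbc.exe",
    "vymxn_zfbgctbp.jpg", "vymxn_zfbgctbp.dll",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# Final label must be alphabetic so dotted IPs are not picked up as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text: str) -> str:
    """Undo common defanging (192[.]227[.]129[.]26, hxxp://) and lower-case."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.lower()


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return matched indicators grouped by type; an empty dict means no hit."""
    text = refang(line)
    found = {
        "ip": set(IPV4_RE.findall(text)) & IOC_IPS,
        "sha256": set(SHA256_RE.findall(text)) & IOC_SHA256,
        "domain": set(DOMAIN_RE.findall(text)) & IOC_DOMAINS,
        "filename": {name for name in IOC_FILENAMES if name in text},
    }
    return {kind: sorted(values) for kind, values in found.items() if values}


def scan_lines(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Scan many lines; return (1-based line number, hits) for each hit line."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample lines in a made-up proxy/DNS/EDR layout.
SAMPLE_LOGS = [
    "2022-06-30T09:14:02Z proxy src=10.0.0.15 dst=192.227.129.26 "
    "url=http://192.227.129.26/vbc.exe",
    "2022-06-30T09:14:05Z dns client=10.0.0.15 query=afrocalite.com",
    "2022-06-30T09:15:11Z edr event=file_created "
    "path=C:\\Users\\user\\AppData\\Local\\Temp\\vbc.exe "
    "sha256=3223ae2c88753ce7268fa02213b76bdaf690ac37ec411ea8b7925c3b31e8822f",
    "2022-06-30T09:16:00Z dns client=10.0.0.22 query=example.com",
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Running the block reports lines 1 to 3 as hits and leaves the benign DNS query alone. In practice the indicator sets would be loaded from a feed rather than hard-coded, and the refang step matters because threat reports (including the quoted text above) deliberately break IPs and URLs with brackets.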
Read more: https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities