03/31/2025

Smoked out - Emmenhtal spreads SmokeLoader malware

Smoked out - Emmenhtal spreads SmokeLoader malware

Introduction

Analysis by Lovely Antonio, Ricardo Pineda, and Louis Sorita

We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal (sic! - this spelling refers to the HTA component of this loader, hence slightly unorthodox spelling "EmmenHTAl) also referred to by Google as Peaklight. This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma. In this campaign, we have observed that Emmenhtal Loader has been chained together with SmokeLoader malware, allowing threat actors to leverage its modular capabilities for deploying additional malware dynamically.

 

Infection chain

Stage 1: 7-Zip Delivery

The infection chain starts with an email claiming to confirm that a payment has been made. Attached to the email is a 7z archive file, named deceptively as ‘Платiжна_iнструкция.7z’ (translated as “Payment_instruction”) to trick victims into extracting and opening its contents.

In previous SmokeLoader campaigns, the threat actors exploited a 7-Zip zero-day vulnerability to bypass security checks using double-archived files, allowing malware execution. Although this campaign does not use the same exploit, it shows the attackers’ continued use of archive-based evasion techniques to deliver malicious payloads.

Stage 2: Downloader

Once extracted, the 7z archive contains two files:

  1. A bait PDF file designed to appear as legitimate banking documents as seen in Figure 3.1.
  2. A PDF shortcut that will download a file from a remote server as seen in Figure 3.2.

When opened, the internet shortcut file attempts to retrieve an additional file from 194[.]87[.]31[.]68[.]@80\Downloads\Document_main1.pdf.lnk

Stage 3: PowerShell + Mshta downloader

Upon execution of the downloaded .lnk file, the attack chain exploits the Target field to execute Mshta via PowerShell. Mshta (Microsoft HTML Application) is a built-in Windows tool used to execute HTML Applications and scripts (.HTA files). In this case, the legitimate Mshta file was used by the malware to download and execute another binary sample with malicious HTA script from a remote file server. This is a common LOLBAS (Living Off the Land Binaries and Scripts) technique, using legitimate applications such as utility tools present in the target computer that allows less to no footprint allowing fileless execution and minimal visibility.

Notably, the attack uses a modified version of DCCW.exe, which is a built-in Windows utility that stand for Display Color Calibration Wizard. The attackers modified DCCW.exe to act as a loader for the malicious script, making the attack look more legitimate.

Stage 4: Emmenhtal Loader

The Emmenhtal loader plays a key role in deploying SmokeLoader while maintaining a stealthy execution flow. The HTA script runs with the following configuration:

  • Application Caption: No
  • Window State: Minimize
  • Show in Taskbar: No

Upon execution from Mshta, it will interpret the first malicious JavaScript embedded just below the third DCCW code.

Upon execution from Mshta, it will interpret the first malicious JavaScript embedded just below the third DCCW code.

Mshta will also interpret the second embedded JavaScript which will trigger the execution of the hidden loaded payload variable from the firstJavaScript.

The executed variable (erc) contains another charCode encoded text/script which will be executed via wscript shell.

Decoded script leads to a PowerShell execution of another encoded PowerShell script with the following visible PowerShell command.

  • -w 1: Starts PowerShell in a hidden window (1 minimizes the window).
  • -ep Unrestricted: Sets the execution policy to Unrestricted, allowing all scripts to run.
  • -nop: No profile loading, reducing execution time and avoiding detection.

The decoded PowerShell script leads into the downloader function. It checks for the existence of two files, invoice1202.pdf and putty1202.exe, in the user's AppData directory. If found, it executes them; otherwise, it attempts to download new versions using an obfuscated WebClient object.

Subsequently, we used WireShark to check for any activities of the downloader. We noticed that there is an overlap in the observed activity between this particular case and Blustealer as well as Lumma.

Finally, we’ll reach to the downloading of two files: these two files suggest a phishing or social engineering component, where a seemingly harmless PDF or executable is used to deploy additional malware:

  1. invoce1202.pdf - Lure PDF
  2. putty1202.exe - SmokeLoader Malware

Stage 5: SmokeLoader

Analysis of the downloaded binary (Figures 11, 12 and 13) indicates that the file is a SmokeLoader malware. Aside from being a well-known loader, SmokeLoader is also a modular malware that has various capabilities such as:

  • Download and execute additional malware
  • Steal credentials from browsers and system memory
  • Execute remote commands from its command and control (C2) server
  • Evade detection by injecting itself into legitimate processes
  • Anti-analysis and anti-debugging techniques

One notable technique observed in this SmokeLoader sample is the use of .NET Reactor, a commercial .NET protection tool used for obfuscation and packing. While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of .NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms.

Future & Prevalence of Emmenhtal Loader in Malware Distribution

The Emmenhtal Loader is part of an on-going trend in malware development that leverages LOLBAS techniques (PowerShell and Mshta) which attackers strongly favor due to its fileless execution on the victim’s endpoint. Initially focused on infostealers with the integration of Cryptbot and Lumma stealer, this recent SmokeLoader integration allows it to deploy secondary payloads while using advanced evasion techniques, code injection and anti-analysis. The availability of these feature-rich new loaders that are offered through Malware-as-a-Service (MaaS) enables threat actors to be more creative in customizing their attack chain.

Organizations should implement:  

  • Endpoint Security and Antivirus Solutions 
  • EDR/XDR solutions 
  • Network Monitoring 
  • Zero-Trust security 

MITRE TTPs:

Emmenhtal

  • Application Layer Protocol: Web Protocols - T1071
  • Obfuscated Files or Information: Encrypted/Encoded File – T1027
  • System Binary Proxy Execution: Mshta – T1218.005
  • Command and Scripting Interpreter: PowerShell – T1059.001

SmokeLoader

  • Hide Artifacts: NTFS File Attributes - T1564.004
  • Obfuscated Files or Information: Software Packing – T1045.002
  • Process Discovery – T1057

IOCs

 

Indicator

Hash

Detection

IP/URL

194[.]87[.]31[.]68

N/A

 

 

88[.]151[.]192[.]165

N/A

 

7z Archive

Платiжна_iнструкция.7z

3160da060f2392474cceee22eba65eb3ce6f8117e3fd84c606386c92bfc863bb

Archive.Trojan.Agent.KQF7ZV

URL Shortcut

Платiжна_iнструкция_UA623348510000000026006245119.url

dd510900d091a35f0ef6d906be087a1ae7969e3d75450cef475e1a032736cc20

 Script.Trojan.Agent.UNV96V

 LNK

Document_main1.pdf.lnk

a1706ec6772daa7a54c67117d5ce7b5fd5285f6245ad08f46b3b4176a7f1e021

Win32.Trojan.Agent.51JUUW

PDF

 

Додаток_ФОП_ПУМБ.pdf

537aa3ebc2b1cb9d43793e000dd5322ca780c7a274da5f46d5054b09196e2a1a

 

Invoce1202.pdf

N/A

 

Emmenhtal

main1

ae64762d044f4b108f2ff820c0744d199c4c33616af17c35c3634aef79c4e3ff

Win32.Trojan.Agent.XZVVJF

SmokeLoader

putty1202.exe

4ee62002f89dffa52405df9c082cba4d4dfa7de7a207cb3a3f37be76ca6454c4

MSIL.Trojan.Agent.HXJKZ7

loaded binary

ea3c8dbe0b30fb6d5c68eb55454b2a9471e8e21abb4343306445b4905370f51c

Win32.Trojan-Downloader.SmokeLoader. 2Z2GT4