{
	"id": "b089c241-f373-4e0e-8a94-72f9cce5fa3d",
	"created_at": "2026-04-06T00:14:52.366995Z",
	"updated_at": "2026-04-10T13:13:07.037547Z",
	"deleted_at": null,
	"sha1_hash": "4e75798cc1a48fcca89d1ce982e2dfa0a39a1cbe",
	"title": "Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 910036,
	"plain_text": "Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities\r\nBy James Slaughter\r\nPublished: 2022-08-09 · Archived: 2026-04-05 14:49:32 UTC\r\nVulnerability management and remediation are some of the most difficult problems to tackle within an organization. Multiple solutions, watchlists, and warnings are designed to ensure that companies and end users patch their software against known security vulnerabilities.\r\nUnfortunately, even with tools available and teams forewarned with up-to-date information, this often does not happen in a timely manner or even at all. This is usually due to outdated software, overworked teams, or even negligence or incompetence—and threat actors know this. Patching is often mundane and tedious work. Organizations that are either late, inconsistent, or sloppy in applying patches often become victims by presenting an opening to threat actors searching for an exploitable foothold.\r\nCase in point, CVE-2017-0199 and CVE-2017-11882 are nearly five years old, but they are still being exploited. Worse, both vulnerabilities have had official patches available for some time, yet they continue to be exploited.\r\nIn this blog, we will examine a recent instance of SmokeLoader, a malware variant that exploits both of these CVEs in its deployment chain. SmokeLoader (also known as Dofoil) has been available on the market in one form or another since 2011. Its primary purpose is to support the distribution of other malware families, such as Trickbot. 
This latest sample drops zgRAT, a somewhat rare payload compared to what SmokeLoader usually delivers.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Potential to deploy additional malware for further purposes\r\nSeverity Level: Medium\r\nLooking at each element of the attack\r\nI will examine each attack element in the following sections, including the initial email, attachments, and executables.\r\nThe phishing email\r\nLike many phishing stories, this one starts with a lure urging the recipient to review a purchase order and check for dates related to shipping times to ensure they are correct. This email was sent to a webmail address hosted by a large telecommunications company in Taiwan. The phishing email’s sender also used this service, making it impossible to trace the precise origin of the message. Oddly, and perhaps a tell that this is a phishing attempt, the sender spoofed the recipient’s address and used it as the sending address.\r\nhttps://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities\r\nPage 1 of 12\r\nThe body text is a mix of Chinese and English and goes to some degree of trouble to look as legitimate as possible, showing a full signature with contact details.\r\nFigure 1. Phishing email.\r\nFigure 2. Phishing email translation to English.\r\nAs shown in Figure 1, the file “Purchase Order FG-20220629.xlsx” is attached to the email. Opening this file begins the process of infection.\r\nPurchase Order FG-20220629.xlsx\r\nFigure 3. 
Spreadsheet as it would appear to the recipient.\r\nWhen opened, the recipient is presented with a fairly standard view of a pixelated image and faux Microsoft instructions on viewing protected content.\r\nGiven there aren’t any macros, a closer look at the internals of the spreadsheet is needed. The lock icon for Sheet2 shows that there is likely an encrypted or protected sheet. A tool like oledump from Didier Stevens can help in a situation like this.\r\nFigure 4. oledump output showing an encrypted stream.\r\nAfter running oledump, it becomes evident that there is an encrypted stream in the file that most likely includes some details of interest. Another tool by Didier Stevens, msoffcrypto-crack.py, can check for obvious and well-used passwords.\r\nFigure 5. msoffcrypto-crack.py output showing the password of the file.\r\nIn this instance, a return of “VelvetSweatshop” is given. This is interesting, as this is effectively a default document password recognized by Excel. It allows data to be encrypted but won’t prompt a user to enter a password to access the file.\r\nBy combining the two tools mentioned above using a pipe (“|”), the full decrypted scope of the OLE stream in question is provided, and the target of the next stage of the attack is shown. This stage uses the first of the two exploits involved in this attack, CVE-2017-0199. It also includes an embedded link that will attempt to download the file “receipt.doc” from 192[.]227[.]129[.]26.\r\nFigure 6. The ultimate target for the spreadsheet after exploiting CVE-2017-0199.\r\nFigure 7. Oddities in the file evident from the Exif data.\r\nInitial analysis of “receipt.doc” turns up some interesting oddities. As shown in Figure 7, Exiftool (a tool for examining file metadata) returns an error when run against “receipt.doc”. 
Opening the file and viewing it directly shows the scope of what is being attempted.\r\nFigure 8. “receipt.doc” as it would appear to anyone viewing it.\r\nIt becomes immediately apparent that this file is not a Microsoft Word document. Instead, it is a Rich Text File (RTF). This file is designed to take advantage of the second of the two vulnerabilities mentioned, CVE-2017-11882, a stack overflow vulnerability in the Microsoft Equation Editor that enables remote code execution on a vulnerable system.\r\nFigure 9. The ultimate target for the spreadsheet after exploiting CVE-2017-11882.\r\nThe “receipt.doc” file reaches out again to 192[.]227[.]129[.]26 and downloads vbc.exe. This is SmokeLoader.\r\nvbc.exe\r\nStarting at the beginning with “vbc.exe” and viewing its details as seen by the operating system, this file presents itself as a Microsoft .NET executable.\r\nFigure 10. Basic executable details for “vbc.exe”.\r\nA review of the metadata for the file shows a basic level of misdirection.\r\nFigure 11. Exif data showing “vbc.exe” obfuscating its true purpose.\r\nThe file is described as “WinRAR” (legitimate file compression and archiving software). In addition, the original and current file names do not match, which is highly suspicious given the circumstances up to this point.\r\nViewing the executable in a .NET debugger or IDE offers more explicit details on what the program attempts to do and how.\r\nFigure 12. The ultimate target for “vbc.exe”.\r\nAn attempt to connect to the URL “sorathlions[.]com/wp-content/Vymxn_Zfbgctbp[.]jpg” will be made.\r\nFigure 13. 
Packet capture showing multiple connections over a very short period.\r\nIf a connection cannot be made, numerous retries occur. However, they are done at a very fast rate (several per minute), which presents a detection opportunity given the uncharacteristic and ceaseless attempts to connect to this location.\r\nFigure 14. If “vbc.exe” successfully connects to its C2, it will execute the above command.\r\nA successful connection will pull the file “Vymxn_Zfbgctbp.jpg” from its remote location, and the command in Figure 14 will be executed.\r\nVymxn_Zfbgctbp.jpg\r\nThe code in Figures 12 and 14 indicates that “Vymxn_Zfbgctbp.jpg” may not be an image file as claimed.\r\nFigure 15. Exif data confirms that “Vymxn_Zfbgctbp.jpg” is not an image.\r\nA review of the file’s metadata shows that it appears to be a compressed GZip archive. Figure 12 appears to bear this out, with the code to decompress the file in memory. In the absence of that, the file can be decompressed manually using common tools like 7Zip.\r\nFigure 16. Demonstrating “Vymxn_Zfbgctbp.jpg” can be decompressed manually.\r\nFigure 17. The final file to be dropped is a DLL.\r\nAs Figure 17 shows, the file that gets dropped is a .NET DLL that would be executed by “vbc.exe”.\r\nDLL\r\nThe DLL is heavily obfuscated. However, it’s still possible to pick out the primary namespace, class, and entry function.\r\nFigure 18. Primary namespace.\r\nBased on some of the non-obfuscated strings in this DLL, FortiGuard Labs believes this sample is zgRAT. Samples of zgRAT date back to 2021. 
It is a somewhat rare malware variant compared to other more established lines.\r\nThis particular sample makes no effort to communicate out and mostly idles without taking any further offensive action.\r\nConclusion\r\nWhile CVE-2017-0199 and CVE-2017-11882 were discovered in 2017, they are still being actively exploited in this and other malware campaigns. This demonstrates that malware authors still achieve their aims by relying on aging vulnerabilities, often several years after coming to light, and banking on affected solutions not being fixed.\r\nSmokeLoader’s staying power, shown by its relative longevity compared to other threats, shows no signs of waning for the foreseeable future.\r\nFortinet Protections\r\nThe samples mentioned in this blog are detected by the following (AV) signatures:\r\nVBA/Agent.BMW!tr.dldr\r\nMSOffice/CVE_2017_11882.B!exploit\r\nMSIL/Agent.MJR!tr.dldr\r\nMSIL/Injector.VZX!tr\r\nFortiGuard IPS protects against all known exploits associated with CVE-2017-0199 with the following signature:\r\nMS.Office.RTF.File.OLE.autolink.Code.Execution\r\nFortiGuard IPS protects against all known exploits associated with CVE-2017-11882 with the following signature:\r\nMS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption\r\nAll network-based URIs are blocked by the WebFiltering client.\r\nFortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.\r\nIn addition to these protections, we suggest that organizations also have their end users go through our FREE NSE training: NSE 1 – Information 
Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs:\r\nFilename SHA256\r\nPurchase Order FG-20220629.xlsx eef3295bada101787ae4f1ebc92e17fc2c6cd8c39389a745c45943a019637ca1\r\nreceipt.doc a1f59ebe9e8311267d831da649a8df44a3d747e9cf75e64a259b2fd917d2f587\r\nvbc.exe 3223ae2c88753ce7268fa02213b76bdaf690ac37ec411ea8b7925c3b31e8822f\r\nVymxn_Zfbgctbp.jpg 104f88876b4d7c963d47afa63cfbb516d20e1cf9858d739f9c4023142b223fe2\r\nVymxn_Zfbgctbp.dll 4e4e32f6259b82e6b932ab81172c22560ec2ac46e85543d4851637a63eaace3e\r\nNetwork IOCs:\r\nsorathlions[.]com\r\ndhemgldxkv[.]com\r\nafrocalite[.]com\r\n108[.]60[.]212[.]220\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities"
	],
	"report_names": [
		"smokeloader-using-old-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434492,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e75798cc1a48fcca89d1ce982e2dfa0a39a1cbe.pdf",
		"text": "https://archive.orkl.eu/4e75798cc1a48fcca89d1ce982e2dfa0a39a1cbe.txt",
		"img": "https://archive.orkl.eu/4e75798cc1a48fcca89d1ce982e2dfa0a39a1cbe.jpg"
	}
}