Advanced Persistent Threat (APT) Attack targeting the Biomanufacturing industry - Overview and Proposed Response Actions for DIB organizations
- Scott Anderson
- Nov 3
Since January 2020, a proliferation of malware variants has been targeting the bioeconomy. The malware is delivered by a widely used 'loader', SmokeLoader, which targets Windows workstations and servers alike.
Tardigrade is a variant of the SmokeLoader family and targets Windows platforms. Its core function is to download and run additional malware on an infected machine, but it also has self-protecting, 'virus-like' properties that can do real damage to an information system. SmokeLoader is typically delivered through a phishing or social-engineering campaign carried by spam email. The email contains a malicious Microsoft Word attachment that carries the SmokeLoader payload. When the user opens the document, it prompts them to enable macros; the macros then install the loader.
Because its footprint and delivery mechanisms are generic (phishing email and Microsoft Office documents), SmokeLoader has historically hit systems and networks in many other industries. It was first observed in 2011, sold on dark-web forums by an actor using the handle SmokeLdr. Its functionality varies from one campaign to another and depends on which modules the adversary enables. The first recorded attack against the biomanufacturing industry came in 2020, targeting Tissue Regenix (a regenerative medical device company). More recently, attacks against both Moderna and Pfizer have been recorded.
The primary goal of the malware is to steal information covertly and avoid detection. Much of what it does is only visible through forensic examination of a potentially infected system. Its infection chain, however, is fairly consistent, so it can be recognised by its execution pattern. First, the loader injects itself into a legitimate Windows process such as explorer.exe (Microsoft publishes a list of standard Windows system processes, which is useful when reviewing what is running on a host). Once the injected code is running, it drops and launches another executable named 'tesrdgeh.exe'; that file is the first indication of a SmokeLoader infection. In practice, two events in that chain are worth alerting on regardless of file name: an Office application spawning an executable, and explorer.exe writing or launching an executable from a user-writable directory such as AppData or Temp.
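The execution chain above can be hunted for in endpoint telemetry. The following is an added example written for this page, not code from the original post or from BIO-ISAC: a small Python hunt over constructed Sysmon-style events (EventID 1 ProcessCreate and EventID 11 FileCreate). The field names, the sample events, the trusted-directory list and the rule names are assumptions made for the example; the explorer.exe injection and the dropped-file name are taken from the text above.

```python
import os

# Office processes that start the macro-based delivery chain described above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories where a freshly written or launched .exe is expected. Anything
# outside these (AppData, Temp, Downloads, ...) is treated as suspicious.
# This list is an assumption; tune it to your own software inventory.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Dropped-file name reported in the write-up above. It is one indicator among
# several: the Tardigrade variant is described as metamorphic, so never key on
# the file name alone.
KNOWN_DROPPER = "tesrdgeh.exe"

# Constructed Sysmon-style events for the example; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentProcessId": 3001,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "ParentProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 11, "ProcessId": 1532, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\tesrdgeh.exe"},
    {"EventID": 1, "ProcessId": 5012,
     "Image": r"C:\Users\alice\AppData\Roaming\tesrdgeh.exe",
     "ParentProcessId": 1532, "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign noise: explorer launching a built-in tool and writing a document.
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1532, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1532, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def hunt(events):
    """Return findings for the SmokeLoader/Tardigrade chain in the given events."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            parent = _basename(ev["ParentImage"])
            child = ev["Image"]
            # Stage 1: a macro-enabled Office document launching an executable.
            if parent in OFFICE_APPS and child.lower().endswith(".exe") and not _in_trusted_dir(child):
                findings.append({"rule": "office_spawned_untrusted_exe", "severity": "high",
                                 "pid": ev["ProcessId"], "detail": f"{parent} -> {child}"})
            # Stage 3: injected explorer.exe launching the dropped executable.
            if parent == "explorer.exe" and not _in_trusted_dir(child):
                sev = "critical" if _basename(child) == KNOWN_DROPPER else "medium"
                findings.append({"rule": "explorer_spawned_untrusted_exe", "severity": sev,
                                 "pid": ev["ProcessId"], "detail": f"{parent} -> {child}"})
        elif ev["EventID"] == 11:
            writer = _basename(ev["Image"])
            target = ev["TargetFilename"]
            # Stage 2: injected explorer.exe writing an executable to a user path.
            if writer == "explorer.exe" and target.lower().endswith(".exe") and not _in_trusted_dir(target):
                sev = "critical" if _basename(target) == KNOWN_DROPPER else "medium"
                findings.append({"rule": "explorer_dropped_exe", "severity": sev,
                                 "pid": ev["ProcessId"], "detail": f"{writer} wrote {target}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']} {f['detail']}")
```

Run against the constructed events, the hunt flags the Word-spawned dropper, explorer.exe writing tesrdgeh.exe, and explorer.exe launching it, while ignoring notepad.exe and the text file. The two explorer.exe rules fire on the behaviour (an executable written to or launched from a user-writable directory), so they still apply when a metamorphic sample changes the file name; the known name only raises the severity.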
It is important to note that the Tardigrade variant is reported to be metamorphic: it changes its code and behavior in response to certain 'environmental' triggers, which makes signature-based detection considerably harder. The best course of action is therefore to identify the critical systems that could be affected and monitor them with extreme vigilance. BIO-ISAC (the Bioeconomy Information Sharing and Analysis Center, an international organization that addresses threats unique to the bioeconomy) has published additional information on this threat.