| Smoke Loader | |
| --- | --- |
| Additional Names | Dofoil, Sharik, Smoke, SmokeLoader |
| Type of Malware | Backdoor |
| Country of Origin | Russia |
| Date of initial activity | 2011 |
| Associated Groups | SMOKY SPIDER, UAC-0006 |
| Targeted Countries | United States, followed by Japan, Mexico, Brazil, Ukraine |
| Motivation | SmokeLoader can act as a remote-access tool, a malware downloader and a data-stealing tool. It is generally used to build botnets that are then used for DDoS attacks and additional malware delivery. |
| Attack vectors | Smoke Loader has been distributed through email, and it has appeared as a payload from web-based vectors such as the Rig Exploit Kit. It has also been seen delivered as a payload of other malware, such as Glupteba. |
| Targeted systems | Windows |
Overview
Also known as Dofoil or Sharik, Smoke Loader is a backdoor targeting systems running Microsoft Windows. It is notorious for its use of deception and self-protection. It also comes with several plug-ins and has included a number of different payloads.
Threat actors have advertised this threat on underground forums since 2011. Primarily a loader with added information-stealing capabilities, Smoke Loader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums.
Targets
Since it first appeared, reporting on Smoke Loader indicates that various groups have used it against different industries and organizations across the globe. These activities range from recent targeted cyberattacks in Ukraine to criminal activity resulting in Phobos ransomware infections.
Ukrainian officials have highlighted a surge in Smoke Loader attacks targeting the country's financial institutions and government organizations. While Ukraine has seen a rise in Smoke Loader attacks, the malware remains a global threat and continues to appear in campaigns targeting other countries. Still, the surge suggests a coordinated effort to disrupt Ukrainian systems and extract valuable data.
Techniques Used
The Smoke Loader family is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. It frequently tries to hide its C2 activity among requests to legitimate sites such as microsoft.com, bing.com and adobe.com. Typically the actual download returns an HTTP 404, but the response body still carries data.
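The "404 with a body" behaviour above is a useful detection signal. The following is an added example (not code from the page or from any product) that runs over constructed proxy-log lines with an assumed field layout, flags 404 responses that are too large for an error page or that carry a binary content type, and surfaces clients that repeat the pattern against the same host:

```python
"""Flag HTTP 404 responses that still carry a payload.

Added example, not code from the page. The log lines, field order, size
floor and content types below are constructed for illustration."""

from collections import Counter

# Constructed field order: ts client method host status bytes content_type
LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET www.microsoft.com 200 58213 text/html
2024-03-01T10:00:02Z 10.0.0.5 GET www.bing.com 200 41022 text/html
2024-03-01T10:00:03Z 10.0.0.5 POST 203.0.113.7 404 73216 application/octet-stream
2024-03-01T10:00:04Z 10.0.0.5 GET www.adobe.com 200 39810 text/html
2024-03-01T10:00:09Z 10.0.0.5 POST 203.0.113.7 404 8192 application/octet-stream
2024-03-01T10:01:15Z 10.0.0.9 GET intranet.example.invalid 404 1120 text/html
2024-03-01T10:02:00Z 10.0.0.9 GET cdn.example.invalid 404 0 text/html
"""

MAX_ERROR_PAGE = 4096  # assumed floor: a genuine 404 page is normally small
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse(line: str) -> dict:
    """Split one constructed log line into a record."""
    ts, client, method, host, status, size, ctype = line.split()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "status": int(status), "bytes": int(size), "ctype": ctype}


def is_payload_404(rec: dict) -> bool:
    """A 404 that is too large for an error page, or whose body is binary."""
    return rec["status"] == 404 and (
        rec["bytes"] > MAX_ERROR_PAGE or rec["ctype"] in BINARY_TYPES)


def find_payload_404s(log: str) -> list[dict]:
    """All records in the log that match the payload-bearing-404 pattern."""
    return [r for r in map(parse, log.splitlines()) if is_payload_404(r)]


def clients_to_triage(log: str, min_hits: int = 2) -> dict[str, int]:
    """Client/host pairs with repeated payload 404s: a repeating beacon is a
    stronger signal than a single odd response."""
    hits = Counter((r["client"], r["host"]) for r in find_payload_404s(log))
    return {f"{c} -> {h}": n for (c, h), n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for pair, n in clients_to_triage(LOG).items():
        print(f"{pair}: {n} payload-bearing 404s")
```

Genuine 404 pages from some servers exceed a few kilobytes, so the size floor should be tuned per environment and combined with the content-type check rather than used alone.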
PROPagate Injection Technique
Smoke Loader uses the PROPagate code injection technique, a less common method that inserts malicious code into existing processes in order to appear legitimate and bypass traditional signature-based security measures. In the case of Smoke Loader, this technique abuses the Windows SetWindowSubclass function, which is normally used to add or change the behavior of a window in Windows programs. By manipulating this function, SmokeLoader can inject its code into other running processes. This not only helps to disguise the malware's activity but also lets the attackers use the permissions and capabilities of the infected process.
Obfuscation Methods
SmokeLoader is known to employ several obfuscation techniques to evade detection and analysis by security teams. These include scrambling portable executable files, encrypting its malicious code, obfuscating API functions and packing, all intended to make the malware's code appear harmless or unremarkable to antivirus software. This allows attackers to slip past defenses and carry out their malicious activity while remaining undetected.
Infection Vector and Communication
Smoke Loader typically spreads via phishing emails that use social engineering to convince users to unknowingly download malicious payloads and execute the malware. Once installed on a target network, Smoke Loader acts as a backdoor, allowing attackers to control infected systems and download further malicious payloads from command-and-control (C2) servers. SmokeLoader uses fast flux, a DNS technique employed by botnets in which the IP addresses associated with C2 domains change rapidly, making it difficult to trace the source of the attack. This technique also boosts the resilience of the attack, as taking down one or two malicious IP addresses will not significantly affect the botnet's operation.
Continuous Evolution
As with many MaaS strains, Smoke Loader is continuously evolving, with its developers regularly adding new features and techniques to increase its effectiveness and evasiveness. These include new obfuscation methods, injection techniques and communication protocols. This constant evolution makes Smoke Loader a significant threat and underscores the importance of advanced threat detection and response capabilities. Because it can download additional malware, it also acts as a delivery vehicle for other malware families.
MITRE ATT&CK Techniques used by Smoke Loader:
- T1071.001 Application Layer Protocol – Web Protocols: Smoke Loader uses HTTP for C2.
- T1547.001 Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder: Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.
- T1059.005 Command and Scripting Interpreter – Visual Basic: Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.
- T1555.003 Credentials from Password Stores – Credentials from Web Browsers: Smoke Loader searches for credentials stored from web browsers.
- T1140 Deobfuscate/Decode Files or Information: Smoke Loader deobfuscates its code.
- T1114.001 Email Collection – Local Email Collection: Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).
- T1083 File and Directory Discovery: Smoke Loader recursively searches through directories for files.
- T1105 Ingress Tool Transfer: Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.
- T1027 Obfuscated Files or Information: Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.
- T1055 Process Injection: Smoke Loader injects into the Internet Explorer process.
- T1055.012 Process Hollowing: Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.
- T1053.005 Scheduled Task/Job – Scheduled Task: Smoke Loader launches a scheduled task.
- T1552.001 Unsecured Credentials – Credentials In Files: Smoke Loader searches for files named logins.json to parse for credentials.
- T1497.001 Virtualization/Sandbox Evasion – System Checks: Smoke Loader scans processes to perform anti-VM checks.
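The one-byte XOR obfuscation listed under T1027 is easy to undo during analysis, since the operation is its own inverse and only 256 keys exist. The following is an added example (not code from the page or from any Smoke Loader sample) that brute-forces the key against a constructed blob using a crib (the URLs in a loader config make "http" a natural one) and splits the decoded data into strings; the sample key, strings and domain are made up for illustration:

```python
"""Single-byte XOR deobfuscation for Smoke Loader-style config strings.

Added example, not code from the page. The blob below is constructed here
with a made-up key; it is not taken from a real sample."""


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab/CR/LF, or NUL separators."""
    if not buf:
        return 0.0
    good = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return good / len(buf)


def recover_keys(blob: bytes, crib: bytes = b"http", min_ratio: float = 0.9) -> list[int]:
    """Candidate keys: every key under which the crib appears in the decoded
    blob and the result is mostly printable. All 256 keys are tried in full,
    which is cheap and avoids trusting a single offset."""
    keys = []
    for k in range(256):
        plain = xor1(blob, k)
        if crib in plain and printable_ratio(plain) >= min_ratio:
            keys.append(k)
    return keys


def decode_strings(blob: bytes, key: int, min_len: int = 4) -> list[str]:
    """Decode with the given key and split on NUL, keeping plausible strings."""
    out = []
    for chunk in xor1(blob, key).split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: NUL-separated strings encoded with a made-up key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"http://c2.example.invalid/index.php\x00explorer.exe\x00logins.json\x00"
SAMPLE_BLOB = xor1(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for k in recover_keys(SAMPLE_BLOB):
        print(f"key 0x{k:02x}: {decode_strings(SAMPLE_BLOB, k)}")
```

Real builds may use a different crib or a multi-byte key; the same loop generalises by widening the key space or swapping the crib for another string known to appear in the config.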
Significant Malware Campaigns
- New-looking Sundown EK drops Smoke Loader, Kronos banker (October 2016)
- Fake Spectre and Meltdown patch pushes Smoke Loader malware (January 2018)
- Analysis of Smoke Loader in New Tsunami Campaign (December 2018)
- Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA (February 2022)
- Amadey Bot Being Distributed Through SmokeLoader (July 2022)
- Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (August 2022)
- Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop zgRAT (November 2022)
- Smoke Loader Malware Targets Financial Institutions (March 2024)