SmokeLoader has been active in major attack campaigns since it first appeared in 2011. According to Check Point's 'Global Threat Index for December 2018' report, the malware's global impact grew by 20 percent in 2018 after a surge of malicious activity in Ukraine and Japan. It is mainly used to drop other malware, such as the TrickBot banking trojan, the AZORult info-stealer and the Panda banking trojan.
Propagation and Capabilities
SmokeLoader is a small, modular bot that is mainly used to drop various other malware families. Beyond dropping malware, it has substantial malicious capabilities of its own. It is usually distributed via spam campaigns and exploit kits. In March 2018, the malware was modified to circumvent new countermeasures deployed by Microsoft.
Once installed, SmokeLoader replaces itself with a recent update fetched from its C2 server, which makes signature-based detection harder. The downloader also evades detection by altering the timestamp of its executable. To complicate traffic analysis, SmokeLoader generates decoy traffic alongside its C2 communication, sending requests to legitimate domains such as microsoft.com, bing.com and adobe.com.
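The decoy-traffic pattern described above can be hunted for in proxy logs: a host contacting an unknown domain at a fixed cadence, with each contact accompanied by a request to one of the legitimate domains named here. The following is an added example for defenders, not code from the page or from any analysis tool; the log format, the client addresses and the `c2.invalid` domain are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the page): "<iso-timestamp> <client> <host>".
SAMPLE_LOG = """\
2018-12-03T10:00:00 10.0.0.5 microsoft.com
2018-12-03T10:00:01 10.0.0.5 c2.invalid
2018-12-03T10:05:00 10.0.0.5 bing.com
2018-12-03T10:05:01 10.0.0.5 c2.invalid
2018-12-03T10:10:00 10.0.0.5 adobe.com
2018-12-03T10:10:01 10.0.0.5 c2.invalid
2018-12-03T10:03:14 10.0.0.7 microsoft.com
2018-12-03T10:21:40 10.0.0.7 example.org
"""

# Legitimate domains the page says SmokeLoader contacts as cover traffic
DECOY_DOMAINS = {"microsoft.com", "bing.com", "adobe.com"}

def parse_log(text):
    """Parse lines into (epoch_seconds, client, host); skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, host = parts
        rows.append((datetime.fromisoformat(ts).timestamp(), client, host.lower()))
    return rows

def find_padded_beacons(text, min_hits=3, max_jitter=0.1, pad_window=5.0):
    """Return {client: [host, ...]} for non-decoy hosts contacted at a near-constant
    interval where every contact has a decoy request within pad_window seconds."""
    beacons = defaultdict(lambda: defaultdict(list))
    decoys = defaultdict(list)
    for ts, client, host in parse_log(text):
        (decoys[client] if host in DECOY_DOMAINS else beacons[client][host]).append(ts)
    flagged = {}
    for client, hosts in beacons.items():
        for host, times in hosts.items():
            times.sort()
            if len(times) < min_hits:
                continue
            gaps = [b - a for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg <= 0 or pstdev(gaps) / avg > max_jitter:  # cadence not regular
                continue
            if all(any(abs(t - d) <= pad_window for d in decoys[client]) for t in times):
                flagged.setdefault(client, []).append(host)  # regular and decoy-padded
    return {c: sorted(h) for c, h in flagged.items()}
```

Tune `min_hits`, `max_jitter` and `pad_window` to the observed beacon interval; a low-jitter cadence alone is common for legitimate software updaters, so the decoy-adjacency condition is what narrows the result.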
Examples
Many parts of the downloader have changed over the years, which has kept it attractive to attackers. Its core function, downloading and deploying other modules, has remained the same throughout SmokeLoader's lifetime.