TECHNICAL ANALYSIS OF SMOKELOADER MALWARE

Risk Score: 8

Confidence Level: High

Suspected Malware: SmokeLoader Malware

Function: Mainly act to download other malware and as Information Stealer.

Threat actor Associations: Association with Russians

Other Malwares related to SmokeLoader: Dofoil

First Seen: August 2011 but also recently seen in October 2021.

Target Industry: Multiple

Target Countries: Multiple

SmokeLoader is primarily a loader, and its main objective is to download or load a stealthier or more effective malware into the system. First detected in 2011 and its functioning is highly complex, and it increases its capability by adding new tactics/techniques regularly and constantly evolving with time. You may guess the advancement of the SmokeLoader from the fact that it was the first malware that used the “Propagate DLL Injection Method” when just its POC was released by researchers.

SmokeLoader variants are used for the purpose of information stealing, botnet, backdoor as well. SmokeLoader has also been used to install/load cryptominers, ransomware, banking trojans, and point of sale (POS) malware. The functionality of the malware changes with the attack type or target and depends on the modules used by attackers as the SmokeLoader is modular in nature.

Earlier, the SmokeLoader was sold on dark-web portals by the name SmokeLdr and since 2014, it is sold only to Russian-based threat actors.

The SmokeLoader is distributed through malicious documents like word or pdf documents send either through spam emails or targeted spear-phishing attacks. Once the victim downloads and opens the malicious document, the malware drops to the system and in the next stage injects malicious code into a compromised system process like explorer.exe and starts its malicious activity in disguise as a legitimate process.

SmokeLoader has been evolved over time and has the following capabilities:

1. Act as a downloader for other malware like ransomware.
2. Stealing confidential information.
3. System and Network Reconnaissance.
4. Multiple advance anti-debugging and analysis detection techniques.
5. Anti-Sandbox, Anti-VM, and Anti-Hooking techniques.
6. Code obfuscation techniques to thwart analysis.
7. Decrypts code prior to execution and encrypts again after execution.
8. Capability to encrypt payloads and network traffic.
9. Implementation of Propagate DLL Injection method to compromise legitimate processes like explorer.exe.
10. Provide Persistence.
11. Command and Control Functionality.

Initial Analysis:

File Details: As shown in Figure1, the following are the details related to the malware SmokeLoader.

File Type: Windows PE-32 Executable

MD5: 6a8f92ba4df2ba5415cd1fd97fcb87da

SHA256: fa611609c25485e53c73a059ae49eb25b8650727b0cf0d62ae4f72642e1b3d49

Subsystem: GUI

Compilation Time: March 2021

Figure1: Basic Information

Figure1 above shows the basic information related to our malicious file, its hashes, it has Microfoft Visual C++ code and is a 32 bit PE executable. Further, the subsystem is GUI and has a compilation time of March 2021 which is quite recent.

Figure2: Sections

Figure2 above shows the sections present in our malware. All are looking quite normal imported by the malware except .rotuge section which is a suspicious ad when we checked it as shown in Figure3 given below. It is all empty which gives us an indication that may be used by malware later to store and access some code here.

Figure3:

Figure4: Libraries

Figure4 above shows the libraries used by the malware, kernel32.dll used for core functionality such as access and manipulation of memory and gdi32.dll used for displaying and manipulating graphics.

Figure5: Imports/APIs

Figure5 shows above the APIs imported by the malware and indicates towards all the capabilities which we have mentioned earlier can be present int the SmokeLoader.

MITRE Attack Techniques: