Cylance vs. Smoke Loader and the Trickbot Trojan

When three outlaws appear on the horizon, with horses and weapons outlined in the crimson sunset, it’s usually time to get out of Dodge. At the Cylance research lab it’s merely time to round up the bandits and dismantle them down to their machine code. This week, Cylance investigates three unique malware variants found travelling together. The members of this dubious malware triad include:

  • A deceptive document loaded with malicious macros
  • Smoke Loader, a popular malware downloader
  • Trickbot, an information stealing banking Trojan

Can this rag-tag malware gang prove more effective than the infamous solo threats which dominated headlines in 2017? Our research team answers this and other questions in our triple threat breakdown.

VIDEO: Cylance vs. Smoke Loader Triple Threat

Cylance Threat Research describes the three malware components in greater detail within this week’s Threat Spotlight blog.

The attack begins with an attachment posing as an invoice from a legitimate private company. When the file is opened, the reader is presented with a document containing the following image:

Figure 1: Malicious document prompts user to enable macros, allowing it to begin operations

A savvy observer will notice that both the invoice and the warning are a single picture pasted into the document: the "enable macros" bar is part of the image, not a prompt that MS Word itself raised when the file was opened. Less observant users may be fooled by the fake warning into enabling macros, a move with dire consequences, since enabling content is exactly what hands control to the embedded macros.

The document hides sixteen separate malicious macros.

These macros invoke various PowerShell commands, including one that saves a randomly named .BAT file in the %temp% folder. Successful execution of the macros and the PowerShell commands results in Smoke Loader being dropped on the target system.
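As an added example (not code from the Cylance post), here is detection logic for the chain just described, run over constructed Sysmon-style process-creation and file-creation events: an Office process spawns PowerShell, and that PowerShell process writes a .BAT file into %TEMP%. The event lines, field names, the choice of WINWORD.EXE as the macro host, and the assumption that %TEMP% resolves to AppData\Local\Temp or C:\Windows\Temp are all assumptions made for this example.

```python
"""
Detection logic for the chain described above: an Office document's macros
launch PowerShell, and PowerShell drops a .BAT file into %TEMP%.

Events are Sysmon-style key=value lines constructed for this example
(EID 1 = process creation, EID 11 = file creation); they are not telemetry
from the Cylance write-up.
"""
import re

# Assumptions (not stated in the post): the macro host is WINWORD.EXE
# (Excel/PowerPoint included for completeness) and %TEMP% resolves to
# <profile>\AppData\Local\Temp or C:\Windows\Temp.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample telemetry. PID 5232 is the malicious chain; PID 6001 is a
# benign PowerShell session writing a text file; PID 4120 is Word's own temp file.
SAMPLE_EVENTS = [
    r"EID=1 PID=4120 PPID=3980 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE ParentImage=C:\Windows\explorer.exe",
    r"EID=1 PID=5232 PPID=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EID=11 PID=5232 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\x7q2ka9.bat",
    r"EID=1 PID=6001 PPID=1200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EID=11 PID=6001 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\report.txt",
    r"EID=11 PID=4120 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE TargetFilename=C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp",
]

# key=value pairs; values may contain spaces, so a value runs until the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    """True if the path sits under one of the assumed %TEMP% locations."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def office_spawned_powershell(lines):
    """Stage 1: PIDs of PowerShell processes whose parent is an Office app."""
    pids = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EID") != "1":
            continue
        if (basename(ev.get("Image", "")) in POWERSHELL
                and basename(ev.get("ParentImage", "")) in OFFICE_APPS):
            pids.append(ev["PID"])
    return pids


def office_powershell_bat_drops(lines):
    """Stage 2: those same PowerShell processes writing a .bat file into %TEMP%."""
    suspects = set(office_spawned_powershell(lines))
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EID") != "11" or ev.get("PID") not in suspects:
            continue
        target = ev.get("TargetFilename", "")
        if in_temp(target) and target.lower().endswith(".bat"):
            hits.append({"pid": ev["PID"], "file": target})
    return hits


if __name__ == "__main__":
    for hit in office_powershell_bat_drops(SAMPLE_EVENTS):
        print(f"ALERT: Office-spawned PowerShell (PID {hit['pid']}) dropped {hit['file']}")
```

Stage 1 on its own (Office spawning PowerShell) is worth logging but is noisy wherever Office automation is legitimate; the high-confidence signal is the second stage, a .BAT file landing in %TEMP% from that particular child process. Word's own ~WRD*.tmp writes and an unrelated PowerShell session writing a .txt are deliberately included in the sample so the correlation, not just the file extension, is what produces the single alert.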

Smoke Loader attempts to load all plugin DLLs present on the local disk:

Figure 2: Smoke Loader on a DLL-loading rampage


*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Threat Research Team. Read the original post at: