Threat Spotlight: Resurgent Smoke Loader Malware Dissected

Smoke Loader (also known as Dofoil), first identified in 2011, has recently returned to the headlines. The malware, which chiefly serves as a platform for downloading additional malware, was updated with new process injection methods disclosed in 2017, and in March 2018 it was changed again to circumvent countermeasures deployed by Microsoft. This indicates that the operators of Smoke Loader are committed to investing the time and resources needed to keep the threat viable.

The Cylance Threat Research team recently dissected a resurgent form of Smoke Loader. Our investigation uncovered two other malware samples working alongside Smoke Loader: a document packed with malicious macros, and Trickbot, a banking Trojan.

The following is a technical overview detailing what our research uncovered.

The first step of the attack relies on a user opening a document loaded with malicious macros and enabling them. If that succeeds, the attack enters phase two, in which Smoke Loader is downloaded and executed. Smoke Loader then downloads and executes the Trickbot banking Trojan.


Figure 1: Smoke Loader attack progression

Indicators for the three samples analyzed (no timestamp is listed for the document):

  Sample 1
    SHA256:     cc38d9dcd4567e5c33e7a203cbec1ecac34e7330a8f4d8931a51be1518ffeb4d
    Type:       Doc file
    Size:       132 KB
    Timestamp:
    ITW names:  IO08784424.DOC

  Sample 2
    SHA256:     0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41
    Type:       PEEXE
    Size:       309 KB
    Timestamp:  9/27/2014 4:07:56 PM
    ITW names:  N/A

  Sample 3
    SHA256:     b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40
    Type:       PEEXE
    Size:       238 KB
    Timestamp:  3/6/2016 4:02:57 AM
    ITW names:  N/A

The attack begins with an attachment posing as an invoice from a legitimate private company. When the file is opened, the user is presented with an embedded image resembling an invoice and a warning alert:


Figure 2: Malicious document prompts user to enable macros, allowing it to begin operations

In fact, both the invoice and the warning are objects in the same (Read more...)
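As an added triage example (not code from the original post or from Cylance), the stand-alone Python script below checks whether a Word 97-2003 document like the .doc attachment above carries a VBA project, by walking the OLE2 compound-file directory with the standard library only. The stream and storage names it looks for (Macros, VBA, _VBA_PROJECT) are those of the Word binary format; the two documents it examines are constructed in memory as minimal OLE2 containers and are not the report's sample, and the build_ole/_dir_entry helpers exist only to produce them.

```python
"""Triage check for a Word 97-2003 (.doc) attachment: does the OLE2 compound
file carry a VBA project?  Standard library only, so it runs offline.
Added example, not Cylance's tooling.  MACRO_DOC and CLEAN_DOC are constructed
minimal OLE2 containers, NOT the IO08784424.DOC sample from the report."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5            # directory entry object types


def _sector(data, sector_size, n):
    return data[(n + 1) * sector_size:(n + 2) * sector_size]   # sector 0 follows the 512-byte header


def ole_directory(data):
    """Parse the OLE2 header, load the FAT and return the directory entries as dicts."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []                                 # header DIFAT lists the first 109 FAT sectors; enough for small files
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        if s == FREESECT:
            break
        sec = _sector(data, sector_size, s)
        fat.extend(struct.unpack("<%dI" % (len(sec) // 4), sec))
    raw, s, seen = b"", first_dir, set()
    while s != ENDOFCHAIN and s < len(fat) and s not in seen:   # bounds and cycle checks: samples are often malformed
        seen.add(s)
        raw += _sector(data, sector_size, s)
        s = fat[s]
    entries = []
    for off in range(0, len(raw) - 127, 128):
        e = raw[off:off + 128]
        name_len, etype = struct.unpack_from("<HB", e, 0x40)
        left, right, child = struct.unpack_from("<III", e, 0x44)
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")   # name_len includes the UTF-16 NUL
        entries.append({"name": name, "type": etype, "left": left, "right": right, "child": child})
    return entries


def ole_paths(entries):
    """Flatten the sibling/child tree into 'Macros/VBA/dir' style (path, type) pairs."""
    out, visited = [], set()

    def visit(idx, prefix):
        if idx >= len(entries) or idx in visited:   # NOSTREAM ends a branch; visited-set defeats cyclic trees
            return
        visited.add(idx)
        e = entries[idx]
        visit(e["left"], prefix)
        path = prefix + e["name"]
        out.append((path, e["type"]))
        if e["type"] == STORAGE:
            visit(e["child"], path + "/")
        visit(e["right"], prefix)

    if entries and entries[0]["type"] == ROOT:
        visit(entries[0]["child"], "")
    return out


def has_vba_project(data):
    """True if a storage named 'VBA' or a stream named '_VBA_PROJECT' exists anywhere in the tree."""
    for path, etype in ole_paths(ole_directory(data)):
        leaf = path.rsplit("/", 1)[-1]
        if (etype == STORAGE and leaf == "VBA") or (etype == STREAM and leaf == "_VBA_PROJECT"):
            return True
    return False


# --- constructed samples (not real malware) ----------------------------------
def _dir_entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 0x40, len(raw), etype, 1)         # name length, object type, colour (black)
    struct.pack_into("<III", e, 0x44, left, right, child)
    struct.pack_into("<I", e, 0x74, ENDOFCHAIN)                    # empty stream: no data sectors
    return bytes(e)


def build_ole(entries):
    """Minimal OLE2 file: 512-byte header, FAT in sector 0, one directory sector in sector 1."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)        # versions, byte order, 512-byte sectors, mini shift
    struct.pack_into("<IIII", hdr, 0x2C, 1, 1, 0, 0x1000)               # 1 FAT sector, dir at sector 1, txn sig, mini cutoff
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))        # DIFAT: the FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * 126
    return bytes(hdr) + struct.pack("<128I", *fat) + b"".join(entries).ljust(512, b"\x00")


MACRO_DOC = build_ole([_dir_entry("Root Entry", ROOT, child=1),       # Root -> Macros -> VBA -> _VBA_PROJECT
                       _dir_entry("Macros", STORAGE, child=2),
                       _dir_entry("VBA", STORAGE, child=3),
                       _dir_entry("_VBA_PROJECT", STREAM)])
CLEAN_DOC = build_ole([_dir_entry("Root Entry", ROOT, child=1),       # Root -> WordDocument only
                       _dir_entry("WordDocument", STREAM)])

if __name__ == "__main__":
    for label, doc in (("macro-bearing", MACRO_DOC), ("clean", CLEAN_DOC)):
        print(label, [p for p, _ in ole_paths(ole_directory(doc))], "VBA project:", has_vba_project(doc))
```

The check reports the presence of a VBA project, not its intent; a clean template with a harmless macro trips it too, so treat a hit as "needs a look", not a verdict. The bounds and cycle checks in the FAT walk and tree walk are deliberate: weaponized documents routinely carry corrupt sector chains or directory trees that crash naive parsers. Macro-enabled OOXML files (.docm, .xlsm) are ZIP archives whose vbaProject.bin is itself an OLE2 file and can be passed to has_vba_project after extraction.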

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Threat Research Team. Read the original post at: https://threatvector.cylance.com/en_us/home/threat-spotlight-resurgent-smoke-loader-malware-dissected.html