Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis

Sample Analyzed: 415a75cd01a4b00385c974b59bbbd3e5211a985bf2560d7639d464fd5a56e9e6

Smoke Loader, also known as Dofoil, has been advertised on dark web forums since at least mid-2011. Since its initial release, this modular loader has continued to evolve with the addition of more complex anti-analysis techniques. Modular loaders such as this one work by communicating with command-and-control (C2) infrastructure to receive secondary execution instructions and/or to download additional functional modules, providing multiple stages of infection. Currently, Smoke Loader's primary delivery method is exploit kits, primarily Rig EK. Smoke Loader is commonly used to load the Trickbot banking Trojan and Globe Imposter ransomware.