Smoke Loader

The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions.

Type: Loader
Origin: ex-USSR territory
First seen: 30 August, 2011
Last seen: 5 October, 2022
Also known as: Dofoil
Global rank: 26
Week rank: 5
Month rank: 6
IOCs: 50883

What is Smoke Loader?

Smoke Loader, sometimes also called Dofoil, is modular malware mainly used to download other malware onto infected machines. Despite its loader nature, the Smoke Loader bot can be equipped with a variety of malicious functions, most of which are aimed at stealing sensitive data from victims.

Smoke Loader was first observed in the wild in 2011. It was seen being sold on the underground portals grabberz[.]com and xaker[.]name by a member named SmokeLdr. The malware's functionality varies from one attack to another and depends on the modules the attackers choose.

Despite its age, Smoke Loader continues to be an active threat to this day. In particular, this malware has been featured in RigEK and MalSpam campaigns. It should be noted that since March 2014, Smoke Loader has been sold only to Russian-speaking attackers.

General description of Smoke Loader

The main functions of Smoke Loader include loading up to ten executable files and running them, geo-targeting victims to direct attacks at specific countries, loading files via URLs, mimicking legitimate processes, and providing detailed statistics on installs and launches.

Two optional modules allow Smoke Loader to expand its feature set with information-stealing functions. They let Dofoil grab passwords from widely used mail clients, FTP clients, and programs such as TeamViewer. The malware then sends the collected data to the attacker's C2.

The Smoke Loader virus has been evolving over the years. According to research by a cybersecurity professional, a late 2018 sample included an array of anti-debugging techniques far more complex than anything present in the early iterations of the malware. For instance, the 2018 Smoke Loader version checks whether it is being launched in a virtual environment. It also discovers and immediately kills any analysis tools running on the machine. Together, these features make analysis of the Dofoil malware highly complicated. Dofoil also relies heavily on the process hollowing technique, targeting mostly Explorer.exe.

What's more, while a lot of malware in the wild needs to iterate through a list of processes to find its injection target, which gives researchers a chance to spot it, Smoke Loader avoids this behavior and stays hidden: it calls the Windows API GetShellWindow to obtain the shell's desktop window and then invokes GetWindowThreadProcessId to obtain the process ID of Explorer.exe.

To further confuse security researchers, all Smoke Loader functions contain pointless instructions. At the same time, library names are encrypted with a hardcoded key. Instructions are not laid out in a standard way; instead, they are interleaved with jump instructions. Most of this code reroutes the program flow to create confusion when Dofoil is debugged.

Malware analysis of Smoke Loader

A video recorded in the ANY.RUN malware hunting service displays the execution process of Smoke Loader, allowing the malware to be examined in a convenient and safe environment.


Figure 1: Displays the graph of processes generated by the ANY.RUN malware analyzing service


Figure 2: Even more information about the execution of malware can be found in customizable text reports generated by ANY.RUN

Smoke Loader execution process

So, how does Smoke Loader work? Because the most common attack vector for infecting users' devices is malicious spam campaigns, the Smoke Loader trojan mostly gets onto devices via Microsoft Office files. Once the user downloads and opens the malicious file, the malware is dropped onto the machine from it.

After that, SmokeLoader injects malicious code into system processes such as explorer.exe. The injected process then starts the main malicious activity.

Distribution of Smoke Loader

The Smoke Loader virus makes its way onto machines as a malicious Microsoft Word attachment. It is initially delivered to users in spam email campaigns. Attackers use social engineering to trick potential victims into downloading the attached file and enabling macros; the same scenario is used by Ave Maria and Revenge.

This makes infection prevention fairly simple. Users are advised to avoid downloading files from suspicious emails and to keep macros disabled, and especially never to enable them when prompted by a downloaded file.

How does Smoke Loader communicate with C&C?

Smoke Loader malware tries to hide its malicious nature by mixing infrequent requests to legitimate websites into its C&C communication. The virus connects to websites such as Microsoft.com and Adobe.com. Although the C&C server mostly answers its requests with HTTP 404, the response body still carries data.

How to detect Smoke Loader using ANY.RUN?

Since SmokeLoader almost always infects systems using similar attack vectors, it can be identified by its execution process. After the executable file containing Smoke Loader has been delivered to the system and launched, it injects its code into a system process such as "explorer.exe."

This means that if an "explorer.exe" process appears some time after the execution of a sample, it is time to look into it. To do so, click on the process in the "Process list" section, and in the "Process details" window that appears click the "More info" button. If in the events section you see that the previously injected "explorer.exe" creates a file named "tesrdgeh.exe," it is a clear indication that you are dealing with the Smoke Loader trojan.
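The two behavioral tells described on this page, the injected explorer.exe writing "tesrdgeh.exe" and C&C traffic hidden behind HTTP 404 responses that still carry a body, can be turned into a simple triage rule. The following is an added example, not ANY.RUN's code; the event format and the sample events are constructed, and the "non-HTML body on a 404" heuristic is an assumption that a real 404 page is normally served as text/html.

```python
# Added example (not ANY.RUN's code). Triage a constructed, simplified sandbox event
# stream for the Smoke Loader indicators described on this page.

# Constructed sample events: the dropped sample spawns/injects explorer.exe (pid 2000),
# which then writes the payload and beacons. A benign explorer.exe (pid 3000) and
# ordinary 404 pages from legitimate hosts are included as negative cases.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 600, "image": "C:\\Users\\u\\sample.exe"},
    {"type": "process", "pid": 2000, "ppid": 1000, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 3000, "ppid": 500, "image": "C:\\Windows\\explorer.exe"},
    {"type": "file", "pid": 2000, "path": "C:\\Users\\u\\AppData\\Roaming\\tesrdgeh.exe"},
    {"type": "file", "pid": 3000, "path": "C:\\Users\\u\\Desktop\\notes.txt"},
    {"type": "http", "pid": 2000, "host": "microsoft.com", "status": 404,
     "content_type": "text/html", "body_len": 1200},
    {"type": "http", "pid": 2000, "host": "c2.example.invalid", "status": 404,
     "content_type": "application/octet-stream", "body_len": 1460},
    {"type": "http", "pid": 3000, "host": "adobe.com", "status": 404,
     "content_type": "text/html", "body_len": 900},
]


def find_payload_drops(events, payload_name="tesrdgeh.exe"):
    """(pid, path) for every file named payload_name written by an explorer.exe process."""
    explorer_pids = {e["pid"] for e in events
                     if e["type"] == "process" and e["image"].lower().endswith("\\explorer.exe")}
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file" and e["pid"] in explorer_pids
            and e["path"].lower().endswith("\\" + payload_name)]


def find_suspicious_404s(events):
    """(pid, host) for 404 responses that carry a body that is not an HTML error page.
    Assumption: a genuine 404 from a web server is served as text/html."""
    return [(e["pid"], e["host"]) for e in events
            if e["type"] == "http" and e["status"] == 404 and e["body_len"] > 0
            and e.get("content_type", "") != "text/html"]


def triage(events):
    """Combine both indicators into a verdict an analyst can act on."""
    drops, beacons = find_payload_drops(events), find_suspicious_404s(events)
    if drops and beacons:
        verdict = "smokeloader-like"
    elif drops or beacons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "payload_drops": drops, "suspicious_404s": beacons}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The payload-name match is specific to the sample discussed here; on other samples, pair it with the parent-process check (an explorer.exe whose parent is the dropped sample rather than the normal shell launcher).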

Figure 3: Injected explorer.exe created file tesrdgeh.exe

Summary

Despite being rather old, the Dofoil virus is only gaining popularity. Since it first surfaced in 2011, the malware has remained a highly active and elusive threat, not least due to its advanced evasion functions, in addition to being used as a loader that installs potentially more dangerous malware.

What's more, Smoke Loader itself can be used to pull sensitive information from infected machines and conduct destructive, malicious campaigns.

Thankfully, advanced malware hunting services such as ANY.RUN allow us to bypass some of the evasion tricks implemented by the Smoke Loader creators and successfully analyze this virus.

IOCs

