SmokeLoader

Smoke Loader, sometimes also called Dofoil, is a modular malware which is mainly utilized to download other viruses to infected machines. Despite its loader nature, Smoke Loader bot can be equipped with a variety of malicious functions. Most of these functions are targeted at stealing sensitive data from the victims.

  • Type
    Loader
  • Origin
    ex-USSR territory
  • First seen
    30 August, 2011
  • Last seen
    21 November, 2019
  • Also known as
    Dofoil
  • Global rank
    18
  • Week rank
    21
  • Month rank
    20
  • IOCs
    2202

What is Smoke Loader?


Smoke Loader was first observed in the wild in 2011, when it was offered for sale on the underground forums grabberz.com and xaker.name by a member using the handle SmokeLdr. The functionality of the malware varies from one attack to the next and depends on the modules the attackers choose.

Despite its age, Smoke Loader remains an active threat to this day; it has been distributed through the RIG exploit kit (RigEK) and malspam campaigns in particular. Note that since March 2014 Smoke Loader has been sold only to Russian-speaking attackers.

General description of Smoke Loader

The core functions of Smoke Loader are: loading up to ten executable files and running them, geo-targeting victims so that attacks can be directed at specific countries, loading files from URLs, mimicking legitimate processes, and reporting detailed install and launch statistics back to the operator.

Optional modules extend Smoke Loader with information-stealing functions. With them, Dofoil can grab passwords from widely used mail clients, FTP clients and programs such as TeamViewer and send the data to the C2 server.

Smoke Loader has been evolving over the years. According to research by a cybersecurity professional, a late 2018 sample included an array of anti-debugging techniques far more complex than anything present in the early iterations of the malware. For instance, the 2018 version checks whether it is being launched in a virtual environment, and it discovers and immediately kills analysis tools running on the machine. Together, these features make analysis of Dofoil considerably harder. Dofoil also relies heavily on process hollowing, mostly targeting explorer.exe.

What’s more, while much malware in the wild has to iterate through the process list to find its injection target, a behavior that sandboxes and researchers can spot, Smoke Loader avoids that enumeration: it calls the Windows API GetShellWindow to obtain the handle of the shell’s desktop window and then GetWindowThreadProcessId on that handle to obtain the process ID of explorer.exe.
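The two-call lookup described above, shown side by side with the noisier process walk it replaces. This is an added example written for this page, not Smoke Loader's code and not code from the original article; the P/Invoke declarations are the documented user32.dll signatures, and the function names are ours.

```powershell
# Added example: resolve the PID of the process that owns the shell's desktop window
# (the technique the text attributes to Smoke Loader) and compare it with the usual
# "walk the whole process list" route. Run in an interactive desktop session.

if (-not ('Win32.Shell' -as [type])) {
    Add-Type -Namespace Win32 -Name Shell -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetShellWindow();

[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@
}

function Get-ShellOwnerProcessId {
    # GetShellWindow returns the handle of the shell's desktop window; in a normal
    # interactive session that window belongs to explorer.exe. It returns NULL when no
    # shell is running (session 0, or explorer.exe was killed), so the caller has to
    # handle that instead of blindly targeting PID 0.
    $hwnd = [Win32.Shell]::GetShellWindow()
    if ($hwnd -eq [IntPtr]::Zero) { return $null }

    [uint32]$ownerPid = 0
    $threadId = [Win32.Shell]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    if ($threadId -eq 0) { return $null }   # invalid window handle
    return $ownerPid
}

function Get-ExplorerProcessIdsByEnumeration {
    # The loud alternative: snapshot every process and match on the image name.
    # Get-Process does the same kind of walk a loader performs with
    # CreateToolhelp32Snapshot/Process32Next, which is exactly what a sandbox logs.
    @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
}

$shellPid = Get-ShellOwnerProcessId
$enumPids = Get-ExplorerProcessIdsByEnumeration

"Owner of the shell window     : $shellPid"
"explorer.exe PIDs by walking  : $($enumPids -join ', ')"

if ($null -eq $shellPid) {
    "No shell window in this session: the GetShellWindow route fails closed, enumeration would not."
} elseif ($enumPids -contains $shellPid) {
    $proc = Get-Process -Id $shellPid
    "Both routes agree: PID $shellPid is $($proc.ProcessName).exe, found with two API calls and no process walk."
}
```

On the detection side this is also why the technique is worth knowing: a freshly started, non-shell process that calls GetShellWindow and then opens a handle to the returned PID for writing is a much narrower pattern than generic process enumeration, and it is what a hollowing loader of this kind looks like in an API trace.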

To further confuse researchers, every Smoke Loader function contains junk instructions. Library names are encrypted with a hardcoded key. Instructions are not laid out in a straightforward sequence; they are interleaved with jump instructions, and most of this code only reroutes the program flow to create confusion when Dofoil is debugged.

Malware analysis of Smoke Loader

A video recorded in the ANY.RUN malware hunting service displays the execution process of Smoke Loader. It allows analysts to examine the malware in a convenient and safe environment.

Figure 1: The graph of processes generated by the ANY.RUN malware analysis service

Figure 2: Even more information about the execution of the malware can be found in the customizable text reports generated by ANY.RUN

Smoke Loader execution process

So, how does Smoke Loader work? Because malicious spam campaigns are the most common attack vector, Smoke Loader mostly reaches devices inside Microsoft Office files. Once the user downloads and opens the malicious file, the malware is dropped onto the machine from it.

After that, Smoke Loader injects its code into a system process, typically explorer.exe. The injected process then carries out the main malicious activity.

Distribution of Smoke Loader

The Smoke Loader virus makes its way onto machines as a malicious Microsoft Word attachment, initially delivered in spam email campaigns. Attackers use social engineering to trick potential victims into downloading the attached file and enabling macros.

This makes infection prevention fairly simple. Users are advised to avoid downloading files from suspicious emails, to keep macros disabled, and never to enable them when prompted by a downloaded file.

How Smoke Loader communicates with C&C

Smoke Loader tries to hide its C&C traffic by mixing frequent requests to legitimate websites, such as Microsoft.com and Adobe.com, in with its C&C communication. Although most of the C&C requests are answered with HTTP 404, the response bodies still carry data.
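A triage heuristic for the traffic pattern described above, as an added example that is not from the original page: it groups a sandbox or proxy log by process, picks out hosts that keep answering POSTs with HTTP 404 plus a body, and lists the legitimate hosts the same process contacted so that decoy traffic is not mistaken for a clean bill of health. The log lines are constructed (the C2 host is taken from this page's IOC list); the column layout and the use of Content-Type to tell a real HTML 404 page from a non-HTML body are assumptions to adapt to your own export format.

```powershell
# Added example: spot C2 beacons hidden among decoy requests. Constructed log lines;
# assumed layout: time pid method host path status content-type body-bytes.
$constructedLog = @'
10:01:02 5336 GET  www.microsoft.com   /            200 text/html                48211
10:01:03 5336 GET  www.adobe.com       /            200 text/html                67120
10:01:04 5336 POST owenewturk.ru       /            404 text/html                1168
10:01:09 5336 GET  www.microsoft.com   /favicon.ico 200 image/x-icon             1150
10:01:10 5336 POST owenewturk.ru       /            404 application/octet-stream 3072
10:01:15 5336 POST owenewturk.ru       /            404 text/html                2096
10:02:00 2210 GET  update.videolan.org /vlc/status  404 text/html                169
'@

function ConvertFrom-ProxyLine {
    param([string]$Line)
    $f = $Line -split '\s+'
    [pscustomobject]@{
        Time = $f[0]; ProcessId = [int]$f[1]; Method = $f[2]; Host = $f[3]
        Path = $f[4]; Status = [int]$f[5]; ContentType = $f[6]; Bytes = [int]$f[7]
    }
}

function Find-Masked404Beacons {
    param([object[]]$Records, [int]$MinPostCount = 2)
    # Group by process: the decoy requests and the real beacons come from the same process,
    # so the decoys are context for the finding, not evidence against it.
    $Records | Group-Object ProcessId | ForEach-Object {
        $procId = $_.Name
        $recs   = $_.Group
        # Beacon candidates: POSTs that keep getting a 404 with a body from the same host.
        $posts = $recs | Where-Object { $_.Method -eq 'POST' -and $_.Status -eq 404 -and $_.Bytes -gt 0 }
        foreach ($g in ($posts | Group-Object Host)) {
            if ($g.Count -lt $MinPostCount) { continue }
            # A genuine "not found" page is HTML; a 404 carrying something else is the
            # "data in the response body" case the text describes (heuristic, assumption).
            $nonHtml = @($g.Group | Where-Object { $_.ContentType -notlike 'text/html*' })
            $decoys  = @($recs | Where-Object { $_.Host -ne $g.Name -and $_.Status -eq 200 } |
                         Select-Object -ExpandProperty Host -Unique)
            [pscustomobject]@{
                ProcessId        = $procId
                C2Candidate      = $g.Name
                Posts404         = $g.Count
                NonHtml404Bodies = $nonHtml.Count
                DecoyHosts       = ($decoys -join ', ')
            }
        }
    }
}

$records = $constructedLog -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-ProxyLine $_ }
Find-Masked404Beacons -Records $records | Format-List
```

On the constructed input this reports one candidate for PID 5336 (owenewturk.ru, three 404 POSTs, one with a non-HTML body) and lists www.microsoft.com and www.adobe.com as the decoys; the single 404 from PID 2210 falls below the threshold and is not reported.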

How to detect Smoke Loader using ANY.RUN?

Since Smoke Loader almost always infects systems through similar attack vectors, it can be identified by its execution process. After the executable containing Smoke Loader has been delivered to the system and launched, it injects its code into a system process such as "explorer.exe".

This means that if a new "explorer.exe" process appears some time after the sample is executed, it is worth looking into. To do so, click on the process in the "Process list" section and, in the "Process details" window that appears, click the "More info" button. If in the events section you see that the previously injected "explorer.exe" created a file named "tesrdgeh.exe", it is a clear indication that you are dealing with Smoke Loader.
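The detection described in the execution-process and detection paragraphs above (a sample process spawning a fresh explorer.exe, which then drops an executable), expressed as correlation logic over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. This is an added example, not ANY.RUN's or Smoke Loader's code; the event records are constructed, the property names follow Sysmon's field names, and the list of parents that legitimately start explorer.exe (userinit.exe, winlogon.exe, explorer.exe) is an assumption about a default Windows desktop session.

```powershell
# Added example: flag an explorer.exe that was started by an unexpected parent and then
# wrote an executable. Records are constructed; property names mirror Sysmon's fields.
$constructedEvents = @(
    [pscustomobject]@{ Id = 1;  ProcessId = 4012; Image = 'C:\Windows\explorer.exe'
                       ParentProcessId = 896;  ParentImage = 'C:\Windows\System32\userinit.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 1;  ProcessId = 5120; Image = 'C:\Users\user\Desktop\invoice.exe'
                       ParentProcessId = 4012; ParentImage = 'C:\Windows\explorer.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 1;  ProcessId = 5336; Image = 'C:\Windows\explorer.exe'
                       ParentProcessId = 5120; ParentImage = 'C:\Users\user\Desktop\invoice.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 11; ProcessId = 5336; Image = 'C:\Windows\explorer.exe'
                       ParentProcessId = $null; ParentImage = $null; TargetFilename = 'C:\Users\user\AppData\Roaming\tesrdgeh.exe' }
    [pscustomobject]@{ Id = 11; ProcessId = 4012; Image = 'C:\Windows\explorer.exe'
                       ParentProcessId = $null; ParentImage = $null; TargetFilename = 'C:\Users\user\Documents\report.docx' }
)

function Find-HollowedExplorer {
    param([Parameter(Mandatory)][object[]]$Events)

    # Parents that legitimately start explorer.exe: the logon sequence, or Explorer itself
    # ("launch folder windows in a separate process"). Anything else deserves a look.
    $expectedParents = @('userinit.exe', 'winlogon.exe', 'explorer.exe')

    # Stage 1: explorer.exe instances with an unexpected parent, keyed by PID.
    $suspects = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -eq 1 })) {
        if ([IO.Path]::GetFileName($e.Image) -ne 'explorer.exe') { continue }
        $parentName = [IO.Path]::GetFileName($e.ParentImage)
        if ($expectedParents -notcontains $parentName) {
            $suspects[$e.ProcessId] = "explorer.exe (PID $($e.ProcessId)) started by $($e.ParentImage) (PID $($e.ParentProcessId))"
        }
    }

    # Stage 2: a suspect explorer.exe writing an executable is the indicator the text
    # describes (tesrdgeh.exe in the analysed sample; the name is treated as incidental).
    $findings = @()
    foreach ($e in ($Events | Where-Object { $_.Id -eq 11 })) {
        if ($suspects.ContainsKey($e.ProcessId) -and $e.TargetFilename -match '\.(exe|dll)$') {
            $findings += [pscustomobject]@{
                ProcessId = $e.ProcessId
                Reason    = $suspects[$e.ProcessId]
                Dropped   = $e.TargetFilename
            }
        }
    }
    return $findings
}

# Optional: feed real Sysmon events instead of the constructed ones (needs an elevated shell).
function Get-SysmonEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id = $_.Id; ProcessId = [int]$d['ProcessId']; Image = $d['Image']
                ParentProcessId = if ($d['ParentProcessId']) { [int]$d['ParentProcessId'] } else { $null }
                ParentImage = $d['ParentImage']; TargetFilename = $d['TargetFilename']
            }
        }
}

Find-HollowedExplorer -Events $constructedEvents | Format-List
```

On the constructed records the first explorer.exe (PID 4012, started by userinit.exe, writing a .docx) is left alone, while PID 5336, started by the sample invoice.exe and writing tesrdgeh.exe, is reported. Replace `$constructedEvents` with `Get-SysmonEvents` to run the same correlation over a live Sysmon log.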

Figure 3: The injected explorer.exe created the file tesrdgeh.exe

Summary

Despite being rather old, the Dofoil virus is only gaining popularity. Since it first surfaced in 2011, the malware has remained a highly active and elusive threat, not least because of its advanced anti-analysis and evasion functions. Besides acting as a loader that installs potentially more dangerous malware, Smoke Loader itself can be used to pull sensitive information from infected machines and to conduct destructive malicious campaigns.

Fortunately, advanced malware hunting services such as ANY.RUN allow analysts to bypass some of the anti-analysis tricks implemented by the Smoke Loader creators and to analyze this virus successfully.

IOCs

IP addresses
2.21.38.54
195.22.26.248
184.168.221.40
88.191.250.2
185.222.202.235
192.64.119.112
198.54.117.197
43.225.55.107
162.255.119.193
50.63.202.43
104.100.93.9
23.45.111.85
63.239.233.84
194.15.36.70
8.209.74.136
192.64.119.254
47.254.237.6
209.99.40.222
162.255.119.6
Hashes

No hashes found

Domains
owenewturk.ru
www.fatlinesites.com
e13678.dscg.akamaiedge.net
cssrvsync.com
www.halong.asia
www.integrationninja.com
www.votejackhoward.info
lenaedesign.com
majul.com
t7758057.vps18tiny.u.avcdn.net
static.sharepointonline.com
app-perspectives-api.bcg.com
isns.net
msedge.f.tlu.dl.delivery.mp.microsoft.com
elx01.knas.systems
update.videolan.org
blogserv279.club
dsmail94x.xyz
blogserv27.com
macappstore.blognet.ninja
