Smoke Loader

Smoke Loader is a small application used to download other malware. It is often distributed via spam campaigns and exploit kits. When Smoke Loader is installed, it replaces itself with a recent update from its C2 server to make detection more difficult. The trojan also evades detection by changing the timestamp of its executable to prevent the malware from being located by searching recently modified files. Access to the file is also blocked, preventing reading or writing operations. To make analysis more difficult, the trojan creates redundant traffic when communicating with its C2 server and sends requests to legitimate domains. Additionally, the traffic is partially encrypted.

Reporting

November 2017: Resume-themed malspam pushing Smoke Loader. (SANS ISC)
January 2018: Fake Spectre and Meltdown patch pushes Smoke Loader malware. (Malwarebytes)
March 2018: A backdoored Russian-based BitTorrent client, MediaGet, attempted to infect 400,000 mostly Russian and Turkish users in a 12-hour period with the Smoke Loader trojan. The trojan would then attempt to install a Monero cryptocurrency miner. (Microsoft)
July 2018: Smoke Loader is using the PROPagate injection technique in its campaigns. In recent campaigns, the initial infection vector was an email with a malicious Microsoft Word document attached. After the user opened the attachment and enabled macros, a malware-downloading chain initiated, leading to the Smoke Loader infection and its plugins. (Cisco Talos)

Technical Details

Malwarebytes provides in-depth technical analysis on Smoke Loader here.

Infection chain for November 2017 spam campaign to distribute Smoke Loader. Image Source: SANS ISC.

Trojan VariantsNJCCICJanuary 22, 2018smoke, loader, smokeloader