Smoke Loader

Smoke Loader is a small application used to download other malware. It is often distributed via spam campaigns and exploit kits. When Smoke Loader is installed, it replaces itself with a recent update from its C2 server to make detection more difficult. The trojan also evades detection by changing the timestamp of its executable to prevent the malware from being located by searching recently modified files. Access to the file is also blocked, preventing reading or writing operations. To make analysis more difficult, the trojan creates redundant traffic when communicating with its C2 server and sends requests to legitimate domains. Additionally, the traffic is partially encrypted.

Reporting

  • November 2017: Resume-themed malspam pushing Smoke Loader. (SANS ISC)
  • January 2018: Fake Spectre and Meltdown patch pushes Smoke Loader malware. (Malwarebytes)
  • March 2018: A backdoored Russian-based BitTorrent client, MediaGet, attempted to infect 400,000 mostly Russian and Turkish users in a 12-hour period with the Smoke Loader trojan. The trojan would then attempt to install a Monero cryptocurrency miner. (Microsoft)

Technical Details

  • Malwarebytes provides in-depth technical analysis on Smoke Loader here.