IntroductionSmoke (a.k.a. SmokeLoader or Dofoil) is a malware loader that has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads including various trojans, ransomware, and information stealers. In addition, Smoke can deploy its own custom plugins that extend its functionality including mining cryptocurrency, harvesting credentials, and hijacking web browser data. Smoke is sold as a crimeware kit that enables a threat actor to easily set up and launch attacks. There are numerous versions of the kit that have had the server-side panel code leaked alongside cracked builders. This has led to a significant increase in the number of threat groups that leverage Smoke for malware distribution. Recently, Zscaler ThreatLabz has observed multiple malware families delivered through Smoke including Raspberry Robin, Stealc, and Stop ransomware.In May 2024, Zscaler ThreatLabz’s technical analysis of Smoke malware supported an international law enforcement operation known as Endgame. This is the first major joint operation between law enforcement and private industry in Smoke’s existence.In this blog, we analyze Smoke persistence mechanisms and communications, and examine how Operation Endgame dismantled its infrastructure and remotely cleaned up Smoke infections.Key TakeawaysIn May 2024, Zscaler ThreatLabz’s technical analysis of Smoke assisted an international law enforcement operation known as Endgame to take over Smoke’s infrastructure and remotely uninstall the malware (when possible).Smoke is a malware downloader that originated in 2011 that is designed to deliver second stage malware payloads that include information stealers and ransomware.Smoke can deploy additional plugins that can be used to extend the malware’s functionality.Smoke has undergone extensive evolution over the years with numerous techniques to obfuscate its code and impede automated analysis.Despite being more than a decade old, Smoke typically receives updates every one to two years.Technical AnalysisNumerous versions of Smoke have been released over the last decade. Our analysis will cover the last five versions of Smoke: 2017, 2018, 2019, 2020, and 2022. These version numbers roughly correspond to the year when the update was first observed. While Smoke uses a multi-stage loading process, our technical analysis will focus only on the main component of Smoke that performs the malicious functionality. There are three important parts that we will specifically analyze, which are relevant to Operation Endgame: installation, communication, and the uninstall command. InstallationThe installation process has slightly varied between Smoke versions. However, there are some commonalities that are shared across all versions. For example, Smoke generates a unique bot identifier that uses the same algorithm for all versions. Python code that replicates the bot ID generation algorithm is shown below:import hashlib
bot_id = hashlib.md5(computername + hardcoded_constant + volume_serial).hexdigest().upper() + volume_serial.decode().upper()This bot ID value is used for a variety of purposes including the malware’s mutex name, executable filename, plugins’ filename, scheduled task name, etc. For example, Smoke version 2020 and 2022 use the code replicated below in Python to create the executable filename:offset = 30
filename_len = 7
filename = ""
for i in range(filename_len):
filename += chr(ord(bot_id[i+offset]) - ord('0') + ord('a'))
print("executable filename:", filename)All versions of Smoke try to hide the executable file and plugins by setting the file attributes to SYSTEM and HIDDEN.Table 1 below shows how the Smoke installation process has changed over time. Smoke 2017Smoke 2018Smoke 2019Smoke 2020Smoke 2022Default installation location%APPDATA%\Microsoft\Windows%APPDATA%\Microsoft\Windows%APPDATA%%APPDATA%%APPDATA%Creates an installation directoryYesYesNoNoNoExecutable filename length88777Scheduled task nameN/AOpera scheduled Autoupdate %uNvNgxUpdateCheckDaily_{%08X-%04X-%04X-%04X-%08X%04X}Firefox Default Browser Agent %hsFirefox Default Browser Agent %hsOther persistence mechanismsRegistry value / LNK shortcut in startup folderLNK shortcut in startup folderN/AN/AN/ATable 1: Comparison of Smoke installation techniques between versions.Smoke versions 2017 and 2018 also create a directory to store the executable and plugins.Network communicationAll versions of Smoke since 2017 have a very similar network communication and packet structure. Network communications utilize HTTP POST requests to one or more hardcoded command-and-control (C2) servers. The HTTP POST body includes a packet structure that is encrypted using a hardcoded RC4 key.The check in request (command 10001) contains the following information for Smoke versions 2020 and 2022 as shown in Figure 1: Figure 1: Smoke C2 request format (prior to encryption)Versions 2017, 2018, and 2019 contain the same request format except the computer name field (highlighted in blue) is not present. The first four bytes of the response are the size of the packet. The remaining response data is encrypted with a separate hardcoded RC4 key. The first two-byte value (when decrypted) is the Smoke version number (in little endian). The following bytes are then used to determine whether there are tasks or commands to execute. If the byte following the version number is 0x69, 0x72, or 0x75, Smoke interprets the value as one of the following commands:ByteCommandDescription0x69iPersonal task0x72rUninstall0x75uUpdateTable 2: Commands implemented by SmokeOtherwise, the value is interpreted as the number of tasks to execute. The next section will provide insight into the operation of the uninstall command.Remote cleanupSmoke’s uninstall command performs the following actions: Terminates each Smoke plugin’s process Closes Smoke’s open handles Deletes the Smoke executable, plugins file, and scheduled task Erases and frees memory Terminates SmokeIn older versions of Smoke, including 2017 and 2018, there are artifacts left on the disk. In particular, the installation directory created by Smoke is not deleted, while Smoke version 2017 does not delete the registry value that was created for persistence. For newer versions, Windows specific forensic artifacts such as Amcache entries can be used to determine that a system was infected by Smoke. Furthermore, it is still possible to identify a system that was infected and cleaned up (via memory forensics), following the completion of the uninstall command. Note that the uninstall command does not free or unmap the section of memory allocated in explorer.exe that contains Smoke’s code. ConclusionOperation Endgame was the first major international law enforcement disruption of Smoke in over a decade. This will have an impact on the overall threat ecosystem, but will likely not be the end of Smoke. Zscaler will continue to work with industry partners, regional CERTs, and law enforcement agencies around the globe to protect our customers and ensure a more secure internet.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Smoke at various levels with the following threat names:Win32.Backdoor.SmokeloaderIndicators Of Compromise (IOCs)IndicatorsDescriptionakmedia[.]inSmoke C2 domainbethesdaserukam[.]orgSmoke C2 domaingalandskiyher5[.]comSmoke C2 domaingxutc2c[.]comSmoke C2 domainhost-file-host6[.]comSmoke C2 domainhost-host-file8[.]comSmoke C2 domainhumman[.]artSmoke C2 domainkkudndkwatnfevcaqeefytqnh[.]topSmoke C2 domainnidoe[.]orgSmoke C2 domainnuljjjnuli[.]orgSmoke C2 domainservermlogs27[.]xyzSmoke C2 domaintrad-einmyus[.]comSmoke C2 domaintrybobry[.]com[.]uaSmoke C2 domainuohhunkmnfhbimtagizqgwpmv[.]toSmoke C2 domainvacantion18ffeu[.]ccSmoke C2 domainwhxzqkbbtzvdyxdeseoiyujzs[.]coSmoke C2 domain
↧