S0226 Smoke Loader
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has delivered a number of different payloads. It is notorious for its use of deception and self-protection, and it ships with several plug-ins. [1][2]
Item | Value |
---|---|
ID | S0226 |
Associated Names | Dofoil |
Type | MALWARE |
Version | 1.2 |
Created | 18 April 2018 |
Last Modified | 28 March 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Dofoil | [1][2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Smoke Loader uses HTTP for C2. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload. [1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Smoke Loader searches for credentials stored by web browsers. [3] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Smoke Loader deobfuscates its code. [3] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.). [3] |
enterprise | T1083 | File and Directory Discovery | Smoke Loader recursively searches through directories for files. [3] |
enterprise | T1105 | Ingress Tool Transfer | Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins. [1] |
enterprise | T1027 | Obfuscated Files or Information | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware. [1][3] |
enterprise | T1055 | Process Injection | Smoke Loader injects into the Internet Explorer process. [3] |
enterprise | T1055.012 | Process Hollowing | Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware. [1][2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Smoke Loader launches a scheduled task. [3] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | Smoke Loader searches for files named logins.json to parse for credentials. [3] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Smoke Loader scans running processes to perform anti-VM checks. [3] |
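The one-byte XOR obfuscation in the T1027 row is the kind of thing an analyst recovers by brute force rather than by reversing a routine. The following is an added example (an editor's illustration, not Smoke Loader's code and not taken from the cited reports): it XOR-encodes a placeholder URL with a made-up key byte, then recovers the key and plaintext by trying all 256 keys and ranking the outputs, using the HTTP C2 fact from the T1071.001 row as a crib. The sample URL, the key byte, the printable-ratio threshold and the scoring weights are all assumptions made here.

```python
"""Recover single-byte-XOR-obfuscated strings (ATT&CK T1027).

Added illustration, not Smoke Loader code. The sample blob below is
constructed here from a placeholder URL and a made-up key byte.
"""
import string

# Constructed sample: placeholder URL (not a real indicator) XORed with
# an arbitrary key byte, standing in for an obfuscated config value.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://c2.example.test/path"
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

# Bytes accepted as "looks like text": printable ASCII minus vertical tab
# and form feed, which almost never appear in config strings.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply the same one-byte XOR the malware uses; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def score_candidate(plaintext: bytes) -> float:
    """Rank a decode: mostly printable is good, a URL scheme separator is better.

    The '://' crib follows from the page's note that C2 runs over HTTP; for
    other string types substitute a crib that fits (e.g. b'.dll').
    """
    s = printable_ratio(plaintext)
    if b"://" in plaintext:
        s += 1.0
    return s


def brute_force_single_byte_xor(blob: bytes, min_printable: float = 0.9):
    """Try all 256 keys; return (key, plaintext, score) tuples, best first.

    Keys whose output falls below min_printable are dropped so the caller
    sees a short list instead of 256 rows of noise.
    """
    candidates = []
    for key in range(256):
        out = xor_single_byte(blob, key)
        if printable_ratio(out) < min_printable:
            continue
        candidates.append((key, out, score_candidate(out)))
    # Highest score first; tie-break on key so the order is deterministic.
    candidates.sort(key=lambda c: (-c[2], c[0]))
    return candidates


def recover_url(blob: bytes):
    """Return (key, url) for the best candidate containing '://', else None."""
    for key, out, _ in brute_force_single_byte_xor(blob):
        if b"://" in out:
            return key, out
    return None


if __name__ == "__main__":
    for key, out, sc in brute_force_single_byte_xor(SAMPLE_BLOB)[:5]:
        print(f"key=0x{key:02x} score={sc:.2f} {out!r}")
    print("recovered:", recover_url(SAMPLE_BLOB))
```

Note that key 0x00 (the blob unchanged) also passes the printable filter here, because XOR with a single key maps printable text to bytes that often remain printable; this is why a crib such as the scheme separator, and not printability alone, decides the ranking.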
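The persistence and hollowing rows above describe behaviours that a detection engineer would correlate per process rather than alert on singly, since a Run key or a Startup-folder script on its own is routine. The following is an added example, not a rule from MITRE or from the cited reports: it runs simple matchers for the Run key (T1547.001), the Startup-folder VBScript (T1059.005) and a SysWOW64 explorer.exe launched by an unexpected parent (T1055.012) over a constructed, Sysmon-shaped event list, then flags a process only when more than one technique fires. The event schema, the sample paths and the list of expected explorer.exe parents are assumptions made for the illustration.

```python
"""Correlate Smoke Loader-style host telemetry (T1547.001, T1059.005, T1055.012).

Added illustration, not a vendor detection rule. EVENTS is a constructed,
Sysmon-shaped sample; the field names and the parent-process heuristic are
assumptions made here, not behaviour documented on the page.
"""
from collections import defaultdict

# Constructed sample telemetry: one benign logon chain (pid 2200) and one
# process (pid 4120) doing the three things the page attributes to Smoke Loader.
EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"},
    {"type": "process_create", "pid": 2200,
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "file_create", "pid": 2200,
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Matched case-insensitively against lower-cased paths.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
HOLLOW_TARGET = r"c:\windows\syswow64\explorer.exe"
# Assumption: a 32-bit explorer.exe is normally started only by the shell or
# the logon chain; any other parent is worth a look as a hollowing target.
EXPECTED_EXPLORER_PARENTS = ("explorer.exe", "userinit.exe", "winlogon.exe")


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict):
    """Return (technique_id, reason) if the event matches a rule, else None."""
    kind = event["type"]
    if kind == "registry_set" and RUN_KEY in event["key"].lower():
        return "T1547.001", f"Run key set: {event['key']} -> {event['value']}"
    if kind == "file_create":
        path = event["path"].lower()
        if STARTUP_DIR in path and path.endswith(".vbs"):
            return "T1059.005", f"VBScript dropped in Startup folder: {event['path']}"
    if kind == "process_create":
        unexpected_parent = basename(event["parent_image"]) not in EXPECTED_EXPLORER_PARENTS
        if event["image"].lower() == HOLLOW_TARGET and unexpected_parent:
            return "T1055.012", f"SysWOW64 explorer.exe spawned by {event['parent_image']}"
    return None


def detect(events):
    """Map pid -> list of (technique_id, reason) for every matching event."""
    hits = defaultdict(list)
    for ev in events:
        match = classify(ev)
        if match:
            hits[ev["pid"]].append(match)
    return dict(hits)


def suspicious_pids(events, min_distinct_techniques: int = 2):
    """Pids that triggered at least N distinct techniques.

    Single hits are noisy (legitimate installers set Run keys too); the
    combination of persistence plus a hollowed explorer.exe is the signal.
    """
    return {pid for pid, found in detect(events).items()
            if len({tid for tid, _ in found}) >= min_distinct_techniques}


if __name__ == "__main__":
    for pid, found in detect(EVENTS).items():
        for tid, reason in found:
            print(f"pid {pid}: {tid} {reason}")
    print("suspicious:", suspicious_pids(EVENTS))
```

The per-pid correlation is the point: each matcher on its own would fire on ordinary software, and the threshold is the knob to tune against the environment's baseline.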
References
1. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
2. Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.
3. Baker, B., Unterbrink, H. (2018, July 3). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.