Recently experts from Talos security spotted a malware campaign leveraging Smoke Loader to steal credentials from a broad range of applications.

Security experts have discovered a new malware campaign leveraging Smoke Loader to steal credentials from web browsers, email clients, and other popular applications.

The attack chain starts with messages using a weaponized Word document as an attachment, the hackers attempt to trick victims into opening it and enable the embedded macro.

Once executed, the macro downloads the TrickBot banking Trojan that in this campaign is used to fetch the Smoke Loader backdoor.

Smoke Loader is a tiny dropper used to install on the infected system other malware families, but in this specific campaign, the experts observed an inversion of roles, with TrickBot that downloads it.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader.” reads the analysis published by Talos.

“This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,”

While malware frequently iterates through process lists to find a process to inject, this new backdoor variant calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe.

The malware also uses the PROPagate technique to inject code into Explorer, the same technique recently implemented by RIG Exploit Kit operators to deliver cryptocurrency miners.

The malware also implements several anti-analysis techniques, along with anti-debugging and anti-VM checks and the analysis of threads associated with the scanning for processes and windows belonging to analysis tools.

The Smoke Loader variant used in this campaign was receiving five plugins, each of them was executed in its own Explorer.exe process.

The plugins were designed to steal sensitive information from the infected machine and stored credentials and sensitive information managed by the web browser.

“In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan, which installed five additional Smoke Loader plugins.” continues the analysis.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers”

The first plugin implements roughly 2,000 functions and it is able to target a broad range of applications, including Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird, to steal hostname and credentials. This plugin also attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin recursively searches through directories looking for files to parse and exfiltrate.

The third plugin injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS, while the fourth hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for ftp, smtp, pop3, and imap.

The fifth plugin injects code into TeamViewer.exe to steal credentials

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools.” concludes the analysis.

“This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.

Pierluigi Paganini

( Security Affairs – Huawei, encryption)

Share this...

Linkedin Reddit Pinterest

Share On