SmokeLoader Backdoor — SmokeLoader Malware Description

SmokeLoader Backdoor — SmokeLoader Malware Description
SmokeLoader, Backdoor, Trojan/Win32:SmokeLoader
Written by Brendan Smith

SmokeLoader backdoor is a malicious application that aims at giving the attacker remote access to your PC. The general purpose of such access in the case of this backdoor is to download different other malware. Despite being very old, it is still a tough nut, and remains active and popular in attacks of different profiles. Let’s check out why SmokeLoader is so potent despite its venerable age.

What is backdoor malware?

Before getting into SmokeLoader analysis, let’s have a look at what backdoors are. This malware type has a long and curved story, and these days is an eminence grise. The key target of backdoor malware is to create a way for cybercriminals to remotely connect to the target PC and perform any possible actions. For that purpose, they never disdain to use vulnerabilities in the targeted system, along with injecting into the system as a trojan.

The main use for backdoor-infected computers is their participation in the botnet. Huge networks of zombie systems that perform DDoS attacks, send spam emails and do other nefarious activities are well known over the last decade. For that purpose scoundrels use automated backdoors – the ones which require minimum commands from the command and control server and may run on their own. The other application of a backdoor – exactly, the manually-controlled one – is data stealing and malware implementation. As in the latter case backdoor acts as a locomotive for malicious payload, it is sometimes classified as a worm.

SmokeLoader malware description

SmokeLoader backdoor first appeared in 2014 – at the very beginning of the ransomware era. Only a few other malware can boast of remaining active through 8 years after their launch. This backdoor has a lot of features that allow it to remain actual despite being so old. First and foremost, it is extremely small – the payload is only about 30 kilobytes. Regular malware of that type usually has a file size of at least 100 KB, usually around 150-200 kilobytes. That already makes it way easier to handle in a protected system, as some YARA rules used for malware detection pay attention to the file size.

Smokeloader offer forums

Offer to purchase SmokeLoader on the Darknet forum

Another feature, that distinguishes it among others, is that it is written in C and Assembly languages. Both of them are low-level, which points to their ability to dig very deep into the system. The exact code of this backdoor is heavily obfuscated. It was an effective measure against anti-malware programs, but these days any kind of obfuscation detected is considered hazardous. These days, it just makes reverse engineering this malware much more difficult.

Key features of this backdoor are wrapped around its loader functions, as you may have supposed from its name. The vast majority of time, SmokeLoader is used to deliver other malware to the infected system. Still, it is not the sole purpose of this malware – continuous development brought the ability to use it as a stealing tool. It also suits botnet deployment – but there are only a few cases of such usage. It still receives updates each year, so its functionality may extend in future.

SmokeLoader tech analysis

The initial package of SmokeLoader malware contains only basic functionality – providing the remote connection to the infected PC. Data grabbing, process monitoring, DDoS module and so forth should be installed afterwards. Overall, reverse engineering shows that there are 9 different modules that SmokeLoader can handle simultaneously.

Module nameFunctionality
Form grabberWatches for forms in the open windows in order to grab the credentials
Password snifferMonitors the incoming and outgoing Internet packages to sniff the credentials
Fake DNSModule for counterfeiting the DNS request. Leads to traffic redirection to the site you need
KeyloggerLogs all keystrokes in the infected environment
ProcmonProcess monitoring module, logs the processes running in the system
File searchFile searching tool
Email grabberGrabs the Microsoft Outlook address book
Remote PCAbility to establish a remote control similar to remote-access utilities (like TeamViewer)
DDoSForcing the infected PC to take part in DDoS-attacks on the designated server

Payload of this malware always comes packed in a unique way. A single sample is used by a small group of its users, hence meeting the same samples in the real world is not that easy. Still, that technology is not something new – most malware does the same thing, and some even generate a uniquely-packed sample for each attack. Moreover, over the initial packing, there is a requirement from its distributors to make an additional compression or encryption before injection. That is, exactly, the other chain of anti-detection measures.

Target system receives the fully-packed SmokeLoader sample – it is what is on the disk. All following stages are executed in the system memory, hence the scans with legacy anti-malware software will only detect a deeply-packed sample. The first stage of SmokeLoader execution includes an important obligatory checkup – the location of the attacked system. This malware cannot be run in the Commonwealth of Independent States, regardless of the settings you did before the injection. Other checkups include scanning for virtual machines and sandbox detection. If all things are passed, the malware gets completely unpacked and launches in its usual manner.

While running, SmokeLoader applies a pretty unique technique of obfuscation. It holds almost 80% of its code encrypted over the entire period of execution. Once it needs to use another function, it deciphers it while ciphering the element it used previously. YARA rules, along with classic reverse engineering, are rendered to be almost useless against such a trick. It has 32-bit and 64-bit payloads that are loaded in the systems with corresponding architectures during the checkup from initial stage to final execution.

Encryption and obfuscation SmokeLoader

Code encryption in SmokeLoader

The exact file which is kept in the memory while executing the SmokeLoader is not a valid executable file, as it lacks the PE header. In fact, the backdoor’s code is represented as a shell code – and thus should find a way to get executed manually. Generally, the routine commands executed by SmokeLoader, such as calls to C&C or downloads are made through the DLL injections. Obviously, that is required to retain stealthiness. Most often this step includes DLL injection or console calls that are made from the name of another program. Hackers who manage the SmokeLoader may either send the .exe file of malware they wish to install and just specify the URL where the backdoor can get this file.

Smokeloader header analysis

The header of SmokeLoader .exe file is absent – it is not a valid executable file

SmokeLoader IoC

Distribution of SmokeLoader malware

SmokeLoader’s key spreading ways rely upon email spam, pirated software and keygens. The former is prevalent, as it is much easier and still pretty effective. In that case, malware hides inside the attachment – usually an MS Word or MS Excel file. That file contains macros, and if you allow macros execution as requested, it will connect to a command server and receive the payload (actually, only a SmokeBot). However, analysts say that SmokeLoader appears more often through the malicious link attached to such a message. The site by that link may contain an exploit, in particular a cross-site scripting technique.

Email spam

Email spam example. The file contains malicious macro

Hiding malware inside of cracked applications or keygens/hacktools is slightly harder but has way wider potential. As unlicensed software usage is still widespread, a lot of people may be endangered. Not each cracked app contains malware – but all of them are illegal, for both users and creators. Using it, you may end up facing lawsuits for copyright violations. And being infected with malware in that case is even more unpleasant.

When it comes to malware infection, SmokeLoader appearance usually leads to the installation of various other malicious apps. Crooks who managed to create a botnet then offer other malware distributors to infect those computers with whatever they want. That can be adware, browser hijackers, spyware, ransomware – there are literally no restrictions. Behind a huge pile of viruses, cybersecurity experts often miss the origin of all this mess – thus SmokeLoader remains undetected.

Smokeloader malware delivery offers

SmokeLoader is offered as a malware delivery tool on forums

A separate spreading case, where SmokeLoader acts not as a precursor, is its combination with STOP/Djvu ransomware. Exactly, the bundle of malware delivered to the device includes RedLine and Vidar stealers. The former aims at banking credentials, the former – cryptowallets info. This or another way, Djvu generates a significant share in SmokeLoader prevalence, since it is one of the most widespread ransomware in its class.

Djvu ransomware description

STOP/Djvu ransomware is a long-time leader of ransomware that attacks individual users. It adopted the tactic which allowed it to cover as many users as possible – and it brought that ransomware to the first place, taking around 75% of an entire number of submissions. Throughout the second half of 2022, however, its activity shed, so its developers began to compensate for that drop with the efficiency of their payload. SmokeLoader, together with two stealers – Vidar and RedLine – fulfill the role of additional income sources. They grab the credentials of infected users, so the crooks can sell that data in the Darknet marketplaces.

Files encrypted by STOP/Djvu ransomware (BOWD variant)

Protect yourself from backdoor malware

Backdoors are extremely cunning and stealthy, so even the most meticulous users will not find them on their own. And that is the least to say – you could see that backdoors can easily evade basic anti-malware tools. That’s why the key point here is staying away from typical ways of backdoor spreading. Giving it no chance at all is much better than searching for ways to make it less effective once it is inside your system.

Email spam, as the most popular, is the first point of interest. Fortunately, you can easily recognise it – spam always has signs which differ from the original mailing. Some common spam letters usually have typos, poor grammar, extremely strange topics and disgusting design. More sophisticated spam messages may be very convincing, but there are always signs of counterfeiting. For instance, crooks will never be able to use the corporate e-mail address, so they try to use a similar one instead, or even a random mailbox. Additionally, links in the message will likely lead to external resources – ones that are barely related to the company used as a disguise.

Cracked software, keygens, and similar outlaw stuff is the other kind of things you should avoid. Using them is outlawed in the vast majority of cases, and the possibility of malware introduction makes things even worse. Authors of such stuff usually seek ways to monetise their job – and only the same outlaw things come into view. Thus, don’t have a choice other than add malware to the program they crack. And in the case of a backdoor, you may not notice its presence even long after its appearance on your device. Free cheese is only in the mouse trap – remember that easy rule.

Use a decent anti-malware software. Least pleasant thing is to face an enemy being naught on weapons. Proactive measures may be good and effective, but sometimes malware comes from an unexpected side. For that case, you should use anti-malware protection – an advanced program that will be capable of detecting the most recent and most complicated threats. GridinSoft Anti-Malware will be the best for that purpose – as a complex app that features a detection mechanism of 3 independent parts. Its low resource consumption and small size makes it ideal for PC protection.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.