Smoke Loader malware's brand new version has some new tricks including PROPagate injection capability

• Smoke Loader is used by hackers to drop additional malware like ransomware and cryptocurrency miners.
• The malware downloader has previously been used to attack a Ukrainian firm.

Security researchers have uncovered a new version of the Smoke Loader, which functions as a malware downloader, allowing attackers to drop and execute other malware samples. The downloader has already been previously used by hackers to deploy their various malicious ware.

According to security researchers at Cisco Talos, who discovered the new variant of the Smoke Loader, the downloader was used in an attack against a Ukrainian accounting software developing firm called Crystal Finance Millennium (CFM). The attack occurred in 2017, indicating that Smoke Loader was a popularly used tool among hackers last year.

The smoking gun

“Smoke Loader is primarily used as a downloader to drop and execute additional malware like ransomware or cryptocurrency miners,” Cisco Talos researchers wrote in a blog. “Actors using Smoke Loader botnets have posted on malware forums attempting to sell third-party payload installs. This sample of Smoke Loader did not transfer any additional executables, suggesting that it may not be as popular as it once was, or it’s only being used for private purposes.”

The plugins in Smoke Loader’s new variant have all been designed to steal information. The plugins have also been customized to specifically target information such as stored credentials, including email logins, Windows credentials, as well as sensitive information transmitted over a browser.

Modus operandi

Cisco Talos researchers noted the infection chain began with a phishing email with an embedded malicious Microsoft Word document. In the most recent attack, the malicious Word doc had an embedded macro which downloaded the Trickbot malware.

However, the infection chain did not stop here. Trickbot in turn downloaded Smoke Loader, which dropped additional plugins.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader,” Cisco Talos researchers noted. “This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers.”

Smoke Loader’s newly discovered variant is a valid example of how cybercriminals continue to upgrade their tools to elevate their attacks. Adding new tricks to old tools allows attackers to circumvent outdated or unprotected systems, thereby expanding their attacks.

“We have seen that the trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques,” Cisco Talos researchers said. “They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date.”