Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

New Smoke Loader Attack Targets Multiple Credentials

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

Once executed, the macro initiates a second stage and downloads the TrickBot malware, which instead fetches the Smoke Loader backdoor, Cisco Talos reports.

Smoke Loader has been long used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some of the previous campaigns, it was also used as a dropper for TrickBot, but it appears tables have turned now.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe. It also uses the PROPagate technique to inject code into Explorer.

First described in late 2017, the method hasn’t been adopted by another malware to date, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, and FireEye too reported this last week.

The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.

Advertisement. Scroll to continue reading.

Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.

All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.

The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.

Related: Microsoft Detects Massive Dofoil Attack

Related: TrickBot Gets Computer Locking Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...