A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.
The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.
Once executed, the macro initiates a second stage and downloads the TrickBot malware, which instead fetches the Smoke Loader backdoor, Cisco Talos reports.
Smoke Loader has been long used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some of the previous campaigns, it was also used as a dropper for TrickBot, but it appears tables have turned now.
“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.
The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe. It also uses the PROPagate technique to inject code into Explorer.
First described in late 2017, the method hasn’t been adopted by another malware to date, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, and FireEye too reported this last week.
The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.
Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.
All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.
The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.
The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.
“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.