Smoke Loader now arriving via EK, Malwarebytes analysis
A number of obfuscation tricks make this malware difficult to detect.
Once distributed primarily via spam, the Smoke Loader bot has more recently been detected being spread by an exploit kit.
Its essential ingredients have not changed much over the years, which makes the malware easier to identify, according to an in-depth analysis published in a post from Malwarebytes Labs.
The protocol used to communicate with the C&C server is now less descriptive, stripping out "many keywords that identifies its performed actions," the report stated. However, the traffic remains encrypted and the bot's purpose is still the same: to download and deploy other modules.
Examining a payload from a recent RIG exploit kit campaign, Hasherezade, an independent researcher and programmer, said the Smoke Loader (also known as Dofoil) sample she found appears to date from 2015, though its compilation timestamp shows it was modified on June 10, 2016, hence its designation as v6.1. The bot has existed since at least 2011, but was quiet for a few years before Malwarebytes noticed it again.
What distinguishes it, she said, is a number of tricks it uses for deception and self-protection. First, it injects itself into explorer.exe and deletes the original executable. It then establishes its network connections from inside the explorer process. It installs its original sample and subsequently replaces it with a new version downloaded from the C&C server, obfuscating its presence while storing its current samples and other downloaded executables in the Windows registry.
To further disguise its presence, Hasherezade wrote, the "timestamp of the dropped executable is changed, so that malware cannot be found by searching recently modified files." Read and write operations on the file are not possible either, in effect blocking access to it. Meanwhile, additional modules are constantly being downloaded and moved within the registry.
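The timestamp trick above is the kind of thing a responder can hunt for. The script below is an added example written for this article, not code from Malwarebytes Labs or from Hasherezade's analysis. It relies on two heuristics: a file cannot legitimately have been modified before it was created, so a last-write time that predates the creation (birth) time means one of the stamps was set by hand; and timestamp-setting tools often write whole seconds, so a last-write stamp with a zero sub-second part beside a creation stamp with a non-zero one is a second, weaker signal. Files that trip either check are then probed to see whether they can be opened for reading, since a dropped file the bot holds open without sharing cannot. The creation-time lookup assumes NTFS-style birth timestamps are exposed through os.stat (Windows, or macOS/BSD); Linux stat() has no such field and those files are skipped.

```python
"""
Triage script: find files whose last-write timestamp looks rolled back.

Added example for this article, not code from Malwarebytes Labs or
Hasherezade. Both checks are triage signals, not proof: archive
extractors and copy tools that preserve timestamps produce the same
"modified before created" pattern, so every hit needs a second look.
"""
import os
import sys
from dataclasses import dataclass
from typing import List, Optional

NS = 10**9
TOLERANCE_NS = 2 * NS  # ignore small skew between the two stamps


@dataclass
class Finding:
    path: str
    created_ns: int
    modified_ns: int
    reasons: List[str]


def timestamp_anomalies(created_ns: int, modified_ns: int,
                        tolerance_ns: int = TOLERANCE_NS) -> List[str]:
    """Return the reasons a (creation, last-write) pair looks tampered; empty if none."""
    reasons = []
    if modified_ns + tolerance_ns < created_ns:
        rewound = (created_ns - modified_ns) // NS
        reasons.append("last-write predates creation by %d s" % rewound)
    if modified_ns % NS == 0 and created_ns % NS != 0:
        reasons.append("last-write stamp has a zero sub-second part, creation stamp does not")
    return reasons


def birth_time_ns(st: os.stat_result) -> Optional[int]:
    """Creation time in ns, or None where the platform's stat() has no such field."""
    if hasattr(st, "st_birthtime_ns"):   # Windows on Python 3.12+
        return st.st_birthtime_ns
    if hasattr(st, "st_birthtime"):      # macOS / BSD (seconds as float)
        return int(st.st_birthtime * NS)
    if sys.platform == "win32":          # older Python on Windows: st_ctime is creation time
        return st.st_ctime_ns
    return None                          # Linux: plain stat() exposes no birth time


def readable(path: str) -> bool:
    """True if the file can be opened for reading. A dropped file held open with
    no sharing mode (as the article describes) fails here with PermissionError."""
    try:
        with open(path, "rb"):
            return True
    except OSError:
        return False


def hunt(root: str) -> List[Finding]:
    """Walk `root` and report files whose timestamps look rolled back."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # metadata only; works even on locked files
            except OSError:
                continue              # vanished mid-walk or no permission on metadata
            created = birth_time_ns(st)
            if created is None:
                continue
            reasons = timestamp_anomalies(created, st.st_mtime_ns)
            if not reasons:
                continue
            # Only probe files already flagged; opening everything is slow.
            if not readable(path):
                reasons.append("cannot be opened for reading (in use or locked)")
            findings.append(Finding(path, created, st.st_mtime_ns, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f.path)
        for r in f.reasons:
            print("   ", r)
```

Run it against the usual drop locations (the user's AppData tree, Temp, ProgramData) rather than the whole disk, and treat the output as a worklist. A sample that rewinds the creation time as well as the last-write time will slip past the first check; catching that needs the NTFS $FILE_NAME timestamps from the MFT, which a forensic image and a tool such as the Sleuth Kit can supply, since the attribute is not reachable through os.stat.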
The malware further hides its activities by generating redundant traffic, sending requests to legitimate domains, and it is packed with a crypter that provides a further layer of defense. While Hasherezade was able to dig past the crypter to reach the main Smoke Loader executable, she said the code needed further stripping to get to the malicious core.
At this point, the code revealed further tricks: it is littered with redundant jumps, which defeat static analysis tools, and it modifies itself during execution, Hasherezade explained, further hampering detection.