win.smokeloader

SmokeLoader

aka: Dofoil

The SmokeLoader family is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. It frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.

References
https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/
https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/
https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis
https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign
https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/
https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait
https://www.cert.pl/en/news/single/dissecting-smoke-loader/
https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/
Yara Rules
[TLP:WHITE] win_smokeloader_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_smokeloader_auto {

    /* Autogenerated code-pattern rule for the SmokeLoader family (Malpedia win.smokeloader).
     * Every string is a run of raw x86 instruction bytes selected from the disassembly of
     * memory dumps and unpacked files (see DISCLAIMER below), so the rule targets unpacked
     * code: against packed on-disk samples it will likely not fire -- apply it to process
     * memory dumps or unpacked payloads instead.
     * In the per-string comments, "n" is the number of instructions in the sequence and
     * "score" is a yara-signator ranking value whose scale is not documented here. Branch
     * targets printed there (e.g. 0x222888) are absolute addresses from the sample the rule
     * was generated from; only the relative displacement byte (e.g. 7505 = jne +5) is part
     * of the pattern.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): the first five strings overlap. $sequence_0 is a prefix of
        // $sequence_1, and $sequence_2 and $sequence_3 are suffixes of $sequence_4, so a
        // single occurrence of the longer byte run also satisfies the shorter ones and
        // inflates the count used by "7 of them" below. These lea/push argument-setup
        // idioms are also common compiler output and are presumably weak discriminators
        // on their own; $sequence_5 .. $sequence_9 carry more of the rule's specificity.
        $sequence_0 = { 8bf0 8d45dc 50 6a00 }
            // n = 4, score = 7000
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0

        // Superset of $sequence_0 (same bytes plus a trailing push ebx).
        $sequence_1 = { 8bf0 8d45dc 50 6a00 53 }
            // n = 5, score = 7000
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   53                   | push                ebx

        $sequence_2 = { 8d45e8 50 8d45e0 50 56 }
            // n = 5, score = 7000
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi

        // Superset of $sequence_2 (one more leading push eax).
        $sequence_3 = { 50 8d45e8 50 8d45e0 50 56 }
            // n = 6, score = 7000
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi

        // Superset of $sequence_3 and $sequence_2 (one more leading lea/push pair).
        $sequence_4 = { 8d45f0 50 8d45e8 50 8d45e0 50 56 }
            // n = 7, score = 7000
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi

        // Short conditional/unconditional branch pair around a local-variable store.
        $sequence_5 = { 7505 897dfc eb22 8d45ec }
            // n = 4, score = 5000
            //   7505                 | jne                 0x222888
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   eb22                 | jmp                 0x2228aa
            //   8d45ec               | lea                 eax, dword ptr [ebp - 0x14]

        // Byte-wise compare loop body (load, compare, branch, advance index).
        $sequence_6 = { 8a5c1eff 3a1c07 750a 40 }
            // n = 4, score = 5000
            //   8a5c1eff             | mov                 bl, byte ptr [esi + ebx - 1]
            //   3a1c07               | cmp                 bl, byte ptr [edi + eax]
            //   750a                 | jne                 0x222bee
            //   40                   | inc                 eax

        $sequence_7 = { 59 75e2 5f 8b4724 }
            // n = 4, score = 5000
            //   59                   | pop                 ecx
            //   75e2                 | jne                 0x222916
            //   5f                   | pop                 edi
            //   8b4724               | mov                 eax, dword ptr [edi + 0x24]

        $sequence_8 = { 8b5720 01da 49 51 }
            // n = 4, score = 5000
            //   8b5720               | mov                 edx, dword ptr [edi + 0x20]
            //   01da                 | add                 edx, ebx
            //   49                   | dec                 ecx
            //   51                   | push                ecx

        $sequence_9 = { 6a00 8b4508 83c0fc 50 }
            // n = 4, score = 5000
            //   6a00                 | push                0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c0fc               | add                 eax, -4
            //   50                   | push                eax

    condition:
        // Because of the overlaps noted above, 7 of the 10 strings can be reached with as
        // few as four distinct code locations: one match of $sequence_1 (counts for 0 and 1),
        // one match of $sequence_4 (counts for 2, 3 and 4), plus any two of
        // $sequence_5 .. $sequence_9. Treat a hit as an indicator to confirm against the
        // sample rather than as a definitive verdict.
        7 of them
}