SmokeLoader’s Plugins | Bitsight

SmokeLoader has expanded beyond downloading and dropping other malware by offering plugins that harvest data from infected machines, including browser data, emails, cookies, and passwords. The Bitsight analysis dissects eight plugins (four 32-bit and four 64-bit) received from botnet “0020,” detailing how they decrypt, inject, and exfiltrate stolen data. #SmokeLoader #SmokeLoaderPlugins #botnet0020

Key Points

  • SmokeLoader can download and use plugins to collect data from infected computers, notably browser and email data.
  • Plugins are encrypted and sent with a header that specifies the number, size, and ID of the plugins, along with a 15-byte RC4 key.
  • Unpacking relies on in-memory analysis; UPX metadata may be removed, requiring memory dumps and Import Address Table adjustments.
  • Eight plugins were recovered (4×32-bit, 4×64-bit), with 5 having unique functionality and 3 pairs implemented for both architectures.
  • Upon reception, the main module creates a new process, maps the plugin in memory, and passes three entry-point parameters to the plugin.
  • Some plugins collect data from files on disk, while others inject into processes and steal data directly from memory by hooking Windows APIs.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files or Information – SmokeLoader encrypts each plugin with a 15-byte RC4 key and packages them behind a header describing the number and combined size of the plugins, followed by the encrypted content. ‘SmokeLoader sends encrypted plugins to the bots with a message that starts with a header that specifies the number of plugins, the combined size of them, a plugin marker, and a plugin ID. The header is followed by one or more plugin structures that specify the plugin size, its 15-byte RC4 key, and the encrypted plugin content.’
  • [T1055] Process Injection – The plugins inject into target processes by mapping a section with NtCreateSection/NtMapViewOfSection, writing a trampoline, and starting execution with CreateRemoteThread. ‘Finally, the plugin will make a call to the API CreateRemoteThread within the target process’
  • [T1056] Input Capture – To steal data, plugins hook Windows APIs (e.g., PR_Write, HTTPSendRequestA/W, InternetWriteFile) and capture the function arguments. ‘hooking to hijack the control flow that enters specific Windows API… replacing the first few instructions of a function with a trampoline that jumps to the hooking function.’
  • [T1555.003] Credentials in Web Browsers – The plugins steal credentials from Internet Explorer via vaultcli.dll and copy browser data files (Login Data, Cookies, Web Data) from Firefox, Chrome, Opera, Edge, and others. ‘Steal credentials from Internet Explorer using vaultcli.dll’ and ‘Steal “Login Data”, “Cookies” and “Web Data” files from Chrome, Opera, Chromium, Edge, Amigo, Go, QQBrowser’
  • [T1083] File and Directory Discovery – Some plugins search for specific files on disk and exfiltrate them. ‘Their purpose is looking for specific files on disk, and sending those to the C&C server.’
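The plugin container layout described in the key points and under T1027 (a header with plugin count, combined size, marker and plugin ID, followed by per-plugin entries carrying the size, a 15-byte RC4 key and the RC4-encrypted body) can be unpacked from a captured message or memory dump with the following Python, an added analysis helper that is not code from the Bitsight post. The field widths (little-endian 32-bit integers) and field order are assumptions, since the post does not give them here, and the sample message is constructed inside the script.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: the stream cipher the plugins are encrypted with."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# ASSUMED layout: count, combined size, marker, plugin ID as u32 LE;
# each entry: u32 plugin size followed by the 15-byte RC4 key and the body.
HEADER = struct.Struct("<IIII")
ENTRY = struct.Struct("<I15s")

def parse_plugin_message(blob: bytes) -> dict:
    """Walk the header and entries, returning the decrypted plugin bodies."""
    count, total_size, marker, plugin_id = HEADER.unpack_from(blob, 0)
    offset, plugins = HEADER.size, []
    for _ in range(count):
        size, key = ENTRY.unpack_from(blob, offset)
        offset += ENTRY.size
        body = blob[offset:offset + size]
        if len(body) != size:                 # defend against truncated captures
            raise ValueError("truncated plugin entry")
        offset += size
        plugins.append(rc4(key, body))        # RC4 is symmetric: same op decrypts
    return {"marker": marker, "plugin_id": plugin_id,
            "total_size": total_size, "plugins": plugins}

def build_sample_message(payloads, keys, marker=0x1337, plugin_id=7) -> bytes:
    """Constructed test fixture in the assumed layout (not a real capture)."""
    entries = b"".join(ENTRY.pack(len(p), k) + rc4(k, p)
                       for p, k in zip(payloads, keys))
    return HEADER.pack(len(payloads), len(entries), marker, plugin_id) + entries

SAMPLE_KEYS = [b"A" * 15, bytes(range(1, 16))]       # constructed 15-byte keys
SAMPLE_PAYLOADS = [b"MZ\x90\x00plugin-32bit-stub", b"MZ\x90\x00plugin-64bit-stub"]
SAMPLE_MESSAGE = build_sample_message(SAMPLE_PAYLOADS, SAMPLE_KEYS)

if __name__ == "__main__":
    for idx, body in enumerate(parse_plugin_message(SAMPLE_MESSAGE)["plugins"]):
        print(idx, body[:2] == b"MZ", body)
```

On a real sample, confirm each decrypted body starts with an MZ header before trusting the assumed field widths.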

Indicators of Compromise

  • [SHA-256] Plugin payload hashes – e45f05c69821061719fbbfecd107db8200429ea23753d2b6106a9c6f74ffa47f, 36d59dcdf6860e27d7238b583e67560d2ed7795c4eaa884c10f0c5d20af53d79, and 6 more hashes
  • [File name] Browser data files – profiles.ini, Login Data

Read more: https://www.bitsight.com/blog/smokeloaders-plugins