Operation Endgame: Up In Smoke

Smoke is a long-standing malware loader that delivers second‑stage payloads and can extend its functionality with plugins. Operation Endgame disrupted Smoke’s infrastructure and enabled remote cleanup of infections. #SmokeLoader #Endgame #RaspberryRobin #Stealc #StopRansomware

Keypoints

  • In May 2024, Zscaler ThreatLabz’s analysis supported an international law enforcement operation known as Endgame to take over Smoke’s infrastructure and remotely uninstall the malware.
  • Smoke is a malware downloader dating back to 2011 that delivers second‑stage payloads, including information stealers and ransomware, often via a crimeware kit model.
  • Smoke can deploy custom plugins to extend its functionality, such as mining cryptocurrency, harvesting credentials, and hijacking browser data.
  • Endgame disrupted Smoke’s command and control infrastructure, enabling remote cleanup of infections.
  • Smoke identifies each infection with a unique bot ID and uses a named mutex so only one instance runs; persistence depends on the version (a scheduled task, a registry value or an LNK shortcut in the startup folder), and the executable and plugin files are hidden by setting the SYSTEM and HIDDEN attributes.
  • Network communication uses HTTP POST to hardcoded C2 servers with RC4‑encrypted payloads, and a defined set of commands (e.g., uninstall, update).
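The persistence artifacts listed in the keypoints (a scheduled task with a version-specific name, files with both SYSTEM and HIDDEN set) are the things a responder checks when deciding whether a host was cleaned. The following Python helper is an added example and is not code from the Zscaler post or from Operation Endgame. It assumes the task-name format quoted later on this page ("Opera scheduled Autoupdate %u", where %u becomes a number), and it assumes that a genuine Opera updater task runs a launcher.exe from an Opera directory, so a matching name whose target lives elsewhere is flagged. The schtasks CSV sample is constructed, and the file-attribute walk only returns results on Windows.

```python
import csv
import io
import os
import re

# Windows file-attribute bits (winnt.h). The post says Smoke sets both on its
# executable and its plugin file.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Task-name pattern from the page's "Opera scheduled Autoupdate %u" format string.
# schtasks prefixes names with a backslash, so that is made optional.
TASK_NAME_RE = re.compile(r"^\\?Opera scheduled Autoupdate \d+$")

# Assumption (not from the page): a real Opera updater task targets launcher.exe
# inside an Opera install directory, so the name alone is weak evidence.
LEGIT_TARGET_RE = re.compile(r"\\opera(?: gx)?\\.*launcher\.exe", re.IGNORECASE)


def system_hidden(attrs: int) -> bool:
    """True only when both the SYSTEM and the HIDDEN attribute bits are set."""
    both = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return attrs & both == both


def suspicious_tasks(schtasks_csv: str) -> list[tuple[str, str]]:
    """Parse `schtasks /query /fo CSV /v` output and return (name, target) for
    tasks that carry the Smoke-style name but do not run Opera's own launcher."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        if name == "TaskName":          # schtasks repeats the header per folder
            continue
        target = row.get("Task To Run", "")
        if TASK_NAME_RE.match(name) and not LEGIT_TARGET_RE.search(target):
            hits.append((name, target))
    return hits


def system_hidden_files(directory: str) -> list[str]:
    """Live check (Windows only): files under `directory` with SYSTEM+HIDDEN set.
    On other platforms st_file_attributes does not exist and nothing is returned."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                attrs = os.stat(path).st_file_attributes
            except (OSError, AttributeError):
                continue
            if system_hidden(attrs):
                found.append(path)
    return found


# Constructed sample of verbose schtasks CSV output: one genuine-looking Opera
# task and one that reuses the name but runs a binary out of %APPDATA%.
SAMPLE_SCHTASKS = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time",'
    '"Last Result","Author","Task To Run"\n'
    '"WS01","\\Opera scheduled Autoupdate 1700000000","N/A","Ready","Interactive only",'
    '"N/A","0","user","C:\\Users\\user\\AppData\\Local\\Programs\\Opera\\launcher.exe --scheduledautoupdate"\n'
    '"WS01","\\Opera scheduled Autoupdate 59512","N/A","Ready","Interactive only",'
    '"N/A","0","user","C:\\Users\\user\\AppData\\Roaming\\sdfegrhw\\fbrtgrfd.exe"\n'
)

if __name__ == "__main__":
    for name, target in suspicious_tasks(SAMPLE_SCHTASKS):
        print(f"suspicious task {name!r} -> {target}")
    for path in system_hidden_files(os.path.expandvars("%APPDATA%")):
        print(f"SYSTEM+HIDDEN file: {path}")
```

On a live Windows host, feed `suspicious_tasks` the output of `schtasks /query /fo CSV /v` and point `system_hidden_files` at %APPDATA% and %LOCALAPPDATA%; a hit from either is a reason to pull the file for comparison against the Smoke IoCs rather than a verdict on its own.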

MITRE Techniques

  • [T1071.001] Web Protocols – Smoke uses HTTP POST to hardcoded C2 servers to receive commands and data. Quote: “Network communications utilize HTTP POST requests to one or more hardcoded command-and-control (C2) servers.”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – The packet carried in the HTTP POST body is encrypted with an RC4 key hardcoded in the sample, so the key has to be recovered from the binary before captured traffic can be decoded. Quote: “The HTTP POST body includes a packet structure that is encrypted using a hardcoded RC4 key.”
  • [T1547.001] Registry Run Keys / Startup Folder – Depending on the version, Smoke persists through a registry value or an LNK shortcut in the startup folder; the mutex name, executable filename, plugin filename, and scheduled task name are version-specific artifacts that identify an install rather than mechanisms in themselves. Quote: “Other persistence mechanisms… Registry value / LNK shortcut in startup folder.”
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Smoke hides its executable and plugins by setting file attributes to SYSTEM and HIDDEN. Quote: “All versions of Smoke try to hide the executable file and plugins by setting the file attributes to SYSTEM and HIDDEN.”
  • [T1053.005] Scheduled Task – Some versions persist through a scheduled task whose name is built from a version-specific format string (e.g., “Opera scheduled Autoupdate %u”, where %u is replaced by a number at runtime). Quote: “Scheduled task name” and examples such as “Opera scheduled Autoupdate %u”.
  • [T1070.004] File Deletion – The uninstall process deletes the executable, plugins, and scheduled task as part of cleanup. Quote: “Deletes the Smoke executable, plugins file, and scheduled task.”
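The network keypoint and the C2 entries above describe HTTP POST bodies encrypted with a hardcoded RC4 key. The block below is an added example (not the Zscaler post's code) of the decryption step an analyst performs on a captured body once the key has been pulled from the sample. The key, the plaintext check-in and the POST body are all constructed here; Smoke's actual packet layout is not reproduced, and the printable-ratio check is only a heuristic for "did the key work" when the plaintext is expected to be text.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + pseudo-random generation). Because it is a
    stream cipher, the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumption: the key recovered from the sample. This value is made up for the demo.
HARDCODED_KEY = bytes.fromhex("deadbeef")


def decrypt_c2_body(body: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Decrypt a captured HTTP POST body with the sample's hardcoded key."""
    return rc4(key, body)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def key_looks_right(body: bytes, key: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: a wrong RC4 key yields pseudo-random bytes, of which only
    about 37% fall in the printable range, so text plaintext clears 0.9 and
    garbage does not."""
    return printable_ratio(rc4(key, body)) >= threshold


# Constructed stand-in for a decrypted check-in (not Smoke's real packet format).
SAMPLE_PLAINTEXT = b"constructed check-in: bot=ABCDEF0123456789 cmd=update plugins=0"
SAMPLE_POST_BODY = rc4(HARDCODED_KEY, SAMPLE_PLAINTEXT)   # what a PCAP would show

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())            # bbf316e8d940af0ad3 (standard RC4 test vector)
    print(decrypt_c2_body(SAMPLE_POST_BODY))
    print(key_looks_right(SAMPLE_POST_BODY, HARDCODED_KEY),   # True
          key_looks_right(SAMPLE_POST_BODY, b"wrong"))        # False
```

The `rc4` routine is checked against the published "Key"/"Plaintext" test vector before it is trusted on real traffic; a mismatch there means the implementation, not the recovered key, is at fault. Note that a hardcoded key with no per-session component means one key extraction decodes every capture for that build.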

Indicators of Compromise

  • [Domain] Smoke C2 domains – akmedia.in, bethesdaserukam.org, galandskiyher5.com, gxutc2c.com (the source post lists further Smoke C2 domains)

Read more: https://www.zscaler.com/blogs/security-research/operation-endgame-smoke