SmokeLoader evolved from 2015 to 2022, introducing a binary network protocol, RC4-based encryption, and a modular stager that injects into the explorer process to download and execute payloads. Operation Endgame demonstrated its reach by remotely disinfecting thousands of infections in May 2024, underscoring the malware’s continuing impact and threat actor interest. #SmokeLoader #OperationEndgame #Win32.Downloader.Smokeloader
Key points
- SmokeLoader’s development from 2015–2022 included major protocol, encryption, and anti-analysis enhancements.
- 2015–2017 saw a fixed field-based protocol; 2017 introduced a binary protocol and two hardcoded RC4 keys for encrypting requests and decrypting responses.
- Starting in 2018, the stager module expanded anti-analysis capabilities and began injecting the main module into explorer.exe (PROPagate).
- Code obfuscation intensified from 2018 onward (permutations, opaque predicates, stack obfuscation, RVA-based jumps), and the stager gained nested XOR encryption layers.
- From 2019–2022 SmokeLoader improved detection evasion (keyboard layout checks, OS version checks, and NT-level techniques) and manipulated ntdll loading to hinder analysis.
- The malware’s C2 and plugin ecosystem evolved (formgrabber, password theft, keylogger, TeamViewer), with data exfiltration via BOT_DATA and base64 encoding.
- Operation Endgame (May 2024) used SmokeLoader’s uninstall path to disinfect infections, illustrating both persistence and new defensive actions against the family.
MITRE Techniques
- [T1055] Process Injection – PROPagate injection into the explorer process to run the main module. ‘the stager employs the PROPagate code injection method to inject the main module within the context of the explorer process.’
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks including keyboard layout checks and OS version gating. ‘the stager incorporates checks for keyboard layouts. If it detects Ukrainian or Russian languages, the infection process is halted. Additionally, the stager examines the OsMajorVersion field within the PEB structure and ceases execution for operating system versions below 6.’
- [T1573] Encrypted Channel – C2 traffic protected by RC4, with keys embedded in the malware. ‘two different static RC4 keys to encrypt the requests and decrypt the responses.’
- [T1027] Obfuscated/Compressed Files and Information – Nested XOR layers and various obfuscation techniques in the stager. ‘nested XOR layers, enhancing the encryption and obfuscation techniques employed.’
- [T1132] Data Encoding – Use of base64 encoding for results and data in plugins. ‘BOT_DATA contains the base64 encoded results.’
- [T1041] Exfiltration Over C2 Channel – Data from stealer plugins is exfiltrated to the C2; the exfiltration is described within the plugin results. ‘Exfiltrates data produced by the stealer plugin. The BOT_DATA argument contains the base64 encoded results.’
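The two-key RC4 channel and the base64-encoded BOT_DATA field above are the parts an analyst decodes when reviewing captured traffic. The following is an added example written for this summary, not code from the Zscaler post or from the malware: the RC4 routine is standard, the two keys are placeholders for the static keys an analyst would extract from a sample, and the plugin-result sample is constructed.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Placeholders: the real static keys are not on this page and would be
# recovered from the specific sample under analysis.
REQUEST_KEY = b"REQUEST_KEY_PLACEHOLDER"
RESPONSE_KEY = b"RESPONSE_KEY_PLACEHOLDER"

def decrypt_c2(direction: str, blob: bytes) -> bytes:
    """Choose the key by traffic direction: bot->C2 requests and C2->bot
    responses use different static keys, so a capture decoded with the
    wrong key yields garbage rather than plaintext."""
    if direction not in ("request", "response"):
        raise ValueError("direction must be 'request' or 'response'")
    key = REQUEST_KEY if direction == "request" else RESPONSE_KEY
    return rc4(key, blob)

def decode_bot_data(value: bytes) -> bytes:
    """Base64-decode a BOT_DATA value carried in a stealer-plugin result.
    validate=True rejects stray bytes instead of silently skipping them."""
    return base64.b64decode(value, validate=True)

if __name__ == "__main__":
    # Constructed sample: a plugin result wrapped as the bot would send it.
    result = base64.b64encode(b"constructed stealer output")
    captured_request = rc4(REQUEST_KEY, result)   # what a sensor would see
    print(decode_bot_data(decrypt_c2("request", captured_request)))
```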
Indicators of Compromise (SHA256 hashes of samples from 2012 through 2022 are listed in the original post)
Read more: https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-2