Cyble – New Laplas Clipper Distributed Via SmokeLoader

MITRE Techniques

• [T1203] Exploitation for Client Execution – SmokeLoader is distributed via malicious documents such as Word/PDF documents, sent through spam emails, or targeted spear-phishing attacks. ‘Generally, the SmokeLoader is either distributed via malicious documents such as Word/PDF documents, sent through spam emails, or targeted spear-phishing attacks.’
• [T1204] User Execution – The initial infection happens via spam email, so the enterprise should use email-based security to detect phishing emails. ‘The initial infection happens via spam email, so the enterprise should use email-based security to detect phishing emails.’
• [T1053] Scheduled Task/Job – The clipper creates a persistence mechanism via a scheduled task: ‘cmd.exe /C schtasks /create /tn {0} /tr ”{1}” /st 00:00 /du 9999:59 /sc once /ri 1 /f’
• [T1055] Process Injection – Upon execution, the malware loads a new module named “build.exe” in memory to perform clipper activities. ‘the clipper loads a new module named “build.exe” in memory which performs the clipper activities.’
• [T1027] Software Packing – The sample is VB.NET and protected by VMProtect, illustrating packing/obfuscation: ‘The sample … is compiled using VB.NET and protected by VMProtect.’
• [T1562] Defense Evasion – VMProtect and packing/obfuscation used to hinder analysis: ‘Software Packing’ and ‘Virtualization/Sandbox Evasion’ (VMProtect).
• [T1071] Application Layer Protocol – The clipper downloads additional malware and communicates with C2 URLs: ‘downloads additional malware from the following URLs.’
• [T1105] Ingress Tool Transfer – The downloader fetches SystemBC/RecordBreaker/Laplas from remote URLs: ‘downloads additional malware from the following URLs.’
• [T1082] System Information Discovery – The malware targets system information like Windows usernames and volume serial numbers as part of its operations: ‘stealing Windows usernames, volume serial numbers.’