SmokeLoader Rises From the Ashes

MITRE Techniques

• [T1059] Command and Scripting Interpreter – SmokeLoader uses injected shellcode and dynamic code decryption to execute payloads (‘implemented a new function to decrypt code blocks by adding a hardcoded value to each byte before execution’).
• [T1055] Process Injection – The stager injects the main module into explorer.exe and uses 64-bit shellcode for injection (‘inject the main module into explorer.exe’).
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – SmokeLoader establishes persistence via a scheduled task with names like “MicrosoftEdgeUpdateTaskMachine%hs” (‘the scheduled task that established persistence’).
• [T1112] Modify Registry (persistence-related changes) – (implied) persistence mechanisms and scheduled task naming changes used to maintain execution (‘Scheduled task name … MicrosoftEdgeUpdateTaskMachine%hs’).
• [T1497] Virtualization/Sandbox Evasion – The stager detects virtual environments and terminates if present to hinder analysis (‘stager has two main purposes: hinder analysis, detect virtual environments (and terminate if present)’).
• [T1105] Ingress Tool Transfer – Primary function is to download and execute second-stage payloads from C2 servers (‘Smoke’s primary function is to download and execute second stage malware’).
• [T1027] Obfuscated Files or Information – Constants and protocol fields are obfuscated (XOR with hardcoded values, RC4, CRC32 additions) to hinder static detections (‘various constants are obfuscated using a simple function that performs an XOR operation with a hardcoded value’).
• [T1608] Stage Capabilities (modular plugins) – Uses optional plugin framework for credential harvesting, browser hijacking, crypto mining, and DDoS tasks (‘modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more’).