Updated Smoke Loader Malware Spreads via Phishing Emails

Delaware, USA – December 27, 2018 – When the cybersecurity community is studying reports and making plans for the upcoming year, the criminals are still improving their weapons. The recently published investigation reveals the details of the malware attack which used a top-level domain registered by cybercriminals as a command and control server. Bulk mailing warning about fake tsunami with the link to confirm evacuation masqueraded as coming from Meteorological Agency and contained the Smoke Loader malware.

Suchlike bulk mailings also took place a while before, the fake emails from local electronics retailers contained Smoke Loader which installed modular backdoor capable of stealing credentials and installing additional malware, according to the experts’ analysis.
Smoke Loader is a geo-targeting modular loader used by cybercriminals since 2011 to install backdoors, ransomware, crypto miners, password stealers, PoS malware, banking Trojans, etc. It has different modules for 32 and 64 architecture that enable grabbing credentials from browsers and email programs; the malware uses PROPagate technique to inject them into Explorer.exe process. Smoke Loader is known for its flexibility which makes it even more deceptive and self-protective. Earlier this year, adversaries distributed this malware with a fake security update for Windows.

Don’t rush to unpack all your gifts, another thing coming from the box may delay your security plans and wishes would come true.
Threat Detection Marketplace customers can uncover the loader’s activity using SIEM tool and fresh Sigma rules:
Sysmon – https://tdm.socprime.com/tdm/info/1412/
Proxy/Firewall – https://tdm.socprime.com/tdm/info/1411/