Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

ID: S0226
Aliases: Smoke Loader, Dofoil
Platforms: Windows

Version: 1.0

Alias Descriptions

Smoke Loader[1] [2]
Dofoil[1] [2]

Techniques Used

EnterpriseT1081Credentials in FilesSmoke Loader searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers.[3]
EnterpriseT1140Deobfuscate/Decode Files or InformationSmoke Loader deobfuscates its code.[3]
EnterpriseT1114Email CollectionSmoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[3]
EnterpriseT1083File and Directory DiscoverySmoke Loader recursively searches through directories for files.[3]
EnterpriseT1027Obfuscated Files or InformationSmoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[1][3]
EnterpriseT1093Process HollowingSmoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.[1][2]
EnterpriseT1055Process InjectionSmoke Loader injects into the Internet Explorer process.[3]
EnterpriseT1060Registry Run Keys / Startup FolderSmoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[1]
EnterpriseT1105Remote File CopySmoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[1]
EnterpriseT1053Scheduled TaskSmoke Loader launches a scheduled task.[3]
EnterpriseT1064ScriptingSmoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[1]
EnterpriseT1071Standard Application Layer ProtocolSmoke Loader uses HTTP for C2.[1]
EnterpriseT1195Supply Chain CompromiseSmoke Loader was distributed through a compromised update to a Tor client with a coin miner payload.[2]