Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

ID: S0226
Associated Software: Dofoil
Platforms: Windows
Version: 1.3
Created: 18 April 2018
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description

Dofoil [1] [2]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Smoke Loader uses HTTP for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Smoke Loader searches for credentials stored from web browsers.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Smoke Loader deobfuscates its code.[3]

Enterprise T1114 .001 Email Collection: Local Email Collection

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[3]

Enterprise T1083 File and Directory Discovery

Smoke Loader recursively searches through directories for files.[3]

Enterprise T1105 Ingress Tool Transfer

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[1][3]
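A one-byte XOR scheme such as the one described above is cheap for an analyst to undo: there are only 256 candidate keys, so recovery is a matter of trying each and scoring the result. The following helper, added here as an example (not code from Smoke Loader or from the ATT&CK page), brute-forces the key over a constructed sample blob; `recover_key` prefers a decoding that contains a known plaintext fragment and otherwise picks the most text-like candidate, with letters weighted above digits and separators so that short strings are not misattributed to the identity key.

```python
"""Recover a single-byte XOR key from an obfuscated value (T1027.013 style).
Added example; SAMPLE_* values below are constructed, not from a real sample."""
from __future__ import annotations


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (symmetric: decodes and encodes)."""
    return bytes(b ^ key for b in data)


def plausibility(data: bytes) -> int:
    """Score how much a candidate decoding looks like a path, URL or string."""
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:   # ASCII letter
            score += 2
        elif b in b"0123456789 .:\\/_-":              # digits and path separators
            score += 1
        elif 0x20 <= b <= 0x7E:                       # other printable: neutral
            pass
        else:                                         # control / high byte
            score -= 5
    return score


def recover_key(blob: bytes, marker: bytes | None = None) -> tuple[int, bytes]:
    """Try all 256 keys. If `marker` (a known plaintext fragment such as a
    module name) appears in a decoding, return it immediately; otherwise return
    the highest-scoring decoding."""
    best_key, best_score = 0, None
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if marker is not None and marker in candidate:
            return key, candidate
        score = plausibility(candidate)
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key, xor_bytes(blob, best_key)


# Constructed sample: a plaintext path obfuscated with a hypothetical key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"C:\\Windows\\SysWOW64\\explorer.exe"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, text = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} text={text!r}")
```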

Enterprise T1055 Process Injection

Smoke Loader injects into the Internet Explorer process.[3]

Enterprise T1055 .012 Process Injection: Process Hollowing

Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Smoke Loader launches a scheduled task.[3]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Smoke Loader searches for files named logins.json to parse for credentials.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Smoke Loader scans processes to perform anti-VM checks.[3]