ASEC Report Vol.101, 2020 Q4

AhnLab ASEC (AhnLab Security Emergency-response Center) is a global security response group consisting of malware analysts and security experts. This report is published by ASEC and focuses on the most significant security threats and the latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.'s homepage (www.ahnlab.com).

Contents: Smoke Loader Learns New Tricks
1. Overview of Smoke Loader's Operation
2. Analysis of Injector
3. Analysis of Main Bot
4. Analysis of Plugin
5. Conclusion

Smoke Loader Learns New Tricks

Smoke Loader, malware first discovered in 2011, has been continuously used and distributed by attackers ever since. It has been in steady demand because of its wide range of features and its detection-bypass techniques; among other things, it has been used to distribute CoinMiner malware. According to ASEC's weekly malware statistics, Smoke Loader has been distributed consistently up to the present. The latest version was being distributed via an exploit kit and was acting as a medium for distributing ransomware. It was also found to use a different injection technique, mapping injection, which copies shellcode into another process through memory-mapped files. This report presents an analysis of Smoke Loader's latest operation, with a closer look at the injection methods.

1. Overview of Smoke Loader's Operation

Smoke Loader in itself is closer to a downloader in terms of its own features. However, most of the plugins it supports are info stealers, and it also supports plugins such as DDoS. This means that attackers can use Smoke Loader to download other malware, to leak user information through its various plugins, or simply as a DDoS botnet.
Smoke Loader's operation is as follows. When executed, it injects malicious shellcode into explorer.exe, a normal process, so the actual behavior is carried out by explorer.exe. The injected code first connects to the C&C server and receives a command. In response to the command it can act as a downloader that fetches additional malware from external sources. Afterward, it decrypts the plugins received from the C&C server, runs another explorer.exe as a child process, and injects plugins with various features into it.

The recently sighted Smoke Loader was being distributed via an exploit kit and, at the time of analysis, was additionally downloading Stop ransomware. It was therefore being used as a medium for ransomware distribution, and even when it was not, it could download additional malware at any time the attacker wished. When not operating as a downloader, it acted as a DDoS botnet that received commands to launch DDoS attacks against specific addresses.

Judging by the signature in the binary of the Smoke Loader discussed in this report, this sample can be assumed to be the 2020 version. As the latest version, it differs significantly from older versions in its injection method: it uses mapping injection, copying the shellcode into another process through a memory-mapped file, whereas the older samples used the PROPagate technique.

2. Analysis of Injector

Smoke Loader is divided into the injector and the main bot. The injector, using analysis disruption techniques and the Clone DLL technique, injects the main bot into explorer.exe, a normal process. The main bot carries out the malicious behavior, such as communicating with the C&C server, while the injector performs the tasks related to analysis disruption and injection.
The injector also has features besides those described below. It first checks the language currently in use; if the language is Russian, it exits. It also checks the integrity level of the current process: if the level is lower than medium, it calls ShellExecuteExW() with the 'runas' verb and restarts itself. This is because explorer.exe runs at medium integrity; if the injecting process is of a lower level, the injection cannot be carried out and no further malicious behavior can be executed.

2.1. Analysis Disruption Techniques

This section introduces three major analysis disruption techniques used by Smoke Loader: anti-debugging, anti-VM, and anti-sandbox. Note that because most of Smoke Loader's code is obfuscated and encrypted, the process of decrypting the code to be run next is repeated as execution proceeds. Also, when obtaining the addresses of the functions it uses, it does not call the GetProcAddress() API directly but walks the PEB structure and resolves them itself.

1) Anti-Debugging

The anti-debugging routine first reads the PEB structure and checks the BeingDebugged flag at offset +0x02. If debugging is in progress this flag is set to 1, and the malware terminates.

Next, it checks the NtGlobalFlag field at offset +0x68 of the PEB. Normally this field is 0x00, but when the process was started under a debugger it holds 0x70, and the malware terminates. As a last step, it uses NtQueryInformationProcess(): when this function is called with ProcessDebugPort as the argument while debugging is in progress, -1 (0xFFFFFFFF) is returned. In other words, beyond the obfuscation and encryption mentioned above, Smoke Loader's anti-debugging employs several distinct debugger-detection routines.

2) Anti-VM

The anti-VM routine reads the subkeys of the registry keys in Table 1 and checks them for the virtual machine strings in Table 2.
Table 2 lists the strings scanned for and the virtual machines they indicate.

Table 1. Subkeys of the registry keys
- HKLM\System\CurrentControlSet\Enum\IDE
- HKLM\System\CurrentControlSet\Enum\SCSI

Table 2. Virtual machines that satisfy the string condition
- Qemu : "qemu"
- KVM : "virtio"
- VMWare : "vmware"
- VirtualBox : "vbox"
- XEN : "xen"

Then, it sets SystemInformationClass to SystemProcessesAndThreadsInformation (0x5) and calls RtlGetNativeSystemInformation(). The result is a list of running processes, which it checks for the virtual machine-related processes shown in Table 3. Afterward, it sets SystemInformationClass to SystemModuleInformation (0xB) and calls RtlGetNativeSystemInformation() again. This returns information on the modules loaded in kernel space, which it scans for the virtual machine-related strings in Table 4.

Table 3. Checking whether virtual machine-related processes are running
- Qemu : "qemu-ga.exe", "qga.exe"
- VirtualBox : "vboxsservice.exe", "vboxtray.exe"
- VMWare : "vmtoolsd.exe"
- Parallels : "prl_tools.exe"

Table 4. Scan for virtual machine-related strings
- VMWare : "vmci.s" (vmci.sys), "vmusbm" (vmusbmouse.sys), "vmmous" (vmmouse.sys), "vm3dmp" (vm3dmp.sys), "vmrawd" (vmrawdsk.sys), "vmmemc" (vmmemctl.sys)
- VirtualBox : "vboxgu" (VBoxGuest.sys), "vboxsf" (VBoxSF.sys), "vboxmo" (VBoxMouse.sys), "vboxvi" (VBoxVideo.sys), "vboxdi" (vboxdisp.sys)
- KVM : "vioser" (vioser.sys)

3) Anti-Sandbox and Anti-Malware Bypass

In the analysis above, the malware used RtlGetNativeSystemInformation() to obtain the list of running processes and check for virtual machines. 'windanr.exe' in Table 5, together with the virtual machine-related process names listed above, is also among the process names targeted by that scan. This process name is known to run in the ANY.RUN sandbox environment.
This means that Smoke Loader stops and terminates in that specific sandbox environment.

In a 64-bit environment, the malware additionally checks whether the current Windows OS is running in test mode. It sets SystemInformationClass to SystemCodeIntegrityInformation (0x67), calls NtQuerySystemInformation(), and checks whether the returned value is CODEINTEGRITY_OPTION_TESTSIGN (0x2). On recent 64-bit Windows only properly signed drivers can be loaded, but test mode allows unsigned drivers to be loaded for driver developers. Attackers presumably check for this because virtual machines used for driver analysis in sandbox environments are sometimes set to test mode. Note, however, that the routine does not test whether the CODEINTEGRITY_OPTION_TESTSIGN bit (0x2) is included in the result; it compares the whole value for exact equality. If another option such as kernel-mode code integrity (CODEINTEGRITY_OPTION_ENABLED) is also set, the check therefore does not work as intended.

Additionally, it calls the GetModuleHandleA() API with the strings in Table 6 as arguments to check whether DLLs (modules) with those names are loaded in the current process. sbiedll.dll is loaded in the Sandboxie sandbox environment, and aswhook.dll and snxhk.dll are loaded when the Avast anti-malware product is installed.

Table 5. Argument string
- ANY.RUN : "windanr.exe"

So the malware scans the currently loaded modules to check whether it is running in a sandbox or whether a specific anti-malware product is installed.

2.2. Clone DLL Technique

Next, the report examines the 'Clone DLL technique', which Smoke Loader uses to bypass user-mode hooking.
Smoke Loader copies ntdll.dll from the System32 directory to the Temp directory under a random four-character name such as 44DA.tmp. Afterward, it loads the copy with LdrLoadDll(). Because the file is loaded from a different path, the DLL is loaded into the process a second time even though ntdll.dll is already present, as shown in Figure 1.

Sandbox-based security solutions and anti-malware solutions inject a monitoring DLL into processes. The injected monitoring DLL hooks key API functions, and ntdll.dll is the most common primary target. When a malware process hooked by the monitoring DLL calls an API, the call passes through the monitoring DLL, which allows the malware's behavior to be monitored.

Table 6. Argument strings
- Sandboxie : "sbiedll"
- Avast : "aswhook", "snxhk"

Figure 1. Newly loaded ntdll.dll

In an environment where a monitoring DLL hooks the API functions of the existing ntdll.dll, the malware process cannot be monitored in this way, because Smoke Loader loads a new ntdll.dll and calls the APIs of the new copy instead of those of the existing ntdll.dll, so the hooked APIs are never called. This technique was discussed in ASEC Report Vol.97, 'ANALYSIS IN-DEPTH: User-Mode Hooking Bypass Techniques'.

2.3. Injection

Smoke Loader then injects the main bot, which performs the substantive tasks, into the running Windows Explorer (explorer.exe). For the API functions used here, it uses the functions of the ntdll.dll newly loaded by the Clone DLL technique.

The injected data is XOR-encoded and compressed. In the current sample, the compressed and encoded data starts at 0x402DD9 and is 0x2D02 bytes long; it is XOR-decoded with the key 0x80356B70. The result is compressed with an LZ compression algorithm, which the malware decompresses with RtlDecompressBuffer().
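The Clone DLL load and the injection into explorer.exe both leave artefacts in ordinary host telemetry. The following Python is an added example, not code from the report or from AhnLab, that checks two of them over constructed module-load and process records: a second ntdll image loaded from a Temp path with the four-character .tmp name described above, and explorer.exe processes whose parent is explorer.exe, which is the shape of the plugin host processes described in section 3. The record field names (path, pid, ppid, image) and the sample records are assumptions.

```python
"""Host-telemetry checks for the Smoke Loader injection chain: (1) the Clone
DLL technique loads a copy of ntdll.dll from Temp under a random four-character
name such as 44DA.tmp, so a process ends up with a second ntdll image outside
System32; (2) each plugin is injected into a freshly spawned explorer.exe whose
parent is explorer.exe, so the number of such children reflects the number of
running plugins. The module and process records below are constructed samples
with hypothetical field names, not data from the report."""
import ntpath
import re
from typing import Dict, List

TRUSTED_NTDLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Four hex digits + ".tmp", the naming pattern the report describes.
TEMP_TMP_NAME = re.compile(r"^[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def cloned_ntdll_loads(modules: List[Dict[str, str]]) -> List[str]:
    """Return paths of loaded modules that look like an ntdll clone.

    A module is flagged when it is named ntdll.dll but lives outside the
    trusted system directories, or when it is a four-hex-digit .tmp file
    loaded from a directory whose path contains "temp".
    """
    hits = []
    for mod in modules:
        directory, base = ntpath.split(_norm(mod["path"]))
        if base == "ntdll.dll" and not directory.startswith(TRUSTED_NTDLL_DIRS):
            hits.append(mod["path"])
        elif TEMP_TMP_NAME.match(base) and "temp" in directory:
            hits.append(mod["path"])
    return hits


def explorer_child_injections(processes: List[Dict[str, object]]) -> List[int]:
    """Return PIDs of explorer.exe processes whose parent is also explorer.exe.

    The shell explorer.exe is normally started by userinit.exe; explorer.exe
    spawning explorer.exe is the shape of the report's process tree (Figure 3),
    one child per injected plugin.
    """
    by_pid = {p["pid"]: p for p in processes}
    children = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if (str(p["image"]).lower() == "explorer.exe" and parent is not None
                and str(parent["image"]).lower() == "explorer.exe"):
            children.append(int(p["pid"]))
    return sorted(children)


# Constructed sample telemetry (not from the report).
SAMPLE_MODULES = [
    {"path": r"C:\Windows\System32\ntdll.dll"},
    {"path": r"C:\Windows\System32\kernel32.dll"},
    {"path": r"C:\Users\victim\AppData\Local\Temp\44DA.tmp"},   # cloned ntdll
    {"path": r"C:\Program Files\App\ntdll.dll"},                 # wrong directory
    {"path": r"C:\Users\victim\AppData\Local\Temp\report.tmp"},  # not the pattern
]

SAMPLE_PROCESSES = [
    {"pid": 500, "ppid": 400, "image": "userinit.exe"},
    {"pid": 1200, "ppid": 500, "image": "explorer.exe"},   # the real shell
    {"pid": 3100, "ppid": 1200, "image": "explorer.exe"},  # plugin host 1
    {"pid": 3140, "ppid": 1200, "image": "explorer.exe"},  # plugin host 2
    {"pid": 3200, "ppid": 1200, "image": "notepad.exe"},
]

if __name__ == "__main__":
    print("suspicious modules:", cloned_ntdll_loads(SAMPLE_MODULES))
    print("explorer.exe children of explorer.exe:",
          explorer_child_injections(SAMPLE_PROCESSES))
```

Both checks are cheap enough to run continuously over EDR or Sysmon image-load and process-creation events; the .tmp name pattern is specific to the sample described here, whereas an ntdll.dll image outside System32/SysWOW64 is a general signal worth alerting on regardless of the loader.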
Note that Smoke Loader is a 32-bit program; on a 64-bit OS, where explorer.exe is a 64-bit process, it decrypts and decompresses a 64-bit shellcode instead. The 64-bit shellcode starts at 0x405ADB, immediately after the 32-bit shellcode, and is 0x3CA5 bytes long. Figure 2 shows the data used for each architecture.

Figure 2. Different data by architecture

ASEC Report Vol.97: https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.97_ENG.pdf

Older versions of Smoke Loader used an injection method called PROPagate, but recently found samples use mapping injection, which relies on a shared memory-mapped file. This method is used both when the injector injects the main bot into explorer.exe and when the main bot injects plugins. The malware first creates a section object and uses NtMapViewOfSection() to map it into both the target process, explorer.exe, and the current process. When data is then copied into the mapped area of the current (local) process, the same data becomes available in the shared memory area of the target process. Besides the main bot shellcode, Smoke Loader also creates sections to pass the directory name of the current malware file and to allocate memory for later use, repeating the above process twice. After injecting, the malware uses RtlCreateThread() to run the main bot injected into explorer.exe as a thread.

3. Analysis of Main Bot

Smoke Loader's main bot contains the substantive features and operates after being injected into explorer.exe. Because it runs inside explorer.exe, a normal process, the malicious behavior Smoke Loader performs appears to be the activity of a normal process, which can complicate detection. The first task the main bot performs is creating two threads that forcibly terminate analysis tools.
Since these threads run repeatedly, analysis programs running in the environment where Smoke Loader is installed are shut down, and are shut down again if they are restarted.

Next comes communication with the C&C server. The first data Smoke Loader receives consists of encoded commands and plugins. The plugins are saved to a file in encoded form. The malware then follows the decrypted command and receives an external download URL, serving as a downloader of additional malware. After the additional malware has been downloaded and executed, the malware reads the file where the encoded plugins are saved, decodes it, runs explorer.exe as a child process, and injects into it. Note that, as the process tree in Figure 3 shows, each plugin is injected into its own explorer.exe, so the number of plugins in operation can be determined by counting the explorer.exe child processes.

Figure 3. Process tree

3.1. Anti-Analysis Tools

The main bot creates two threads that scan file names and window classes, as described below, and forcibly terminate analysis tools.

1) File Name Scan

The first thread collects the file names of running processes and, if one matches a termination target, forcibly ends that process. Fifteen process names are stored as hashes, listed in Table 7. Note that because the key value differs for each sample, the hash values also differ between samples. The termination targets are mostly debuggers and monitoring tools.

Table 7. Hash value by process
- 0x21A0BCF0 - autoruns.exe
- 0x84995207 - procexp.exe
- 0x537D7F12 - procexp64.exe
- 0x8CB85509 - Procmon.exe
- 0x506F17CF - procmon64.exe
- 0x91974808 - tcpview.exe
- 0x50ADED5F - wireshark.exe
- 0x5B91613B - ProcessHacker.exe
- 0x9AB77207 - ollydbg.exe
- 0x07D90D1B - x32dbg.exe
- 0x39D9001C - x64dbg.exe
- 0x7BB74749 - idaq.exe
- 0x7BB74163 - idaw.exe
- 0x7E2CA0CC - idaq64.exe
- 0x4406A0CC - idaw64.exe

2) Window Class Check

The second thread enumerates the current window classes and, if one matches a window class string on the termination list, terminates the process that owns that window. As Table 8 shows, there are eight window class strings, and the targets are the same debuggers and monitoring programs as the file names.

Figure 4. Window class check and termination routine

Table 8. Hash value by window class
- 0x16BD5185 - Autoruns
- 0x3A807BB2 - PROCEXPL
- 0xE292B92B - PROCMON_WINDOW_CLASS
- 0x15A64B2D - TCPViewClass
- 0x1D75A7DD - (Unconfirmed)
- 0x08839CF8 - ProcessHacker
- 0xC9A06FCC - OllyDbg
- 0x15A764A4 - WinDbgFrameClass

3.2. Copying and Registering in Task Scheduler

Smoke Loader then copies the original malware file under a random name into the '\AppData\Roaming\' directory, removes the zone identifier (which records the download history) from the copy, and registers it in the Task Scheduler. The Task Scheduler COM object is used for registration, and the interval is set to 10 minutes. Table 9 shows the CLSID and IID of the COM object used, and Figure 5 shows the scheduled task file that is created.

Table 9. CLSID and IID of COM object
- CLSID TaskScheduler class : {0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
- IID ITaskService : {2FABA4C7-4DA9-4013-9697-20CC3FD40F85}

Figure 5. Task Scheduler file created

3.3. C&C Communication

The next task is communicating with the C&C server after decrypting and obtaining its address. The C&C server addresses in the current sample are shown in Table 10.
Table 10. C&C server list
- http://rexstat35x[.]xyz/statweb955/
- http://dexspot2x[.]xyz/statweb955/
- http://atxspot20x[.]xyz/statweb955/
- http://rexspot7x[.]xyz/statweb955/
- http://fdmail85[.]club/statweb955/
- http://servicem977x[.]xyz/statweb955/
- http://advertxman7x[.]xyz/statweb955/
- http://starxpush7x[.]xyz/statweb955/

Smoke Loader attempts to communicate with the C&C servers one at a time; if it fails to communicate with one server, it tries the next address.

Before connecting to the C&C server, it first generates a bot ID. Since the bot ID is derived from the currently installed environment, it can be seen as a unique ID of the running Smoke Loader instance. It is built from the computer name obtained with GetComputerNameA(), the volume serial number obtained with GetVolumeInformationA(), and the hard-coded value 0x25A56A90; the bot ID is the MD5 hash computed over these values.

The malware then builds the packet used for further requests. The first value is 0x07E4, which is 2020 in decimal. As past samples carried the values 2017 and 2018, this version can be assumed to have been developed in 2020. The value is later used for verification when communicating with the C&C server. Besides this, it adds values such as the computer name and '10001' (0x2711), and encodes the packet with the RC4 algorithm. Figure 6 shows the content of the packet sent to the C&C server.

Afterwards, it sends a POST request to the C&C server and receives an encoded response. For the request packet designated '10001', the response from the C&C server consists of additional commands for Smoke Loader to execute, encoded plugins, and additional commands for the plugins.

3.4. C&C Command

In the response data, the first 4 bytes give the length of the C&C command that follows, and that many bytes are decoded.
For example, for the data shown in Figure 7, the command size is 0x87.

Figure 6. Content of the packet sent to the C&C server

Figure 7. Encoded commands

Figure 8 shows the decoded command. The very first value is 0x07E4, which is 2020 in decimal; as mentioned above, it is assumed to represent the year 2020. It is hard-coded in the binary and used to check that the command was received normally from the C&C server. Next comes the actual C&C command, which is 1 byte long. The C&C command can be 'i', 'r', 'u', or a number.

Figure 8. Decoded commands

Table 11. ASCII analysis details
- 6|:|DDoS_rules=6|https://nXXXXXXXXam.com/en/,|:||:|keylog_rules=iexplore.exe,opera.exe,chrome.exe,firefox.exe|:||:|plugin_size=449864
- 0x07E4 (2020) : Signature
- 0x36 (6) : C&C command
- |:| : Plugin command separator
- DDoS_rules=6|https://nXXXXXXXXam.com/en/, : DDoS plugin-related command
- |:||:| : Plugin command separator
- keylog_rules=iexplore.exe,opera.exe,chrome.exe,firefox.exe : Keylogger plugin-related command
- |:||:| : Plugin command separator
- plugin_size=449864 : Size of the encoded plugin

'r' is the remove command: it contains a routine that deletes the registered scheduled task and the encoded plugin files that were created. 'i' connects to the C&C server, downloads and runs a payload, and is considered the install command. 'u' is similar to 'i', but since it also contains a routine that terminates the processes running the plugins, it is considered the upgrade command. Last, if a number is received instead of one of the commands above, Smoke Loader connects to the C&C server as many times as the number commands and receives an encoded URL.
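To make the response layout concrete, here is an added Python parser (not the report's or the malware's code) for the decoded command block of Table 11: the 0x07E4 signature, the one-byte command, the '|:|'-separated plugin rules and plugin_size, plus decoders for the procmon_rules, DDoS_rules and keylog_rules strings shown in sections 4.2, 4.6 and 4.7. It assumes a little-endian length prefix and signature, takes its input after the RC4 layer has been removed (the key is not given in the report), and uses a constructed sample with a placeholder target address in place of the masked one in Table 11.

```python
"""Parser for the decoded Smoke Loader C&C response layout (section 3.4,
Table 11) and for the plugin rule strings of sections 4.2, 4.6 and 4.7.
Added analysis aid, not code from the report or the malware. Assumptions:
little-endian length prefix and signature; input is the response after the
RC4 layer has been stripped; the sample response is constructed."""
from typing import Dict, List, Tuple

SIGNATURE = 0x07E4          # 2020 decimal, checked before a command is accepted
SEPARATOR = b"|:|"          # plugin command separator; "|:||:|" is two of them
PROCMON_ACTIONS = {0: "download_and_execute", 1: "terminate", 2: "reboot"}


def classify_command(cmd: str) -> Tuple[str, int]:
    """Map the one-byte C&C command to its meaning (section 3.4)."""
    if cmd == "i":
        return ("install", 0)
    if cmd == "r":
        return ("remove", 0)
    if cmd == "u":
        return ("upgrade", 0)
    if cmd.isdigit():
        return ("fetch_urls", int(cmd))   # connect N times, receive N encoded URLs
    raise ValueError(f"unknown C&C command {cmd!r}")


def parse_command_block(block: bytes) -> Dict[str, object]:
    """Parse the decoded command block: signature, command, plugin rules."""
    if len(block) < 3:
        raise ValueError("command block too short")
    if int.from_bytes(block[:2], "little") != SIGNATURE:
        raise ValueError("bad signature; response rejected")
    kind, count = classify_command(chr(block[2]))
    rules: Dict[str, str] = {}
    # Empty fields come from the doubled separator "|:||:|"; drop them.
    for field in filter(None, block[3:].split(SEPARATOR)):
        key, _, value = field.decode("latin-1").partition("=")
        rules[key] = value
    plugin_size = int(rules.pop("plugin_size", "0"))
    return {"command": kind, "count": count, "rules": rules,
            "plugin_size": plugin_size}


def parse_response(data: bytes) -> Dict[str, object]:
    """Split a framed response into the command block and the plugin blob.

    Layout: 4-byte length of the command block, the block itself, then the
    encoded plugin of plugin_size bytes (which the main bot saves to disk).
    """
    length = int.from_bytes(data[:4], "little")
    block_end = 4 + length
    parsed = parse_command_block(data[4:block_end])
    size = int(parsed["plugin_size"])
    plugin = data[block_end:block_end + size]
    if len(plugin) != size:
        raise ValueError("truncated plugin payload")
    parsed["plugin"] = plugin
    return parsed


def decode_procmon_rules(value: str) -> List[Tuple[str, str, str]]:
    """'test1.exe|0?81,test2.exe|1?82' -> [(process, action, rule_id), ...]"""
    out = []
    for item in filter(None, value.split(",")):
        process, _, tail = item.partition("|")
        action, _, rule_id = tail.partition("?")
        out.append((process, PROCMON_ACTIONS[int(action)], rule_id))
    return out


def decode_ddos_rules(value: str) -> Tuple[int, List[str]]:
    """'6|https://target/,' -> (attack method 0-7, [targets])"""
    method, _, targets = value.partition("|")
    return int(method), [t for t in targets.split(",") if t]


def decode_keylog_rules(value: str) -> List[str]:
    """Comma-separated list of processes the keylogger is injected into."""
    return [p for p in value.split(",") if p]


# Constructed sample response (not captured traffic; placeholder target URL).
_COMMAND = (SIGNATURE.to_bytes(2, "little") + b"6"
            + SEPARATOR + b"DDoS_rules=6|https://example.invalid/en/,"
            + SEPARATOR * 2 + b"keylog_rules=iexplore.exe,opera.exe,chrome.exe,firefox.exe"
            + SEPARATOR * 2 + b"procmon_rules=test1.exe|0?81,test2.exe|1?82,test3.exe|2?83"
            + SEPARATOR * 2 + b"plugin_size=8")
SAMPLE_RESPONSE = len(_COMMAND).to_bytes(4, "little") + _COMMAND + b"PLUGIN00"

if __name__ == "__main__":
    result = parse_response(SAMPLE_RESPONSE)
    print(result["command"], result["count"], result["plugin_size"])
    print(decode_ddos_rules(result["rules"]["DDoS_rules"]))
    print(decode_procmon_rules(result["rules"]["procmon_rules"]))
```

parse_response() rejects a block whose signature is not 0x07E4, mirroring the check the bot itself makes, and refuses a truncated plugin payload rather than producing a short plugin file; the rule decoders are what an analyst needs to turn a decoded command into the per-plugin tasking the later sections describe.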
Smoke Loader then decodes the received URL and performs its downloader function, downloading additional files from the server and executing them. As shown in Figure 9, packet number '10002' is used when executing a command received from the C&C server. The remove command only sends the execution result, whereas the install and upgrade commands and the numeric commands can receive an additional payload. For a command that receives an additional payload, the malware runs the payload and sends packet number '10003' at the end.

Figure 9. Executing the command received from the C&C server

Next come the plugin-related commands, separated by the plugin command separator; these are later used by the plugins. Last comes plugin_size, followed by the header-encoded plugins, whose size is the value given in plugin_size. The plugins are saved in encoded form under a random name in the \AppData\ directory, as shown in Figure 10. Note that the commands above are stored in a memory-mapped file created with the bot ID as its name. This is how commands are passed to the plugins that are injected into the child explorer.exe processes.

4. Analysis of Plugin

When all the main bot's procedures have run, Smoke Loader reads the plugin data saved as files, runs explorer.exe as a child process, and injects each plugin. Ten Smoke Loader plugins have been confirmed so far, but it is known to support various other plugin types.

4.1. Account and Cookie Info Stealer

The command used and the packet transmitted for stealing account and cookie data are as follows:

Figure 10. Files copied to the \AppData\Roaming\ directory and plugin files

Smoke Loader's plugin uses methods similar to those of ordinary info stealer malware to steal account information and cookies from programs such as web browsers and email clients. Note that the main bot uses packet numbers 10001 to 10003.
Table 12. Command and transmitted packet
- Command: Not required
- Transmitted packet: 10004 (x86)

This plugin therefore uses 10004, the next number in sequence, to send stolen information to the C&C server.

Figure 11. Packet 10004, which is used in this plugin

The targets of the plugin's data leakage are listed in Table 13. For Firefox and Thunderbird, the plugin steals account information and cookies from the logins.json and cookies.sqlite files; likewise, for Chromium-based web browsers it steals account information and cookies from the Login Data and Cookies files. It also targets Windows Vault, which holds the account information of Internet Explorer and Edge. Outlook, which keeps account information in the registry, the registry key of WinSCP, and the configuration files of FileZilla are targets as well.

Table 13. Targets for information leakage
- Web Browser: Firefox, Internet Explorer, Edge, Chrome, Chromium, Amigo, QQBrowser, Yandex, Opera
- Email Client: Outlook, Thunderbird
- FTP Client: FileZilla, WinSCP

Figure 12. Outlook information leakage routine

4.2. Process Monitoring

The command used and the packets transmitted for process monitoring are as follows:

Table 14. Command and transmitted packet
- Command: "procmon_rules"
- Transmitted packet: 10005, 10006 (x86)

Table 15 shows an example command for explanation. Each rule consists of a process name, one of three commands numbered 0 to 2, and a number used only to distinguish the rules.

This plugin periodically monitors processes, as shown in Figure 13, and when a process matching a process name received in the command is found, it executes the command assigned to that process name. For example, test1.exe has command 0, the downloader command: if a process named test1.exe is found while monitoring, the plugin sends packet 10005 with the process name to the C&C server, then downloads and executes additional malware.
Finally, the plugin transmits packet 10006 to the C&C server. test2.exe has command 1: if a process with that name is found while monitoring, it is forcibly terminated. test3.exe has command 2, the reboot command: if test3.exe is running, the plugin attempts a reboot, as shown in Figure 14. After executing commands 1 and 2, it transmits packet 10006 to the C&C server to report whether the operation succeeded.

Table 15. Command example
- |:|procmon_rules=test1.exe|0?81,test2.exe|1?82,test3.exe|2?83

Figure 13. Commands supported by the plugin

Figure 14. Reboot command

4.3. Web Browser Cookie Stealer

The command used and the packet transmitted for stealing web browser cookies are as follows:

Table 16. Command and transmitted packet
- Command: "fgclearcookies"
- Transmitted packet: 10007 (x86)

This plugin steals cookie information from web browsers. Instead of leaking the cookie data stored in files, it deletes the existing cookie files and then leaks the cookie data that is sent when the user connects to a website from the PC. Plugins with a hooking feature, including this one, act as an injector when executed in explorer.exe and also operate after being injected into other processes. That is, the plugin both monitors certain processes and injects itself into them as an injector, and, once injected, its hooking component leaks information from inside the target process.

The plugin first checks whether 'fgclearcookies' is among the commands received from the C&C server. If it is, it terminates all the processes in Table 17, because cookie deletion may fail while those processes are running. Next, it deletes the cookie files at paths such as '\AppData\Local\Google\Chrome\User Data\Default\Cookies' and '\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\'.
It monitors running processes, and when one of the web browsers in Table 18 is running, it injects itself.

Figure 15. Injector and injected functions

Table 17. List of terminated processes
- iexplore.exe, microsoftedge.exe, microsoftedgecp.exe, firefox.exe, chrome.exe, opera.exe, browser.exe, plugin-container.exe

Table 18. Processes for monitoring
- firefox.exe, iexplorer.exe, chrome.exe, opera.exe, microsftedgecp.exe

The injected plugin hooks the DLL functions shown in Table 19. Figure 16 shows the code responsible for hooking the various APIs to obtain information.

Table 19. DLLs for hooking
- iexplorer.exe, microsoftedgecp.exe: HttpSendRequestA(), HttpSendRequestW(), InternetWriteFile(), HttpQueryInfoA(), InternetQueryOptionA(), InternetGetCookieA() - wininet.dll
- firefox.exe: PR_Write() - nspr4.dll or nss3.dll

Figure 16. Hooking various APIs to obtain information

The plugin uses a slightly different method for the Chrome and Opera web browsers. Instead of hooking functions of related DLLs, it hooks the functions that process SSL/TLS data. The difficulty is that these functions are statically built into the DLL and are not exported separately, so Smoke Loader must locate their addresses within the binary. Table 20 shows the hooking target function and the DLL where it is located.

To find this function, the plugin first looks for the KTLSProtocolMethod VMT (virtual method table) in the .rdata section, as shown in Figure 17. The method used is to find a table of size 0x48 in the .rdata section, that is, a table holding 18 functions. It then hooks the 9th function, which is assumed to be ssl3_write_app_data(). The size of this table and the position of ssl3_write_app_data() can differ between versions of Chromium-based web browsers, so this hook of Smoke Loader works correctly only for specific versions.
Table 20. Hooking target function and DLL location
- chrome.exe: presumed to be ssl3_write_app_data() - chrome.dll
- opera.exe: presumed to be ssl3_write_app_data() - opera.dll or opera_browser.dll

Figure 17. Code related to the KTLSProtocolMethod VMT (virtual method table)

Then, when the user connects to a website and sends cookie-related information through the hooked function, the hook function is invoked, and the plugin collects the relevant data passed as arguments and leaks it to the C&C server.

4.4. FTP and Email Account Info Stealer

The command used and the packet transmitted for stealing FTP and email account credentials are as follows:

Table 21. Command and transmitted packet
- Command: Not required
- Transmitted packet: 10008 (x86)

The plugin checks the current process list and injects itself into the information leakage target processes. The targets are various web browsers, email clients, and FTP clients, as shown in Table 22.

Table 22. Targets for data breach
- Web Browser: firefox.exe, iexplorer.exe, chrome.exe, opera.exe, microsoftedgecp.exe
- Email Client: outlook.exe, thebat.exe, thebat32.exe, thebat64.exe, thunderbird.exe, mailmaster.exe, 263em.exe, foxmail.exe, alimail.exe, mailchat.exe
- FTP Client: filezilla.exe, smartftp.exe, winscp.exe, flashfxp.exe, cuteftppro.exe

When injected into the target process, the plugin hooks the send() and WSASend() functions of ws2_32.dll. The hook function inspects the packet passed to each call, targeting the ftp (port 21), smtp (ports 25, 587, 2525), imap (port 110), and pop3 (port 143) protocols. Figure 18 shows the code that compares each port number.

Figure 18. Comparison of port numbers

After that, the plugin checks whether the packet content contains the 'USER' and 'PASS' strings, which are used when logging in with ftp or email-related protocols.
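The hook only works because these logins travel in the clear. As an added, defender-side example (not from the report), the Python below scans constructed connection records for the same USER/PASS exchange on the ports the plugin watches, so that cleartext FTP and mail logins can be found and moved to TLS, where a hook on send() sees only ciphertext. The record fields and sample payloads are assumptions.

```python
"""Find cleartext FTP/mail logins, the exposure the credential-stealing hook
relies on: USER and PASS lines sent unencrypted on ports 21, 25, 587, 2525,
110 and 143. Added example; the flow records are constructed and the field
names (src, dst, dst_port, payload) are hypothetical."""
import re
from typing import Dict, List

WATCHED_PORTS = {21, 25, 587, 2525, 110, 143}
# Line-anchored so that e.g. "USER" inside a mail body does not match.
USER_RE = re.compile(rb"(?im)^USER\s+(\S+)")
PASS_RE = re.compile(rb"(?im)^PASS\s+\S+")


def cleartext_logins(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per flow that carries a USER/PASS pair in the clear.

    Only the username is reported; the password is deliberately not copied
    into the finding so the alert store does not itself become a credential
    store.
    """
    findings = []
    for flow in flows:
        if flow["dst_port"] not in WATCHED_PORTS:
            continue
        payload = bytes(flow["payload"])
        user = USER_RE.search(payload)
        if user and PASS_RE.search(payload):
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "dst_port": flow["dst_port"],
                             "user": user.group(1).decode("latin-1")})
    return findings


# Constructed sample flows (client-to-server payload only).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dst_port": 21,
     "payload": b"USER alice\r\nPASS s3cret\r\n"},              # cleartext FTP
    {"src": "10.0.0.6", "dst": "10.0.0.21", "dst_port": 110,
     "payload": b"USER bob@example.invalid\r\nPASS hunter2\r\n"},  # cleartext mail
    {"src": "10.0.0.7", "dst": "10.0.0.22", "dst_port": 443,
     "payload": b"USER eve\r\nPASS x\r\n"},                     # port not watched
    {"src": "10.0.0.8", "dst": "10.0.0.21", "dst_port": 25,
     "payload": b"EHLO host\r\nSTARTTLS\r\n"},                  # no credentials
    {"src": "10.0.0.9", "dst": "10.0.0.20", "dst_port": 21,
     "payload": b"USER anonymous\r\n"},                         # USER without PASS
]

if __name__ == "__main__":
    for finding in cleartext_logins(SAMPLE_FLOWS):
        print(finding)
```

Run over a sensor's reassembled client-to-server streams, the output is a list of hosts still authenticating in the clear; each is a credential the stealer could harvest regardless of which client program sent it, which is why the fix belongs on the protocol side rather than in the client list of Table 22.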
In short, the plugin leaks account credentials by hooking send() and WSASend() and capturing these strings when a targeted protocol sends its authentication packet.

4.5. File Leakage

The command used and the packet transmitted for file leakage are as follows:

Table 23. Command and transmitted packet
- Command: "filesearch_rules"
- Transmitted packet: 10009 (x86)

The plugin collects and compresses files that include the strings received as keywords and leaks them to the C&C server. The relevant command could not be received during analysis, but there are known records of keywords such as 'wallet', '2fa', and 'backup' being received, which means the plugin targets wallet files, backup files, and authentication-related files. Figure 19 shows the code related to file leakage.

Figure 19. File leakage

4.6. DDoS Attack

The command used and the packet transmitted for the DDoS attack are as follows:

Table 17. Command and transmitted packet
- Command: 'DDoS_rules'
- Transmitted packet: 10010 (x86)

The DDoS plugin can receive the following command:
- DDoS_rules=6|https://test.com/

The first field of the command is the attack method; there are eight attack methods (0 to 7), including HTTP GET flooding, HTTP POST flooding, SYN flooding, and UDP flooding. The second field is the address of the attack target.

Figure 20. Routine of the Slowloris DDoS attack

4.7. Keylogger

The command used and the packet transmitted for the keylogger are as follows:

Table 24. Command and transmitted packet
- Command: 'keylog_rules'
- Transmitted packet: 10011 (x86)

As mentioned earlier, the malware received the command in Table 25 from the C&C server. This plugin monitors processes and, if a process named in the command is running, injects into it. The injected plugin hooks TranslateMessage() and GetClipboardData(), giving it keylogging and clipboard-leaking features, as shown in Figure 21.

Table 25. Command received from the C&C server
- keylog_rules=iexplore.exe,opera.exe,chrome.exe,firefox.exe

Figure 21. Hooking for keylogging and clipboard information leaking

4.8. Hidden TeamViewer

The command used and the packets transmitted for the Hidden TeamViewer attack are as follows:

Table 26. Command and transmitted packet
- Command: "runhtv"
- Transmitted packet: 10012, 10013 (x86)

This plugin secretly installs the TeamViewer program, sends its ID and password to the C&C server, and thereby allows the attacker to connect remotely to the infected PC. First, if the runhtv command is present, it sends packet 10012 to download TeamViewer. Then, as shown in Figure 22, it uses the Hidden Desktop method to execute TeamViewer.exe without showing a GUI to the user, and injects itself into it.

Figure 22. Hidden execution using Hidden Desktop

The injected plugin hooks various functions for two purposes. The first is to make sure the user does not notice. TeamViewer.exe itself was started with the Hidden Desktop method, but the plugin also hooks functions such as CreateProcessW() and CreateProcessWithTokenW() and edits the desktop name so that child processes are also run with the Hidden Desktop method. It likewise hooks MessageBoxA(), MessageBoxW(), and DialogBoxParamW() and makes them return 1 to hide the related GUI. Figure 23 shows the various API hooking routines in the code.

Figure 23. Various API hooking routines

The second purpose is to send the ID and password generated when TeamViewer is installed on the infected PC to the C&C server. TeamViewer, on execution, automatically creates an ID and password and displays them on its GUI; anyone who knows them can connect remotely to the environment where TeamViewer is installed. TeamViewer displays the ID and password on the GUI after creating them, and the API used for this is SetWindowTextW(). This means that, as shown in Figure 24, by hooking this same function the plugin obtains the strings when the ID and password are displayed, and sends them to the C&C server so the attacker can connect remotely to the PC with TeamViewer.

Figure 24. Hooking the SetWindowTextW() function to obtain the ID and password

4.9. User Mail Data Stealer

The command used and the packet transmitted for stealing user mail data are as follows:

Table 27. Command and transmitted packet
- Command: Not required
- Transmitted packet: 10015 (x86)

This plugin, as shown in Figure 25, leaks user mail data files such as Outlook's .pst and .ost files. The targeted programs and file types are listed in Table 28, and the directories where the files are stored are given in Table 29.

Table 28. Targets for information leakage
- Outlook: .pst, .ost
- Thunderbird: .mab, .msf, inbx, sent, template, drafts, archives
- The Bat!: .tbb, .tbn, .abd

Figure 25. Leaking user mail data

Table 29. Directories of target files
- Outlook : "%APPDATA%Microsoft\Outlook", "%LOCALAPPDATA%Microsoft\Outlook", "%ALLUSERSPROFILE%\Microsoft\Outlook"
- Thunderbird : "%APPDATA%Thunderbird"
- The Bat! : "%ALLUSERSPROFILE%\The Bat!", "%APPDATA%\BatMail", "%ALLUSERSPROFILE%\BatMail"

4.10. Fake DNS

The command used and the packet transmitted for the Fake DNS attack are as follows:

Table 30. Command and transmitted packet

The plugin performs an injection when one of the web browsers shown in Table 31 is executed. After injection, it hooks the GetAddrInfoW() and GetAddrInfoExW() functions of ws2_32.dll. When the web browser calls these functions to obtain the IP address of a URL, the hook function compares the IP address with the address received in the command and replaces it with the address assigned by the attacker. Figure 26 shows the code related to DNS query hooking.

Table 31.
Processes for injection - Command: “fakedns_rules” - Transmitted packet: None - firefox.exe, iexplorer.exe, chrome.exe, opera.exe, microsoftedgecp.exe Figure 26. DNS query hooking 38Report 101 5. Conclusion Since its first appearance in 2011, Smoke Loader is constantly being distributed via exploit kit. As shown in this paper, Smoke Loader uses various plugins to not only leak user information but also download additional ransomware and encrypt the target PC. Furthermore, Smoke Loader enables attackers to utilize the user PC as a DDoS botnet, launch DDoS attacks, and install remote management tool to compromise the target PC. Being infected by Smoke Loader means that the infected PC is exposed to various forms of attacks. Companies and organizations must strive to improve security awareness among all employees, apply the latest security patch to all OS, and come up with effective prevention measures. AhnLab’s anti-malware solution, V3, detects and blocks Smoke Loader malware using the following aliases. [File Detection] - Trojan/Win32.Smokeldr.C4195812 (2020.09.14.04) [Behavior Detection] - Malware/MDP.Inject.M218 [IOC] - Hash: 1fecfbf3b4ad934c79dd4b2b8fedce4d - C&C http://rexstat35x[.]xyz/statweb955/ http://dexspot2x[.]xyz/statweb955/ http://atxspot20x[.]xyz/statweb955/ http://rexspot7x[.]xyz/statweb955/ http://fdmail85[.]club/statweb955/ http://servicem977x[.]xyz/statweb955/ http://advertxman7x[.]xyz/statweb955/ http://starxpush7x[.]xyz/statweb955/ Disclosure to or reproduction for others without the specific written authorization of AhnLab is prohibited. © 2020 AhnLab, Inc. All rights reserved. Contributors ASEC Researchers Editor Content Creatives Team Design Design Team Publisher AhnLab, Inc. Website www.ahnlab.com Email global.info@ahnlab.com Report Vol.101