{
	"id": "b6251850-e658-4997-b9c0-1ca6efa0f27e",
	"created_at": "2026-04-06T00:21:14.091504Z",
	"updated_at": "2026-04-10T03:20:56.23104Z",
	"deleted_at": null,
	"sha1_hash": "3f461987beed10d5b36e1a16535a303c839b149e",
	"title": "Smoking Guns - Smoke Loader learned new tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 354382,
	"plain_text": "Smoking Guns - Smoke Loader learned new tricks\r\nBy Holger Unterbrink\r\nPublished: 2018-07-03 · Archived: 2026-04-05 14:43:10 UTC\r\nTuesday, July 3, 2018 06:00\r\nOverview\r\nCisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to load\r\nother malware — for the past several months following an alert from Cisco Advanced Malware Protection’s\r\n(AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but\r\nfurther analysis showed some developments in the Smoke Loader sample resulting from this chain of malware\r\nthat intrigued us. This includes one of the first uses of the PROPagate injection technique in real-world malware.\r\nBesides a report released at the end of last week describing a different RIG Exploit Kit-based campaign, we\r\nhaven’t seen real-world malware using this.\r\nTalos is very familiar with Smoke Loader. For example, it was used as a downloader for a cyberattack that was\r\nlaunched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium\r\n(CFM) in January.\r\nSimilar to many other campaigns, the initial infection vector was an email with a malicious Microsoft Word\r\ndocument attached. The victims were tricked into opening the attachment and enabling the embedded macros.\r\nThis started the malware-downloading chain, down to the final Smoke Loader infection and its plugins.\r\nSmoke Loader is primarily used as a downloader to drop and execute additional malware like ransomware or\r\ncryptocurrency miners. Actors using Smoke Loader botnets have posted on malware forums attempting to sell\r\nthird-party payload installs. 
This sample of Smoke Loader did not transfer any additional executables, suggesting\r\nthat it may not be as popular as it once was, or it’s only being used for private purposes.\r\nThe plugins are all designed to steal sensitive information from the victim, specifically targeting stored credentials\r\nor sensitive information transferred over a browser — including Windows and Team Viewer credentials, email\r\nlogins, and others.\r\nTechnical details\r\nInfection Chain\r\nAs mentioned above, the infection chain started with an email and an attached malicious Word document\r\n(b98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc). You can see the content of this\r\nemail below.\r\nhttps://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html\r\nPage 1 of 10\n\nFig. 1 - Phishing Email\r\nThe attached Word document had an embedded macro that initiated the second stage and downloaded the Trickbot\r\nmalware (0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41).\r\nFig. 2 - Email attachment: IO08784413.doc\r\nThis document downloads and executes the Trickbot malware from hxxp://5[.]149[.]253[.]100/sg3.exe, or\r\nhxxp://185[.]117[.]88[.]96/sg3.exe as %TEMP%\\[a-zA-Z]{6-9}.exe. These URLs have served up multiple\r\nmalicious executables in the past, including samples of Trickbot.\r\nIn our Trickbot cases, the malware finally downloaded the Smoke Loader trojan\r\n(b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40), which installed five additional\r\nSmoke Loader plugins. We describe these plugins in detail in the plugins section of this report.\r\nTrickbot (0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41)\r\nSmoke Loader has often dropped Trickbot as a payload. 
This sample flips the script, with our telemetry showing\r\nthis Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet\r\noperators charging money to install third-party malware on infected computers. We haven’t analysed the Trickbot\r\nsample further, but for your reference, we are providing the Trickbot configuration here (IP addresses redacted\r\nwith bracketed dots for security reasons).\r\nSmoke Loader packer/injector details\r\nMalware frequently iterates through process lists to find a process to inject. Security researchers know this process\r\nwell and have created many tools to track the Windows APIs used in this technique, like\r\nCreateToolhelp32Snapshot. This Smoke Loader sample avoids iterating through process lists by calling the\r\nWindows API GetShellWindow to get a handle to the shell’s desktop window, then calling\r\nGetWindowThreadProcessId to get the process ID of Explorer.exe.\r\nSmoke Loader then uses standard injection API to create and write two memory sections in Explorer, one for\r\nshellcode and another for a UxSubclassInfo structure to be used later for PROPagate injection.\r\nGetShellWindow -\u003e GetWindowThreadProcessId -\u003e NtOpenProcess -\u003e NtCreateSection -\u003e NtMapViewOfSection\r\nx2 -\u003e NtUnmapViewOfSection\r\nThe window handle retrieved from the previous call to GetShellWindow has a second purpose. 
Smoke Loader\r\nuses EnumChildWindows to iterate through each of the handle’s child windows to find one containing the\r\nproperty UxSubclassInfo, which indicates it is vulnerable to PROPagate injection.\r\nPROPagate injection was first described by a security researcher in late 2017, though there were no public POCs\r\navailable when Smoke Loader started using it. The Smoke Loader developers likely used publicly available notes\r\non PROPagate to recreate the technique.\r\nFig. 3 - PROPagate Injection\r\nFor each child window, the injector calls EnumPropsA to iterate through window properties until it finds\r\nUxSubclassInfo. This function also showcases some of the anti-analysis techniques employed by this sample’s\r\npacker. There are several unnecessary jumps for control flow obfuscation, including simple opaque predicates\r\nleading to junk code.\r\n“Deobf_next_chunk” takes arguments for size and offset for the next chunk of code to deobfuscate and execute, so\r\nthe bulk of the malicious code is deobfuscated as needed, and can be obfuscated again once the next chunk is\r\nloaded. The obfuscation method is a simple one-byte XOR with the same hardcoded value for every piece.\r\nThese anti-analysis techniques are accompanied by anti-debugging and anti-VM checks, as well as threads\r\ndedicated to scanning for processes and windows belonging to analysis tools. These features complicate forensics,\r\nruntime AV scanners, tracing, and debugging.\r\nFig. 
4 - Trigger malicious event handler via WM_NOTIFY and WM_PAINT\r\nOnce the shellcode and UxSubclassInfo data are written to the remote process, the injector calls SetPropA to\r\nupdate the property for the window, then sends WM_NOTIFY and WM_PAINT messages to the target window to\r\nforce it to trigger the malicious event handler that executes the injected shellcode.\r\nInjected shellcode: Smoke Loader\r\nSmoke Loader received five interesting plugins instead of additional payloads. Each plugin was given its own\r\nExplorer.exe process to execute in, and the malware used older techniques to inject each plugin into these\r\nprocesses. Each Explorer.exe process is created with the option CREATE_SUSPENDED, the shellcode is injected,\r\nthen executed using ResumeThread. This is noisy and leaves six Explorer.exe processes running on the infected\r\nmachine.\r\nPlugins\r\nAs mentioned above, the plugins are all designed to steal sensitive information from the victim, explicitly\r\ntargeting stored credentials or sensitive information transferred over a browser. Each plugin uses the mutex\r\n\"opera_shared_counter\" to ensure multiple plugins don’t inject code into the same process at the same time.\r\nPlugin 1:\r\nThis is the largest plugin with approximately 2,000 functions. 
It contains a statically linked SQLite library for\r\nreading local database files.\r\nIt targets stored info for Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and\r\nThunderbird.\r\nRecursively searches for files named logins.json which it parses for hostname, encryptedUsername, and\r\nencryptedPassword.\r\nvaultcli.dll - Windows Credential Manager\r\nPOP3, SMTP, IMAP Credentials\r\nPlugin 2:\r\nThis plugin recursively searches through directories looking for files to parse and exfiltrate.\r\nOutlook\r\n*.pst\r\n*.ost\r\nThunderbird\r\n*.mab\r\n*.msf\r\ninbox\r\nsent\r\ntemplates\r\ndrafts\r\narchives\r\nThe Bat!\r\n*.tbb\r\n*.tbn\r\n*.abd\r\nPlugin 3:\r\nThis one injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS.\r\nIf \"fgclearcookies\" is set, it kills browser processes and deletes cookies.\r\niexplore.exe and microsoftedgecp.exe\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nInternetWriteFile\r\nfirefox.exe\r\nPR_Write in nspr4.dll or nss3.dll\r\nchrome.exe\r\nunknown function inside chrome.dll\r\nopera.exe\r\nunknown function inside opera_browser.dll or opera.dll\r\nPlugin 4:\r\nThis hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for FTP, SMTP, POP3, and IMAP.\r\nPlugin 5:\r\nThis one injects code into TeamViewer.exe to steal credentials.\r\nIOC\r\nb98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc (IO08784413.doc)\r\n0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41 (Trickbot)\r\nb65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40 (Smoke Loader)\r\nMutex: opera_shared_counter\r\nTrickbot 
IPs:\r\nSmoke Loader domains:\r\nukcompany[.]me\r\nukcompany[.]pw\r\nukcompany[.]top\r\nDropped File: %appdata%\\Microsoft\\Windows\\[a-z]{8}\\[a-z]{8}.exe\r\nScheduled Task: Opera scheduled Autoupdate [0-9]{1-10}\r\nConclusion\r\nWe have seen that the trojan and botnet market is constantly undergoing changes. The players are continuously\r\nimproving their quality and techniques. They modify these techniques on an ongoing basis to enhance their\r\ncapabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to\r\ndate. Organizations can utilize a multi-layered defensive approach to detect and protect against these kinds of\r\nthreats. Talos continues to monitor these campaigns as they evolve to ensure that defenses protect our customers.\r\nWe strongly encourage users and organizations to follow recommended security practices, such as installing\r\nsecurity patches as they become available, exercising caution when receiving messages from unknown third\r\nparties, and ensuring that a robust offline backup solution is in place. 
These practices will help reduce the threat of\r\na compromise and should aid in the recovery of any such attack.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated\r\nwith this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html"
	],
	"report_names": [
		"smoking-guns-smoke-loader-learned-new.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f461987beed10d5b36e1a16535a303c839b149e.pdf",
		"text": "https://archive.orkl.eu/3f461987beed10d5b36e1a16535a303c839b149e.txt",
		"img": "https://archive.orkl.eu/3f461987beed10d5b36e1a16535a303c839b149e.jpg"
	}
}