HTML Application files are being used to distribute Smoke Loader malware
securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/
June 21, 2022
Threat actors routinely pick under-the-radar file types to deliver malware to a victim's machine. HTML Application (HTA) files are treated as a less suspicious file type by various security providers. The SonicWall Capture Labs Threat Research team has observed an HTA file inside an archive being delivered to the victim's machine, which then downloads and executes Smoke Loader malware.
Infection Cycle:
The archive file name is in German, "Zahlungserinnerung-BV-Green-Golfm.zip", and poses as a payment reminder for the victim. The HTA file contains HTML code that displays a service estimate from "LM Classic Cars" for a Ferrari 348 TB for an Austrian customer; in addition, it contains JavaScript code that downloads the malware using a PowerShell script:
The JavaScript code launches the PowerShell executable, which in turn launches another instance of the PowerShell executable via Command Prompt:
The PowerShell script contains code to perform the actions below on MS Office file handling:
Enable all macros
Disable Protected View for files from the Internet zone
Disable Protected View for attachments opened in Outlook
Disable Protected View for files in unsafe locations
The PowerShell script then downloads the malware from the URL h[t][t]p://www.trimm.at/error/upx.exe
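As an added example (not from the post, the HTA or SonicWall's tooling), the following Python flags the mshta > powershell > cmd > powershell process chain and the Office security changes described above in constructed Sysmon-style events; the Office registry value names are assumed to be the standard policy values, since the post does not name them.

```python
"""Detect the mshta > powershell > cmd > powershell chain and the Office security
changes described above in constructed Sysmon-style events (added example)."""
import re
# Assumption: the script writes the standard Office security values; the post
# only names their effect (enable all macros, disable Protected View).
OFFICE_WEAKENING = {"VBAWarnings", "DisableInternetFilesInPV",
                    "DisableAttachementsInPV",  # sic: Office spells it this way
                    "DisableUnsafeLocationsInPV"}
OFFICE_KEY = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security\\", re.I)
SUSPICIOUS_CHAINS = [("mshta.exe", "powershell.exe"),
                     ("powershell.exe", "cmd.exe", "powershell.exe")]
def ancestry(events):
    """Map each created pid to its image-name chain, root first, via ParentProcessId."""
    by_pid = {e["ProcessId"]: e for e in events if e["type"] == "ProcessCreate"}
    chains = {}
    for pid, e in by_pid.items():
        chain, cur = [], e
        while cur is not None:
            chain.append(cur["Image"].rsplit("\\", 1)[-1].lower())
            cur = by_pid.get(cur["ParentProcessId"])
        chains[pid] = tuple(reversed(chain))
    return chains

def findings(events):
    """(rule, pid, detail) for chains ending in a suspicious pattern and for
    Office security values set to 1 (Sysmon event 13 Details: 'DWORD (0x...)')."""
    out = []
    for pid, chain in ancestry(events).items():
        for pattern in SUSPICIOUS_CHAINS:
            if chain[-len(pattern):] == pattern:
                out.append(("process_chain", pid, " > ".join(pattern)))
    for e in (x for x in events if x["type"] == "RegistryValueSet"):
        key, _, name = e["TargetObject"].rpartition("\\")
        value = re.search(r"0x([0-9a-f]+)", e["Details"], re.I)
        if OFFICE_KEY.search(key + "\\") and name in OFFICE_WEAKENING and value and int(value.group(1), 16) == 1:
            out.append(("office_security_weakened", e["ProcessId"], name))
    return out
def _proc(pid, ppid, image):
    return {"type": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid, "Image": image}
def _reg(pid, target):
    return {"type": "RegistryValueSet", "ProcessId": pid, "TargetObject": target, "Details": "DWORD (0x00000001)"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE = r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security"
SAMPLE_EVENTS = [  # constructed, modelled on the chain the post describes
    _proc(100, 1, r"C:\Windows\System32\mshta.exe"), _proc(200, 100, PS),
    _proc(300, 200, r"C:\Windows\System32\cmd.exe"), _proc(400, 300, PS),
    _reg(400, OFFICE + r"\VBAWarnings"),
    _reg(400, OFFICE + r"\ProtectedView\DisableInternetFilesInPV"),
]
```

Only the process at the end of a chain is reported, so the intermediate cmd.exe does not produce a duplicate finding.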
The Smoke Loader malware works in multiple stages and layers. It uses code obfuscation, anti-debugging, anti-VM and Living off the Land techniques. The malware makes sure that a memory dump does not expose its full intent at any point in time.
First Stage Executable
The first stage executable is highly obfuscated: it contains large loops with garbage API calls followed by a conditional jump. The malware uses an opaque predicate technique, as control never reaches the garbage API calls; they are kept only to make analysis difficult. Within a loop with a large number of iterations, only a few operations are actually required by the malware, and they are executed on a particular iteration. The iteration loop below is intended to calculate the encrypted bytes size on the 0x40Ath iteration:
The malware decrypts shellcode into memory, which in turn brings in the second stage executable:
The shellcode uses PEB_LDR_DATA from the Process Environment Block and iterates through InLoadOrderModuleList to get the API addresses. The shellcode decrypts the next stage executable in memory and performs process hollowing to replace the current process image in the address space, then starts execution of the new image from its entry point:
Second Stage Executable:
The second stage executable code is full of techniques used to detect execution in a controlled environment.
Anti-Debug
Checking BeingDebugged and NtGlobalFlag in the Process Environment Block is common across malware. The tricky part here is that, instead of branching the code based on the flag values, the malware uses the flag values to compute a jump offset. If the malware is running inside a debugger, it computes an invalid address, which gives the researcher the impression of a corrupted file:
[Figure: annotated disassembly of the anti-debug routine. Labels in the image: BeingDebugged, Adding imagebase, NtGlobalFlag, Increasing NtGlobalFlag value, Stack push, Stack pop, Adding into BeingDebugged value, Computing jump offset]
On-Demand Decryption
The malware decrypts code on demand just before executing it, and once the code has executed, the malware encrypts it again. It does this to prevent its complete code from being exposed in one shot:
Loaded Modules
The malware checks for the modules below in the current process; if any of them is loaded, the malware terminates execution.
sbiedll (Sandboxie module)
aswhook (Avast module)
snxhk (Avast module)
Virtual Environment
The malware examines the registry entries under "\REGISTRY\MACHINE\System\CurrentControlSet\Enum\IDE" and "\REGISTRY\MACHINE\System\CurrentControlSet\Enum\SCSI" for the substrings below to check for a virtual environment.
qemu
virtio
vmware
vbox
xen
The malware enumerates all running processes and looks for the processes below. If any of them is found, the malware terminates execution. The code shows some laziness here: instead of a dynamic size for each individual process name, the malware uses a fixed size of 0x20 bytes for all process names:
qemu-ga.exe
qga.exe
windanr.exe
vboxservice.exe
vboxtray.exe
vmtoolsd.exe
prl_tools.exe
The malware looks for the 7-byte filename substrings below on the victim's machine. If any of them is found, the malware terminates execution:
vmci.s
vmusbm
vmmous
vm3dmp
vmrawd
vmmemc
vboxgu
vboxsf
vboxmo
vboxvi
vboxdi
vioser
Code Injection
The malware obtains the explorer.exe process ID using the APIs GetShellWindow and GetWindowThreadProcessId:
The malware creates and maps two sections in explorer.exe: one section has PAGE_READWRITE access to store data, and the second has PAGE_EXECUTE_READ access to hold the injected shellcode. Not enabling WRITE access on the shellcode memory makes debugging a little more difficult, as it prevents the researcher from placing software breakpoints and modifying the code as needed:
The malware injects the shellcode into the mapped section and calls NtCreateThreadEx, passing the data section address as the parameter:
ShellCode Execution:
The shellcode injected into explorer.exe spawns two sub-threads that keep an eye out for monitoring tools. If the researcher opens any monitoring or analysis tool, it is immediately terminated by the sub-threads while the main thread goes about its job.
Thread 1
This thread enumerates all running processes, computes a hash of each running process name and compares it with its list of hashes in order to terminate the processes below:
56DAB1A9 → Autoruns.exe
F3E35F5E → procexp.exe
2407724B → procexp64.exe
FBC25850 → procmon.exe
27151A96 → procmon64.exe
E6ED4551 → Tcpview.exe
27D7E006 → Wireshark.exe
2CEB6C62 → ProcessHacker.exe
EDCD7F5E → ollydbg.exe
70A30042 → x32dbg.exe
4EA30D45 → x64dbg.exe
0CCD4A10 → idaq.exe
0CCD4C3A → idaw.exe
0956AD95 → idaq64.exe
337CAD95 → idaw64.exe
Thread 2
The malware enumerates windows, computes a hash of each window name and compares it against the list below to terminate the processes that own those windows:
61C75CDC → Autoruns
4DFA76EB → PROCEXPL
95E8B472 → PROCMON_WINDOW_CLASS
62DC4674 → TCPViewClass
6A0FAA84 → Wireshark
7FF991A1 → ProcessHacker
BEDA6295 → OLLYDBG
62DD69FD → IDA
Main Thread
The main thread starts with Process Environment Block (PEB) traversal to get the ImageBase of ntdll.dll and kernel32.dll. The malware then enumerates the export functions to get the addresses of the required APIs. Instead of direct API names, the malware keeps a list of hash values, which are compared against the hash of each exported function name:
The malware keeps a list of RC4-encrypted strings in a structure in which the first byte(s) hold the string size, followed by the encrypted string. The malware performs the RC4 decryption just before using each string:
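Added example, not the malware's code or SonicWall's: a Python walker for a string table of the layout described above (size prefix, then RC4 ciphertext), with a constructed key and sample table; it assumes a 1-byte size and RC4 restarted with the same key for each entry.

```python
"""Parse a table of length-prefixed RC4-encrypted strings of the layout the
post describes and decrypt each entry (added example, constructed data)."""

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then keystream XOR (same op decrypts)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_table(key: bytes, blob: bytes) -> list:
    """Walk [size][ciphertext] records to the end of the blob.
    Assumptions: a 1-byte size and RC4 restarted with the same key per entry."""
    strings, pos = [], 0
    while pos < len(blob):
        size = blob[pos]
        chunk = blob[pos + 1:pos + 1 + size]
        if len(chunk) < size:  # do not guess at a truncated final record
            raise ValueError(f"truncated entry at offset {pos}: need {size}, have {len(chunk)}")
        strings.append(rc4(key, chunk).decode("ascii", errors="replace"))
        pos += 1 + size
    return strings

def build_table(key: bytes, strings) -> bytes:
    """Constructed encoder, only so the parser has realistic input to chew on."""
    blob = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("entry too long for a 1-byte size prefix")
        blob.append(len(raw))
        blob += rc4(key, raw)
    return bytes(blob)

KEY = b"placeholder-key"  # the real key is not in the post; constructed here
SAMPLE_TABLE = build_table(KEY, ["ntdll.dll", "kernel32.dll", "explorer.exe"])
```

Against a real sample, KEY and SAMPLE_TABLE would be replaced by the key and table bytes recovered from the unpacked shellcode.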
The malware computes a unique identifier for the victim's machine using the formula below:
MD5(computer name + hardcoded DWORD value + system drive serial number) + system drive serial number
The malware creates a mutex named with the unique identifier to prevent another instance of the shellcode from running; if another instance is already running, the malware terminates its execution:
The malware reads Internet Explorer version information from the registry and builds a user agent string from it:
The malware drops a copy of itself into the %APPDATA% directory; the file name is computed by encoding the first 7 bytes of the unique identifier:
The malware deletes the current instance of itself and removes the Zone.Identifier from the copy dropped in %APPDATA%:
The malware sets the dropped file's attributes to FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM. The malware copies the creation time of advapi32.dll and stamps the same creation time on the dropped file, to avoid being red-flagged by security products.
C&C Communication
The malware contains 4 C&C servers:
ostgotahusbilsuthynring.de
autoland-ls.de
autogalerieseud.de
autohuas-e-c.de
Before communicating, the malware calculates a CRC32 checksum over one of the C&C server strings to make sure the C&C has not been modified by a researcher; if it has been modified, the malware terminates execution. The malware prepares POST data that includes the variant ID, the unique identifier for the victim's machine, the computer name and 0xA1 random bytes. The data is then encrypted with the RC4 algorithm and sent to the C&C server:
At the time of analysis none of the 4 C&C servers were responding, but digging deeper into the malware code reveals that the malware expects a response from the C&C server containing a Variant ID (0x7E6), the plugin size and the plugin modules.
The unavailability of the archive file on any of the popular threat intelligence sharing portals, such as VirusTotal and ReversingLabs, indicates its uniqueness and limited distribution:
Evidence of detection by the RTDMI ™ engine can be seen below in the Capture ATP report for this file: