A malicious downloader malware called Smoke Loader, which sporadically infected victims since 2011, has gotten active this year with a new method to spread the infection to Windows users.
Like most malware, it tricks the victim into downloading a sketchy Microsoft Word document from a spam invoice email with unknown sender, and then prompts the user to enable macros, which allows the downloading of additional malware and equipping itself with five different plugins.
What makes it brand new amongst other malware is its application of PROPagate injection, a technique that was only theorized by researchers not too long ago – this implies that the attackers read about this theory and practiced its malware application.
Basically, PROPagate injection exploits the SetWindowsSubclass function, which is used to install or update active subclass Windows on the system. This subclass process is being abused by modifying the properties of Windows running in the same session. To put simply, hackers can secretly inject code and paste malicious files without the system ever noticing.
Smoke Loader further complicates itself by adding defensive parameters against researchers trying to study the malware through forensics, AV scanning/tracing, and debugging.
Five Deadly Plugins
As mentioned above, Smoke Loader is equipped with five different plugins, all designed to steal sensitive data on its target.
Plugin 1 is the largest with more or less 2000 functions. It mostly steals local directory files.
Plugin 2 parses directory files recursively and stored Outlook data.
Plugin 3 intercepts web browser data and cookies.
Plugin 4 records credentials by monitoring file data and mail data transfer protocols.
Plugin 5 steals a victim’s TeamViewer credentials.
Fighting Against Smoke Loader
Besides the usual security precautions people are expected to practice, it is of essential importance to have a dedicated email security software in place. This is done to make sure the malware stays as a deleted or blocked attachment securely.