Smoky Spider
Description
(IBM) According to 360 NetLab, the (relatively) ancient malware downloader has enjoyed a slow burn on the black market, where malicious actors can pick up a customized copy for $850. While other researchers have identified various aspects of the threat, 360 NetLab took aim at the malware’s admin panel, which offers support for multiple plugins and functions — such as FORM GRAB, BOT LIST, KEYLOGGER and more — designed to help attackers successfully infiltrate targeted devices.
The flexibility of Smoke Loader remains its biggest appeal; it was among the top 10 malware threats detected by Check Point in December 2018. It’s the first time a second-stage downloader has made the list, and may indicate a coming shift in the threat profiles of typical malware attacks.
Smoke Loader has been observed to distribute DoppelPaymer (Doppel Spider), TinyLoader (Tiny Spider), DanaBot (Scully Spider, TA547), BokBot (Lunar Spider), Zeus Panda (Bamboo Spider, TA544) and TrickBot (Wizard Spider, Gold Blackburn).
Names
| Name | Name-Giver |
|---|---|
| Smoky Spider | CrowdStrike |
Country
Motivation
- Financial gain
First Seen
2011
Observed Countries
Tools
Operations
- 2015: Smoke Loader – downloader with a smokescreen still alive https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/
- 2018-04: Smoke Loader malware improves after Microsoft spoils its Campaign https://www.spamhaus.org/news/article/774/smoke-loader-malware-improves-after-microsoft-spoils-its-campaign
- 2018-06: Smoking Guns - Smoke Loader learned new tricks https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
- 2018-07: The Cylance Threat Research team recently dissected a resurgent form of Smoke Loader. Our investigation uncovered two other samples of malware working with Smoke Loader: a document packed with malicious macros, and Trickbot, a banking Trojan. https://threatvector.cylance.com/en_us/home/threat-spotlight-resurgent-smoke-loader-malware-dissected.html
- 2018-11: Analysis of Smoke Loader in New Tsunami Campaign https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/
- 2019-04: Proofpoint observed that the malware returned to regular attacks against German and Swiss users in April 2019 after taking a hiatus in 2018. These campaigns helped reveal several new techniques now employed by the banking Trojan. One geographically targeted campaign against Switzerland, for instance, used an Object Linking and Embedding (OLE) package to deliver Smoke Loader. This threat, in turn, downloaded Retefe two hours after infection. https://securityintelligence.com/news/retefe-banking-trojan-returns-with-smoke-loader-as-its-intermediate-loader/
Counter Operations
- 2018-03: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/
Information
- https://www.webroot.com/blog/2012/02/03/a-peek-inside-the-smoke-malware-loader/
- https://www.cert.pl/en/news/single/dissecting-smoke-loader/
- https://blog.netlab.360.com/smoke-loader-the-core-files-the-admin-panel-the-plugins-and-the-3rd-party-patch/
- https://securityintelligence.com/news/smoke-loader-botnet-still-active-on-black-market-after-8-years/
Other Information
Uuid
a74110c6-af39-4e20-a9fa-85a90cb44c62
Last Card Change
2020-04-15