SOC Incident Toolkit
Back to Campaigns
Smoke Loader Bill Trap

Smoke Loader Bill Trap

Smoke Loaderwin.smokeloaderUAC-0006DofoilRaccoon

Based on the Ukraine Computer Emergency Response Team (CERT-UA), the SmokeLoader malware is now spreading through a phishing campaign using traps focused on bills. A ZIP folder containing a fake document and a JavaScript file is attached to emails that the agency says were sent from hacked accounts.

Indicators of Compromise

Domains (560)

mail.expertsconsultgh.cotest.novostroi21.ruwww.vouchshow.xyznaturaverdebeauty.comwww.dwkapl.xyzwww.calvellirappresentanze.comwww.hezop.xyzwww.cusmose.comspecialblue.inwww.ascents.infowww.hagfiw.xyzmail.ciscuns.coopwww.brequx.onlinewww.bakecamp.infowww.tugrow.topvinetikett.comwww.bakerous.xyzqleapinnovations.comwww.ziplapse.xyzizmirlist.com+540 more

Hashes (1926)

2781e07822cf8b54406d5785e0e71e3158f4666f56411c5e607385b436a305d2676486db9a832e6981c352938a7bafb538d677257c82e2e4de954f2fb539546141a3b961b8fa0d3e4647af7bb4f12d72be0e24a76de9b42ef0375d75e11f346dab09f8c1b97a30d6c59e8b283a637519f89316a1b582fa12bae88efd86f9a3d53e804ba74f5532c5aa215cf81fca11c3a073d348f60f3d18c4beadec95ec2805e9b31cbecaeef7fa2b359e0ed75f843ee40bae1702a12503d82fdee2a27d89d21d396eb6494394d3dac4c6501d58800998314c6a76211cea5ed0667e98e9b99312d6a40cd6ffb1fa29134a07ba8b2b03a85aa2a5fec77456c64ede908920879f95486eff2ae51686a3c486b633a888ad87bdb79dd740e76152669508b4ac1f722ab2ff1c8c5a6cc44fbb68439dbb395e5cd6451340f8b0443fa9c80e730b303a059128bd4299875cb0dc4433c10d74c9f443ad90f78acc99f2f6faca9e8fb849a94ed916303d2e9b6af762e10f76cc0451ab0974c1c873794c9b08f6b36ec0ddb0b5f6c17dbad0ffca23479735a85d6c83cad40bae0134099323d27b65628b81a4f0af54894e03628054ce4d69a55b29e38b845a80e1fc5b47c56186f769a51bf1035048fd125c1f0915dfba50d58a72979d7209230e2f1fd90c8c66a702512b24a15b73141c803ac5af346b42d47b64b7d12bdbf29890c557608f42511b8b7a09c6fe1f69605c8965a1a24fd1b04bb47352f7e0e8d0450a232941b6aa7164ddd0b080053eaceec839bb4daae36660530ee8b24d7364ebe67d5f28f2f5c799aeb555edb7e392eb7bdf287c4f5795fba56cabbb213f569e8ce04cc462+1906 more

IPv4 (204)

79.137.192.694.140.114.197212.193.30.21194.36.177.60209.94.57.13194.140.114.84208.91.199.225104.168.46.107116.202.6.206138.124.184.20962.204.41.7991.208.197.229199.58.96.49156.96.113.11831.41.244.23780.66.87.1180.66.75.116194.71.227.6279.124.78.20677.91.124.145+184 more

CVEs (3)

CVE-2023-29059CVE-2022-34354CVE-2022-40751

APT Groups

SMOKY SPIDER

TA505

Russian Federation

Mitigation

<div><b><font>Smoke Loader</font></b></div><div><font>Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]</font></div><div><font><br></font></div><div><font><b style=""><font>Associated Software Descriptions</font></b><br></font></div><div><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;"><font color="#262626"><span style="font-size: 14px; font-weight: 400;">Name</span></font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;"><font color="#262626"><span style="font-size: 14px; font-weight: 400;">Description</span></font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><span style="font-size: 14px;">Dofoil</span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><span style="font-size: 14px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[1]</a></span></span>&nbsp;<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[2]</a></span></span></span></font></p></td></tr></tbody></table><b><font>Techniques Used</font></b><br></div><div><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Domain</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Use</th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1071</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;uses HTTP for C2.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1547</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1059</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;adds a Visual Basic script in the Startup folder to deploy the payload.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1555</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;searches for credentials stored from web browsers.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1140</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;deobfuscates its code.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1114</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1114/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1114/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Email Collection</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1083</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;recursively searches through directories for files.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1105</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;downloads a new version of itself once it has installed. It also downloads additional plugins.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1027</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;uses a simple one-byte XOR method to obfuscate values in the malware.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1055</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;injects into the Internet Explorer process.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.012</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1053</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;launches a scheduled task.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1552</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;searches for files named logins.json to parse for credentials.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223); border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1497</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0226" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Smoke Loader</a>&nbsp;scans processes to perform anti-VM checks.&nbsp;<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr></tbody></table></div><div><br></div>