Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Smoke Loader
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Smoke Loader
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)
ID: S0226
Associated Software: Dofoil
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 18 Apr 2018
Last Modified: 28 Mar 2020

Associated Software Descriptions
Name Description
Dofoil (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Smoke Loader uses HTTP for C2.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Smoke Loader searches for credentials stored from web browsers.(Citation: Talos Smoke Loader July 2018)
Enterprise T1114 .001 Email Collection: Local Email Collection

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).(Citation: Talos Smoke Loader July 2018)
Enterprise T1055 .012 Process Injection: Process Hollowing

Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Smoke Loader launches a scheduled task.(Citation: Talos Smoke Loader July 2018)
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Smoke Loader searches for files named logins.json to parse for credentials.(Citation: Talos Smoke Loader July 2018)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Smoke Loader scans processes to perform anti-VM checks. (Citation: Talos Smoke Loader July 2018)

References

  1. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  2. Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.
  3. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.