An updated version of the Smoke Loader malware downloader has been sampled in the wild and was found to contain one of the first successful uses of the PROPagate injection technique in an actual attack.
Cisco Talos researchers Ben Baker and Holger Unterbrink said a sample of the new and improved Smoke Loader was captured several months ago when a Cisco security product detected it attacking a company. The PROPagate technique was first described in October 2017 and uses the SetWindowSubclass API to load malicious code through GUI windows.
Other aspects of Smoke Loader remained the same. It spreads through email and uses a Word document with a malicious macro that the victim is enticed into opening, which starts the malware download. It is primarily used to deliver ransomware and cryptominers. Additional plugins are available for Smoke Loader that steal information, specifically targeting stored credentials or sensitive information transferred over a browser, including Windows and TeamViewer credentials, email logins, and others, the researchers said.
Smoke Loader has been operating for many months and was behind several high-profile attacks.
On 6 March Microsoft said Windows Defender Antivirus blocked 80,000 Smoke Loader, aka Dofoil, attacks attempting to deliver a currency miner. In total more than 400,000 instances were recorded, with the vast majority, 73 percent, hitting Russia; Turkey, at 18 percent, and Ukraine, at 4 percent, were the other main targets.