The Smoke Loader malware downloader has recently resurfaced and now has been found to download a document containing malicious macros that then down load the Trickbot trojan.
According to a blog post by Cylance, its investigations uncovered two other samples of malware working with Smoke Loader: a document packed with malicious macros, and Trickbot, a banking Trojan.
They said that the initial step of the attack relies on a user opening and activating a document loaded with malicious macros. Once successful, the attack enters phase two, where Smoke Loader downloads and executes. Smoke Loader then downloads and executes the Trickbot banking Trojan.
The attack begins with an attachment posing as an invoice from a legitimate private company. When the file is opened, the reader is presented with an embedded image resembling an invoice and a warning alert.
"In fact, both the invoice and the warning are objects in the same image. The MS Word warning is not actually triggered when the file is opened. The document hides sixteen separate, obfuscated, malicious macros. Enabling macros will cause them to run," said the researchers.
According to researchers, the macros invoke various PowerShell instructions, one which saves a randomly named .BAT file in the %temp% folder. Successful execution of the macros and PowerShell instructions results in Smoke Loader malware being dropped on the target system.
The malware also uses GetShellWindow->GetWindowThreadProcessId->NtOpenProcess to inject itself into processes and propagate. If successful, Smoke Loader will remain undetectable to common iteration processes.
Researchers said that Smoke Loader is primarily used to download other malware and in its tests it downloaded the banking Trojan, Trickbot. It found that while Smoke Loader and Trickbot perform separate functions, both files shared the same structure
Trickbot then attempts to inject itself into the taskeng.exe process and attempts to establish communication with nearly two dozen command-and-control (C2) servers.
Researchers said that Smoke Loader was a well-established, highly configurable, effective malware which is being actively updated by threat groups. "It is a modular malware, meaning it can receive new execution instructions from C2 servers and download additional modules for expanded functionality," they said.
They added that the malware has been actively modified to circumvent and elude specific protective measures as recently as March of 2018.
Chris Boyd, lead malware analyst at Malwarebytes, told SC Media UK that much like Zeus, Smoke Loader is a long lived malware threat that never seems to go out of fashion.
"For all the sophistication present in the malware itself, ultimately, this attack still relies on social engineering and enabling functionality that most people would never need to use," he said. "Organisations shouldn't have macros disabled by default via group policy. Only those with a strict business case for it should have them enabled, and the staff making use of macros should be educated on potential threats."
Jake Moore, security specialist at ESET, told SC Media UK that the threat from cyber-attacks is increasing all the time as cyber-criminals find newer more innovative ways to target organisations and individuals all the time.
"These phishing attacks simply rely on trust and the typical victim believes what they are reading. Manipulation of people is nothing new and has been used by fraudsters for hundreds of years and scammers have now become experts in the field of digital impersonation. Training is imperative, which can even include penetration testing amongst companies. It’s always better to prevent proactively than respond reactively," he said.