Smoke Loader: Old malware reborn

Back in 2011, when the internet still felt new and young and when data breaches were relatively unheard of, cybercriminals developed a tool for distributing malware called Smoke Loader. Back then, Smoke Loader was used to send out seemingly legitimate emails with seemingly legitimate attachments: Word documents or PDF files. Then, when an unsuspecting victim opened the file, Smoke Loader would download and execute additional malware, accomplishing the cybercriminals’ unknown goals.

Since 2011, cybercrime has evolved by leaps and bounds. Today, hackers can take advantage of built-in device vulnerabilities to gain access to otherwise super-secure networks; they can build AI-backed malware capable of morphing to elude discovery and defense; they can sneak malware into apps and onto machines and lurk for years without detection. Yet, researchers have just discovered that despite these notable enhancements to committing cybercrime, hackers just can’t quit Smoke Loader.

What is Smoke Loader doing now?

While the rest of the infosec industry has moved onward and upward, Smoke Loader has largely remained the same: It hides in email-attached Microsoft Word documents and installs malware onto victims’ computers with the intent of stealing login credentials and other valuable data.

Still, the bot has gained some new tricks in the past seven years. For one, it has been updated to run on newer versions of Windows, so it still functions effectively when installed on the latest devices and operating systems. For another, it has been paired with other pieces of malware, including the Trickbot Trojan.

Trickbot, like Smoke Loader, is an old malware that targets major bank customers, tricking them into revealing their banking credentials so it can pilfer their hard-earned money. Also like Smoke Loader, Trickbot has gained a few new wiles, including the ability to utilize vulnerabilities in operating systems and other software.

Worse, there is some evidence that Smoke Loader is being used to disseminate cryptomining malware. In March of this year, Microsoft intervened in an attack that would have compromised hundreds of thousands of devices through Smoke Loader, which Microsoft’s researchers call Dofoil. It’s likely that hackers will continue to modify and apply Smoke Loader in the future, which raises the question:

Why is Smoke Loader still in use?

When an industry advances as quickly as tech, offering newer and more powerful methods of completing goals, one can’t help but wonder: Why would black hats bother recycling such an outdated tool when they could develop something better? The truth is that developing any software, but specifically malware, isn’t easy. It is much more time- and energy-efficient to modify an existing app, especially one that has proven itself effective, than to start from scratch. By adding onto Smoke Loader, hackers can focus on improving specific elements of the malware, such as detection avoidance and code obfuscation, thereby increasing their chance of success. Almost all creators behave similarly — refining others’ work instead of inventing something completely new.

How can users protect themselves?

While it is interesting to learn how malware functions, most users are primarily interested in how they can stop all malware and keep their data safe. Fortunately, Smoke Loader is relatively easy to thwart; users only need to practice basic security hygiene to recognize and avoid infection.

Because Smoke Loader spreads through fraudulent emails, users should be wary of messages from anyone they don’t recognize and diligent about investigating potential threats. For example, banks likely won’t contact customers over email, requesting confidential information like login credentials or sending sensitive information as an attached Word doc or PDF. Users who receive a communication like this should contact their financial institution using another method, ideally phone or in person, to confirm that the message is a scam. Then, users can delete the email and stay safe.
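The three warning signs above (an unfamiliar sender, a Word or PDF attachment, and a request for credentials) can be checked mechanically before a user ever opens the attachment. The script below is an added example, not code from the original article or from any security product; the trusted-domain list, the risky-extension list, the credential phrases and the sample message are all constructed here, and treating two or more indicators as suspicious is the author's own threshold, not a published rule.

```python
"""Triage an email for the traits the article associates with Smoke Loader
lures: an Office or PDF attachment from an unrecognised sender that asks
for credentials. Added example; all lists and sample data are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allowlist standing in for "senders the user recognises".
TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}

# Document types the article names as carriers, plus the macro-enabled
# Office variant (assumption: a defender would treat these as risky here).
RISKY_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".pdf"}

# Phrases typical of credential-harvesting lures (constructed list).
CREDENTIAL_PHRASES = ("verify your account", "confirm your password",
                      "login credentials", "update your details")


def sender_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain of the From: address ('' if absent)."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def risky_attachments(msg: EmailMessage) -> list[str]:
    """List attachment filenames whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rpartition(".")[2].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report which indicators it trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""

    reasons = []
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not a recognised contact")
    attachments = risky_attachments(msg)
    if attachments:
        reasons.append("document attachment(s): " + ", ".join(attachments))
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        reasons.append("body asks for credentials or account details")

    # A legitimate bank rarely combines an unknown sender, a document and a
    # credential request; two or more indicators is treated as suspicious.
    return {"domain": domain, "reasons": reasons, "suspicious": len(reasons) >= 2}


def build_sample(lure: bool = True) -> bytes:
    """Constructed test messages: a lure resembling the article's description
    (lookalike bank domain, .docx attachment, password request) and a benign
    notice from the genuine domain. Neither is a real captured sample."""
    msg = EmailMessage()
    msg["To"] = "customer@corp.example"
    if lure:
        msg["From"] = "Example Bank Security <alerts@example-bank-secure.com>"
        msg["Subject"] = "Action required: verify your account"
        msg.set_content("Please open the attached statement and confirm your password.")
        # Placeholder bytes, not a real document; only the filename matters here.
        msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                           subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                           filename="Statement.docx")
    else:
        msg["From"] = "Example Bank <alerts@example-bank.com>"
        msg["Subject"] = "Your monthly statement is ready"
        msg.set_content("Your monthly statement is ready in online banking.")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        result = triage(build_sample(lure))
        print("suspicious" if result["suspicious"] else "ok", result["reasons"])
```

The check deliberately does not inspect the attachment's contents; it only asks whether the message matches the pattern the article describes, which is what a mail filter can decide cheaply before any document is opened.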

However, other types of malware are more aggressive or more pernicious than Smoke Loader. Users should be equipped with the best internet security programs available, which will monitor potential online threats and prevent actions that could compromise their devices. Often, these tools come with antivirus software, browser add-ons, a robust firewall, phishing filters, parental controls and more to keep malware at bay.

Smoke Loader might not be the highest-tech malware on the market, but even the old methods remain effective against users who can’t or won’t protect themselves against digital threats. Users who invest in security will avoid becoming victims of Smoke Loader and of any worse malware that comes our way.

Photograph by Pixelcreatures