SMOKEDHAM

Smokedham is a .NET-based malware, characterized as a backdoor that supports commands such as screen capture, keystroke capture, and execution of arbitrary .NET commands. The malware's source code is embedded as an encrypted string within a dropper, which is utilized to infiltrate systems. This dropper was deobfuscated as shown in Figure 7. The communication between Smokedham and its command-and-control (C2) server consists of JSON data exchanged via HTTP POST requests. Notably, the domains lumiahelptipsmscdnqa.microsoft[.]com and max-ghoster1.azureedge[.]net were observed being used for C2 server communication. The threat actor group UNC2465 has been associated with the distribution of Smokedham, employing phishing emails and legitimate services for delivery. Their activities date back to at least April 2019, marked by similar Tactics, Techniques, and Procedures (TTPs) to distribute the PowerShell-based .NET backdoor into victim environments. Once inside a system, Smokedham continuously captures keystrokes and uploads output generated by the PowerShell command to its C2 server through subsequent HTTP POST requests. Smokedham operates based on plaintext command data keywords, including "delay" (to update its sleep interval), "screenshot" (to upload a screen capture to its C2 server), and "exit" (to terminate). If the command data does not begin with any of these keywords, it assumes the data contains a PowerShell command and attempts to execute it. Additionally, the JSON data exchanged between Smokedham and its C2 server contains three fields: ID, UUID, and Data, with ID and UUID serving as unique identifiers for the target system and command output tracking respectively, and Data potentially containing RC4-encrypted, Base64-encoded command data.