SMOKEDHAM

Malware Profile Updated 2 months ago
Smokedham is a .NET-based backdoor that supports commands such as screen capture, keystroke capture, and execution of arbitrary .NET commands. Its source code is embedded as an encrypted string within a dropper used to infiltrate systems; the deobfuscated dropper is shown in Figure 7. Smokedham communicates with its command-and-control (C2) server by exchanging JSON data over HTTP POST requests. The domains lumiahelptipsmscdnqa.microsoft[.]com and max-ghoster1.azureedge[.]net were observed in use for C2 communication.

The threat actor group UNC2465 has been associated with distributing Smokedham through phishing emails and legitimate services. Their activity dates back to at least April 2019 and shows similar Tactics, Techniques, and Procedures (TTPs) for delivering the PowerShell-based .NET backdoor into victim environments.

Once on a system, Smokedham continuously captures keystrokes and uploads the output of each PowerShell command to its C2 server in subsequent HTTP POST requests. It acts on plaintext command data keywords: "delay" updates its sleep interval, "screenshot" uploads a screen capture to the C2 server, and "exit" terminates the backdoor. If the command data does not begin with any of these keywords, Smokedham assumes it contains a PowerShell command and attempts to execute it. The JSON exchanged with the C2 server carries three fields: ID, UUID, and Data. ID uniquely identifies the target system, UUID tracks command output, and Data potentially contains RC4-encrypted, Base64-encoded command data.
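As an added example (not code from this profile or from Mandiant), here is a defender-side decoder for captured POST bodies in the format described above: it parses the ID/UUID/Data JSON, Base64-decodes and RC4-decrypts Data, and classifies the plaintext by the delay/screenshot/exit keywords. The RC4 key is an assumption (the profile does not give one) and the sample body is constructed.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_message(body: str, key: bytes) -> dict:
    """Parse one captured POST body: JSON with ID, UUID and Data (Base64 of RC4 ciphertext)."""
    msg = json.loads(body)
    plaintext = rc4(key, base64.b64decode(msg["Data"])).decode("utf-8", errors="replace")
    return {"ID": msg["ID"], "UUID": msg["UUID"], "command": plaintext}


def classify_command(command: str) -> str:
    """Map decrypted command data to the behaviour the profile describes."""
    text = command.strip()
    for keyword in ("delay", "screenshot", "exit"):
        if text.startswith(keyword):
            return keyword
    return "powershell"  # anything else is treated as a PowerShell command


# Constructed sample capture; the key is an assumption, not a value from the profile.
SAMPLE_KEY = b"example-key-not-from-page"
SAMPLE_BODY = json.dumps({
    "ID": "HOST-0001",
    "UUID": "11111111-2222-3333-4444-555555555555",
    "Data": base64.b64encode(rc4(SAMPLE_KEY, b"delay 30")).decode(),
})

if __name__ == "__main__":
    decoded = decode_c2_message(SAMPLE_BODY, SAMPLE_KEY)
    print(decoded, classify_command(decoded["command"]))
```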
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Dropper
Downloader
ngrok
Windows
Lateral Move...
Ransomware
Vulnerability
Phishing
Malware
Sandbox
Beacon
Vpn
Associated Threat Actors
DarkSide (type: Unspecified), 1 vote
DarkSide is a notorious threat actor known for its malicious activities involving ransomware attacks. The group gained significant notoriety in 2021 when it attacked the largest oil pipeline in the United States, leading to a temporary halt of all operations for three days. This incident, along with
Associated Vulnerabilities
CVE-2021-20016 (type: Unspecified), 1 vote
Source Document References
Information about the SMOKEDHAM malware was read from the documents corpus below. This display is limited to 20 results.
MITRE (a year ago): Shining a Light on DARKSIDE Ransomware Operations | Blog | Mandiant
MITRE (a year ago): Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise | Mandiant