Smokeloader

Malware updated 5 hours ago (2024-11-21T10:32:00.727Z)

Download STIX

Preview STIX

SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its functionality to download the Phobos payload and exfiltrate data from compromised systems. These actors often embed the ransomware as a hidden payload using SmokeLoader, which can be delivered through suspicious downloads, emails, or websites. The threat actors also use SmokeLoader to inject code into running processes, identifying an entry point through enabling a VirtualAlloc or VirtualProtect process. Alternatively, they send spoofed email attachments embedded with hidden payloads such as SmokeLoader. Between May 27 and 29, 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers like SmokeLoader. This operation resulted in the dismantling of dropper botnet infrastructure that supported initial-access Trojan malware strains, including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot. Eight Russian nationals, including Airat Gruber, the suspected admin of SmokeLoader, were added to the list of Europe's most wanted fugitives for their roles behind developing these botnets. In addition to SmokeLoader, Phobos intrusions have involved the use of various open-source tools, including Cobalt Strike and Bloodhound. The government reported at least two massive campaigns since May 20, where threat actors aimed at distributing SmokeLoader malware via email. The malware used in these campaigns includes information stealers such as Mystic Stealer, Rise Pro, and Redline; and loaders such as SmokeLoader and Amadey. As a result of these activities, CERT-UA issued a warning about an increase in cyberattacks targeting Ukrainian finances with SmokeLoader malware.

Description last updated: 2024-11-21T10:26:22.055Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Pikabot is a possible alias for Smokeloader. Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoa	2
Gozi Isfb is a possible alias for Smokeloader. Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.	2
IcedID is a possible alias for Smokeloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	2
Privateloader is a possible alias for Smokeloader. PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Ransomware

Payload

Phishing

Botnet

Loader

Remcos

Windows

Dropper

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Phobos Malware is associated with Smokeloader. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing	Unspecified	5
The TrickBot Malware is associated with Smokeloader. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	3
The Redline Stealer Malware is associated with Smokeloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	Unspecified	3
The Amadey Malware is associated with Smokeloader. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	Unspecified	3
The Systembc Malware is associated with Smokeloader. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f	Unspecified	3
The Zloader Malware is associated with Smokeloader. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform	Unspecified	2
The Bumblebee Malware is associated with Smokeloader. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav	Unspecified	2
The Venomrat Malware is associated with Smokeloader. VenomRAT is a sophisticated piece of malware that was discovered by security researchers, designed to exploit and damage computer systems. The malicious software infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal	Unspecified	2
The Scrubcrypt Malware is associated with Smokeloader. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The 8base Threat Actor is associated with Smokeloader. 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o	Unspecified	3

Source Document References

Information about the Smokeloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	8 hours ago	Phobos Ransomware admin faces cybercrime charges
Securityaffairs	a month ago	Experts warn of a new wave of Bumblebee malware attacks
Securityaffairs	3 months ago	CERT-UA warns of a phishing campaign targeting government entities
Securityaffairs	4 months ago	Security Affairs newsletter Round 480 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	5 months ago	Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc
DARKReading	6 months ago	Europol's Hunt Begins for Emotet Malware Mastermind
Securityaffairs	6 months ago	Security Affairs newsletter Round 474 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity	6 months ago	European Police Take Down Botnet Servers, Make Arrests
Securityaffairs	6 months ago	Operation Endgame, the largest law enforcement operation ever against botnets
Securityaffairs	6 months ago	CERT-UA warns of malware campaign conducted by threat actor UAC-0006
Flashpoint	6 months ago	Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
ESET	8 months ago	Rescoms rides waves of AceCryptor spam
CERT-EU	8 months ago	Threat actors are turning to novel malware as malicious attacks rise
CERT-EU	8 months ago	Phobos Unleashed: Navigating the Maze of Ransomware’s Ever-Evolving Threat
BankInfoSecurity	a year ago	New Ransomware Actor 8Base Rivals LockBit in Extortion
CERT-EU	9 months ago	CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	9 months ago	CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	9 months ago	Ongoing Phobos ransomware threat prompts federal warning
Securityaffairs	9 months ago	US cyber and law enforcement agencies warn of Phobos ransomware attacks
CERT-EU	9 months ago	SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)