Smoke Loader is a botnet software that is publicly available since 2011 on the black market. It is old but still active, just in the last six months we have seen more than 1,500 active samples.
Although it has been repeatedly exposed by different security researchers in recent years, the public available documents we have seen are all missing an important part of this botnet software, the admin panel. We are not quite sure why no one seems to have talked about it except citing screenshot shared by the possible malware author in the underground forum.
We also noticed the existence of a bunch of special modified samples, these samples also caught attention by other researchers. There is a theory that the original author did this as an effort to hide the C2 to make it more difficult to be taken down. We have a different thought, we think that there are 3rd party out there who do not want to pay the original author fees to update C2 so they released these patched versions.
So here are some details:
Smoke Loader Kit
The file structure in the kit is shown in the following figure,
- Core File, Loader_new_Cyberbunker.exe, working payload to be injected to the processes of the infected hosts.
- Web Console, this is the Admin Panel
- Plugins, including panel/mods and panel/keylogger, etc.
- Mysql database build script smoke_1.sql, where plugin rules are stored
- Smoke Loader Feature Introduction, smoke_features.txt
- Installation Notes
Admin panel
After deploying it, we get a web control interface, which is the Smoke Loader’s admin panel. It just looks very similar to the screenshots security researchers found from the underground market.
The admin panel supports the following 12 modules (For details, refer to the smoke_features.txt) file comes with the kit:
- STEALER
- FORM GRAB
- PASS SNIF
- FAKE DNS
- FILE SEARCH
- PROCMON
- DDOS attack
- KEYLOGGER
- HIDDEN TV(team viewer)
- MINER
- EMAIL GRAB
- User-defined program
The modules’ storage location and execution are different:
- The first eight functions, from ” STEALER” to “KEYLOGGER” refers to Panel/mods/plugins, this single file is actually a collection of 16 plug-ins. The 16 executables can be loaded by injecting into seperate explorer.exe process on victim hosts.
- Hidden TeamViewer and MINER: under path Panel/mods/tv and Panel/mods/minerXX correspondingly. (Both can be loaded by downloading the corresponding plugin then be injected as subprocess.)
- User-defined program: User can load any malicious program that he likes, either directly from the console or downloaded from a user specified URL. The execution process is also flexible,( it can be executed directly, or be loaded as a dll, or even directly be injected in the process.)
Plugin
Smoke Loader’s plugin system is very flexible. When it first launches, it tries to download all the built-in plug-ins and their execution rules. Customers can also add their own plug-ins and plug-in rules.
A total of 16 plug-ins have been disassembled by decrypting the plugin file, some of which have the same function but are adapted to different versions of the operating system. When running on our test machine, we can see that it creates 9 subprocesses, each running a plugin. Note that although these process names are seemingly harmless as explorer.exe, they have been injected with plug-in payloads and are malicious. For details of the specific injection method, see Reference [1].
More plugin details include:
- Mining plugin : It downloads the corresponding miner program (process wauuclt.exe) with the startup parameters to perform the mining task when it receives the mining instruction from C2.
- DDoS plugin : Many common DDoS attack types, such as http get flood, http post flood, download flood, udp flood, syn flood, tcp flood, https get flood, http slowloris flood
- Form Information Stealing Plugin : Supports common browsers including IE, Firefox, Chrom, Opera, Chromium, Yandex browser, Amigo browser, QQ browser, outlook, Thunderbird
“Deception” or “Piracy” ?
It has been reported that the recent Smoke Loader has an updated version [2] to defer security researchers’ effort to extract its’ C2s, we have also observed a similar set of samples but we have a different theory.
We believe that this version of the changes came from a third party rather than the original author, the purpose is to break the limitations of the original author’s rule which requires extra fee to update C2 after purchase.
Smoke Loader is available for about $850 in the black market. The author uses a license sales model to release a customized system for each buyer, including Loader+Panel. It’s worth noting that if buyer wants to change C2 he need to regenerate the Loader, and each rebuild of a Loader costs $10.
With the above background info, let’s go back to these special samples we have, all together there are 88 samples. And one thing in common is that all of them have two “extra” residual C2 URLs that are not valid:
- hxxp://185.35.137.147/mlp/
- hxxp://185.35.137.147/mlp/
With this information, we looked into our samples pool and have associated other original samples that only used these “extra” C2 as the only valid C2.
Here are some highlights between the original version and the modified version:
- Residual C2 URLs : all modified versions share the exact same residual C2 URLs, suggesting that this set of samples have the same root;
- C2 configuration : the original samples encrypt the C2 configuration, and the modified samples store it in plaintext;
- Active and standby C2 mechanism : The original samples have backup C2 mechanism, but not in the modified samples;
- C2 verification mechanism : The original samples determine whether to install the startup item and whether to load the plug-in by verifying the CRC32 values of the two C2 first. The modified version directly overwrites the verification code with the NOP assembly empty instruction, and skips the verification mechanism all together.
The modified version circumvents the limitation set by the author, but it comes with a price, only one valid hard-coded C2 is supported. The network behavior of the samples and our statistics both confirm this.
Three Key Patch Codes in the Modified Version
There are three key patches in the modified version:
- Patch 1 : to replaces the decryption function for the C2 configuration information, the C2 is written plaintext in the code. When the decryption function is called, C2 address is returned directly. As can be seen from the figure below, the C2 returned by each decryption function call is a direct “hxxp://jsoc8492.us/jd/” ;
- Patch 2 : to overwrite the code that verifies the first C2. The original sample is supposed to calculate the CRC value of the first C2, and then compare it with the encryption key. If it is mismatched, the plugin will not be loaded;
- Patch 3 : similar to above, just to work on the second C2;
Other Interesting Details
Loader
The Loader consists of an injector and a payload. The injector is responsible for some basic anti-sandbox and anti-reverse engineering tasks, and eventually injects the payload into the explorer process. The payload is the real working code.
The 2018 version of the injector uses the PROPagate’s packed injection solution, which is mentioned in Talos’ documentation. Typically, buyers of Smoke Loader adds their own packaging scheme to pack Loader before spreading malicious programs through various channels. Therefore, the popular samples normally have two to three shells.
Registration Packet and C2 Command Communication Format
After the sample launches, it sends a packet to register with the controller. We have yet to see a public document which details the data structure of the 2018 version, but with the files on hand we were able to easily figure it out.
Here is the register packet’s format:
Here are several fields’ description:
- AFFID : Also called Seller ID, this is to ID the distribution channel, it is hard coded into the sample by the author. The most common values are Good, cece and new1, and about 15% of the samples only have an empty field here;
- BOT_WINVER : The target host OS version. It seems that all current Windows Personal Edition systems from WinXP to Win10 are supported. See the figure below;
- BOT_RES : Smoke Loader has two sub version, the non-resident version only runs one time and then removes itself from the victim. Another resident version stays on the victim. This tag is used to distinguish it;
- BOT_CMD : The instruction number, there are 15 instructions defined by the console, as shown in the figure below.
4. IoC Statistics
Here is some basic statistics for the samples we collected in the past six months:
- Samples: 1656
- C2: 296
- Affid: 42
Number related to modified version:
- Original version vs modified version: 1568 vs 88
- Number of C2 URLs in modified version: 27
- Domain names involved in the C2 URLs: 15
Grouped by Affid (Seller ID), the sample statistics are as follows. Among them, Good, Cece, and new1 are the top 3 channels, accounts for 88%. NA is the case where the Affid is empty:
affid count % Good 826 49.9% cece 395 23.9% [NA] 238 14.4% new1 77 4.7% 1501 21 1.3% 0 13 0.8% Pitt 12 0.7% 1301 9 0.5% sel1 7 0.4% Form 5 0.3% OTHER 52 3.1% 5. IoC
Malware Sample md5s in last 6 months
The whole list has more than 1,500 entries and can be downloaded here. The first ten records are listed below:
001dacf6608df69d485514a172fff05d 00521a5e800a85de875b703e9bc1f507 00891f91904955fb69fad4488f96741a 008d5eb400e41fcb87ef64db276013dc 009e213b63a4830adf5df372261ae6b0 00b8a47bdf14880ebeba6bebc3ea7dbc 00c5063e13752357b35c097c4c0f7059 00eef71e18381a537b1750c7f2983025 01162c00d54b976536d692173ef3e039 013748c007f80fb7cc2c42ca424e4733 Malware C2 in last 6 months
The complete list has more than 250 C2 entries, and can be downloaded here , and below are the first ten records. The format is as follows.
- version : version number
- req_key : rc4 encryption key for sending data
- res_key : rc4 decryption key for receiving data
- remaining_c2 : the residual C2 in the modified version
- affid : Seller ID
- Md5 count : how many independent samples contain this C2
Some details about the C2 list:
- Most of the samples have 2 to 5 C2s, but there are a few samples containing a much larger number such as 75 C2;
- Some samples change their reqkey, reskey when they get upgraded;
# NA C2 version req_key res_key remaining_c2_if_exists affid md5_count 0 http://makak.bit/2/ 2018 0xe5400000 0xa6b397e0 Good 826 1 http://mytter.ru/2/ 2018 0xe5400000 0xa6b397e0 Good 826 2 http://svoloch.club/2/ 2018 0xe5400000 0xa6b397e0 Good 826 3 http://d3s1.me/2/ 2018 0x3b22e540 0xa6b397e0 cece 395 4 http://kiyanka.club/2/ 2018 0x3b22e540 0xa6b397e0 cece 395 5 http://proxy-exe.bit/2/ 2018 0x3b22e540 0xa6b397e0 cece 395 6 http://5gssghhs2w.org/2/ 2018 0xe5400000 0xa6b397e0 new1 77 7 http://dvhwzq.ru/2/ 2018 0xe5400000 0xa6b397e0 new1 77 8 http://hdxaet.ru/2/ 2018 0xe5400000 0xa6b397e0 new1 77 9 http://hghwwgh6.info/2/ 2018 0xe5400000 0xa6b397e0 new1 77 Contact Us
Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn.
Reference
- [1] https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
- [2] https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait
- [3] https://www.cert.pl/en/news/single/dissecting-smoke-loader/