
SmokeLoader

Posted: July 10, 2018

Threat Metric

Threat Level: 8/10
Infected PCs: 13,645
First Seen: December 15, 2012
Last Seen: February 2, 2022
OS(es) Affected: Windows

SmokeLoader is a Trojan downloader that may drop additional threats on your PC, including cryptocurrency-mining Trojans and spyware. Victims should assume that an infection may also include the leaking of their private data and backdoor access for remote attackers. Always allow a dedicated anti-malware product to assist with removing SmokeLoader and any other threatening software that it may drop onto your PC.

Seeing through the Haze of Recent SmokeLoader Campaigns

Trojan downloaders and droppers are among the most flexible tools in the malware industry: some carry a single, dedicated payload, while others are configurable or rented out to other threat actors. Recent attacks using SmokeLoader show how this Trojan can sit at different positions in a chain of infections. Whatever its position, the final step is the installation of another threat with invasive features that may violate the user's privacy or hijack the PC's hardware.

Campaigns circulating SmokeLoader use both malicious e-mail attachments and browser-based exploit kits to expose new victims to this threat. Depending on the attack, SmokeLoader may either drop another threat or be dropped by one, such as the banking Trojan Trojan.TrickBot. Although SmokeLoader has a small file size, it includes extensive downloading and plugin support for running additional software with compartmentalized attack features.

In some of the latest attacks, malware experts have confirmed the following threats as being associated with SmokeLoader, which may run them through disguised 'explorer.exe' processes:

• SmokeLoader can run XMRig, a cryptocurrency-mining application that generates the Monero currency. Miners may use excessive system resources, cause performance issues and, in extreme circumstances, cause hardware burnout.
• Trojan.TrickBot is also sometimes the result of a SmokeLoader infection, rather than the cause of it, and includes features for exfiltrating confidential online banking information.
• Additional modules may use various methods, such as hooking into other processes, to collect highly specialized types of data, ranging from Web-browsing cookies or the contents of the Windows Credential Manager to FTP and SMTP credentials. TeamViewer's remote desktop software is also a prominent target.

Waving Off a Load of Software Smoke

Among the most recent distribution efforts for SmokeLoader, malware experts note malicious Word documents and the RIG Exploit Kit as two of the primary infection vectors. Users should avoid enabling macros in unexpected e-mail-attached documents, a usual means of circulating many threats. Careful Web-browsing settings, such as disabling JavaScript or blocking advertisements, also may keep exploit kits from running automatically. Drive-by-download attempts can come from otherwise legitimate websites whose advertisements or other content threat actors have hijacked, as well as from the usual dedicated malicious domains (such as a fake software piracy website).

SmokeLoader's emphasis on downloading makes it extremely likely that infections will include additional threats that this article does not outline. Cryptocurrency-mining software may or may not cause detectable symptoms or long-term damage to the PC's hardware, but spyware-oriented threats rarely show any symptoms at all. Users should protect their computers with active anti-malware solutions to delete SmokeLoader preemptively, when possible, and afterward re-secure their sensitive data by appropriate means, such as changing all passwords.

A Trojan's size says little about how threatening it is to a computer. With countless threat actors using the minuscule SmokeLoader for such varied purposes, predicting what it will do is harder than blocking its attacks as early as possible.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 262.14 KB (262144 bytes)
MD5: a34ad9fadd373ce0f46b1c0497758577
Detection count: 82
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 1, 2017

File name: file.exe
Size: 135.16 KB (135168 bytes)
MD5: 3b2ac28bad7dc336ec67851099a86221
Detection count: 54
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 31, 2017

File name: atx222.exe
Path: c:\programdata\e77aae40\b30d7fb8
Size: 960.51 KB (960512 bytes)
MD5: 7a2323d5dac16e3063b6c53d5dc51ab4
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 24, 2019

File name: file.exe
Size: 208.89 KB (208896 bytes)
MD5: 95394ac344aef9adb66e4d2ec662df03
Detection count: 2
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 4, 2017
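The indicators on this page (the MD5 hashes and the c:\programdata\<hex>\<hex>\ drop path in the file list above, and the disguised 'explorer.exe' processes described earlier) can be turned into a quick offline triage check. The Python script below is an added example written for this page; it is not code from the original page or from any vendor tool. The ProgramData tree and process list it scans are constructed sample data, the assumption that the two-level hex directory shape generalizes beyond the single path listed above is mine, and the placeholder executable is not a real sample.

```python
r"""Offline triage check for the SmokeLoader indicators on this page.

Added example, not the page's or any vendor's code. It checks:
  1. files under a ProgramData tree whose MD5 is in the page's list, or that
     sit in the ProgramData\<hex>\<hex>\<name>.exe path shape the list shows;
  2. processes named explorer.exe whose image is not %WINDIR%\explorer.exe
     (the page notes payloads run through disguised 'explorer.exe' processes).
The directory tree and process list used below are constructed sample data.
"""
import hashlib
import os
import re
import tempfile

# MD5 hashes taken from the page's file list.
SMOKELOADER_MD5S = {
    "a34ad9fadd373ce0f46b1c0497758577",
    "3b2ac28bad7dc336ec67851099a86221",
    "7a2323d5dac16e3063b6c53d5dc51ab4",
    "95394ac344aef9adb66e4d2ec662df03",
}

# The page shows c:\programdata\e77aae40\b30d7fb8\atx222.exe. Assumption (mine):
# two consecutive lowercase-hex directory names directly under ProgramData.
HEX_DIR_RE = re.compile(r"^[0-9a-f]{8,}$")


def md5_of_file(path, chunk=65536):
    """Hash a file in chunks so a large dropper is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_programdata(root, known_md5s=SMOKELOADER_MD5S):
    """Return [(path, reason)] for files matching a listed hash or the drop-path shape."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.replace("\\", "/").split("/")
        in_hex_drop_dir = len(parts) >= 2 and all(HEX_DIR_RE.match(p.lower()) for p in parts[:2])
        for name in files:
            full = os.path.join(dirpath, name)
            digest = md5_of_file(full)
            if digest in known_md5s:
                hits.append((full, "md5 matches listed SmokeLoader sample " + digest))
            elif in_hex_drop_dir and name.lower().endswith(".exe"):
                hits.append((full, "executable in ProgramData hex\\hex drop path"))
    return hits


def _norm(path):
    """Case-insensitive, backslash-normalised comparison form for Windows paths."""
    return path.replace("/", "\\").lower()


def find_fake_explorer(processes, windir="C:\\Windows"):
    r"""processes: iterable of (pid, name, image_path).

    Flags any explorer.exe whose image is not the genuine %WINDIR%\explorer.exe.
    Caveat: code injected into the real explorer.exe keeps the legitimate path
    and is not caught here; that needs memory scanning, not a path check.
    """
    legit = _norm(os.path.join(windir, "explorer.exe"))
    return [(pid, image) for pid, name, image in processes
            if name.lower() == "explorer.exe" and _norm(image) != legit]


def build_sample_tree():
    """Constructed sample ProgramData tree: one benign file plus a placeholder
    .exe in the hex/hex path shape (placeholder bytes, not a real sample)."""
    root = tempfile.mkdtemp(prefix="programdata_")
    benign = os.path.join(root, "Microsoft", "Windows")
    os.makedirs(benign)
    with open(os.path.join(benign, "settings.dat"), "wb") as f:
        f.write(b"benign configuration data")
    drop = os.path.join(root, "e77aae40", "b30d7fb8")
    os.makedirs(drop)
    with open(os.path.join(drop, "atx222.exe"), "wb") as f:
        f.write(b"MZ\x90\x00 placeholder, not the real sample")
    return root


# Constructed sample process list: (pid, name, image path).
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (1234, "explorer.exe", "C:\\Windows\\explorer.exe"),
    (2345, "explorer.exe", "C:\\ProgramData\\e77aae40\\b30d7fb8\\explorer.exe"),
    (3456, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for path, reason in scan_programdata(build_sample_tree()):
        print("FILE   ", path, "-", reason)
    for pid, image in find_fake_explorer(SAMPLE_PROCESSES):
        print("PROCESS", pid, image)
```

On a live host, point scan_programdata at the real C:\ProgramData and feed find_fake_explorer the output of Get-Process or psutil (pid, name, executable path). Two limits matter in practice: the hash check only catches the four exact samples listed here, and a payload injected into the genuine explorer.exe keeps the legitimate image path, so the process check has to be paired with memory scanning rather than relied on alone.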