This time we will have a look at another payload from recent RIG EK campaign . It is Smoke Loader (Dofoil), a bot created several years ago one of its early versions was advertised on the black marker in 2011. Although there were some periods of time in which it was not seen for quite a while, it doesn’t seems to plan retirement. The currently captured sample (version 6.1 ) appears to be updated in 2015.
This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.
We will walk through the used techniques and compare the current sample with the older one (version 5.1 ).
Analyzed samplesMain focus of this analysis is the below sample, which is dropped by Rig EK:
bce202c021feb61783563e21fc026767 original sample d363e8356c82a1043bb300c12c6c7603 unpacked (Stage#1) 8932d2eacc4dfc7b2f0a94363a854610 core DLL (Stage#2)The above sample downloads:
Payload:
f60ba6b9d5285b834d844450b4db11fd (it is an IRC bot, C&C: med-global-fox[DOT]com)Updated Smoke Loader:
bc305b3260557f2be7f92cbbf9f82975 original sample c8ec8ecc47b05074f5136e79b680fe9e unpacked (Stage#1) 8932d2eacc4dfc7b2f0a94363a854610 core DLL (Stage#2) same as the previous sampleDuring the analysis it will be compared against the old sample , first seen in September 2014
efa7f95edacec888f39e5ce0ee675a95 original sample (distributed via spam) 266319c97292842ce554d53806449dda unpacked (Stage#1) c52f0bf75bebf12a2e7a65b8c8af72d4 core DLL (Stage#2) Behavioral analysisAfter being deployed, Smoke Loader inject itself into explorer.exe and deletes the original executable. We can see it making new connections from inside the explorer process.
Installation and updatesSmoke Loader not only installs its original sample but also replaces it with a fresh version, which is downloaded from the C&C path: http://<CnC address>/system32.exe . This trick makes detection more difficult updated samples are repacked by a different crypter, may also have their set of C&Cs changed.
During the current analysis, the initial sample of Smoke Loader dropped the following one: bc305b3260557f2be7f92cbbf9f82975
Sample is saved in a hidden subfolder, located in %APPDATA%:
Smoke Loaded adds its current sample and all other downloaded executables to the windows registry. Names of the keys are randomly chosen among the names of existing entries:
This persistence method is pretty simple (comparing i.e. withKovter), however there are some countermeasures taken against detection of the main module. The timestamp of the dropped executable is changed, so that malware cannot be found by searching recently modified files. Access to the file is blocked performing reading or writing operations on it is not possible.
Loading other executablesDuring its presence in the system it keeps downloading additional modules “plugins”. First, the downloaded module is saved in %TEMP% under a random name and run. Then, it is moved to %APPDATA%. Below, we can see that the payload established connection with its own separate C&C:
There is also a script in Autostart for deploying the payload:
Network communication
To make analysis of the traffic harder, along with communicating with the C&C bot generates a lot of redundant traffic, sending requests to legitimate domains.
The current sample’s C&C addresses:
smoktruefalse.com prince-of-persia24.ruTraffic is partially encrypted.
In the examples below, we can see how the bot downloads from the C&C other executables.
1 Updating the main bot with a new sample of Smoke Loader:
2 Downloading the additional payload (“plugin”):
Payload traffic
Smoke Loader deploys the downloaded sample, so after some time we can see traffic generated by the payload (connecting to med-global-fox.com ). By its characteristics, we can conclude that this time the “plugin” is an IRC bot:
Inside
Like most of the malware, Smoke Loader is distributed as a packed file by a crypter that provides the first layer of defense against detection.
After removing the crypter layer, we can see the main Smoke Loader executable. However, more unpacking needs to be done in order to reach the malicious core. For the sake of convenience, I have tagged the code section of the unpacked sample as Stage#1 . Its execution starts in the Entry P