SmokeBuster: Keeping Systems SmokeLoader Free

IntroductionIn May 2024, international law enforcement agencies, in collaboration with private industry partners (including Zscaler ThreatLabz), conducted Operation Endgame, disrupting many prominent malware loaders including Smoke (a.k.a. SmokeLoader or Dofoil). This operation led to the seizure of more than 1,000 SmokeLoader command-and-control (C2) domains, and remotely cleaned over 50K infections. However, SmokeLoader continues to be used by multiple threat groups to distribute malware payloads through new C2 infrastructure. To further counter SmokeLoader, ThreatLabz has developed a general purpose tool called SmokeBuster that can be used to detect, analyze, and remove the malware from infected systems. During the development of this tool, ThreatLabz also discovered several bugs in recent versions of SmokeLoader that considerably slow down an infected system. In this blog, we will introduce SmokeBuster and examine coding errors that cause SmokeLoader to significantly degrade an infected system’s performance.

Key Takeaways
ThreatLabz has developed a tool named SmokeBuster to detect, analyze, and remediate infections.
SmokeBuster supports 32-bit and 64-bit instances of SmokeLoader and versions 2017-2022. The tool is compatible with Windows 7 to Windows 11.
SmokeLoader is a malware downloader that originated in 2011. The malware is primarily designed to deliver second-stage payloads, which include information stealers and ransomware.
Despite a major disruption by Operation Endgame in May 2024, SmokeLoader continues to be used by numerous threat groups largely due to numerous cracked versions publicly available on the internet.
The last four versions of SmokeLoader contain coding flaws that significantly impact an infected system’s performance.

SmokeBusterThreatLabz has developed SmokeBuster, a general purpose tool that detects SmokeLoader artifacts including the following:

Mutex names
SmokeLoader code in explorer.exe
Registry values (in version 2017)
Startup shortcut links (in some versions)
Persistence scriptlet (in some versions)
Scheduled tasks (versions 2018-2022)
SmokeLoader executable file
Plugins file

The tool’s features include:

Uninstalling SmokeLoader from the compromised host.
Control SmokeLoader’s threads (terminate, suspend, resume).
Free any memory regions allocated by SmokeLoader.
Remap SmokeLoader memory regions to add write permissions to them.

SmokeBuster currently supports the following command-line arguments:

Argument

Long argument

Description

-u

–uninstall

Uninstall SmokeLoader.

-v

–save-memory

Scan SmokeLoader memory and save the main module to disk.

-p

–delete-tasks

Delete SmokeLoader persistent scheduled tasks.

-w

–make-sections-rwx

Make SmokeLoader memory sections read/write/execute.

-c

–close-mutexes

Close SmokeLoader mutexes.

-k

–kill-thread

Terminate a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas.

-K

–killall-threads

Terminate all SmokeLoader threads in explorer.exe.

-s

–suspend-thread

Suspend a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas.

-S

–suspendall-thread

Suspend all SmokeLoader threads in explorer.exe.

-r

–resume-thread

Resume a specific SmokeLoader thread in explorer.exe. (Requires the thread ID). Multiple thread IDs can be separated by commas.

-R

–resumeall-thread

Resume all SmokeLoader threads in explorer.exe.

-m

–unmap-memory

Free SmokeLoader memory regions in explorer.exe.

-h

–help

Show help and exit.

Table 1: Command-line arguments supported by the SmokeBuster tool.

We will briefly highlight a few of the features and how they may be useful for malware analysts and threat hunters.

Foremost, SmokeBuster provides an uninstall command more robust than SmokeLoader’s native uninstall functionality. Note that SmokeLoader’s own uninstall routine leaves artifacts in memory, and some versions do not fully clean up the disk or registry. The SmokeBuster uninstall routine performs the following actions:

Closes SmokeLoader’s mutex handle
Closes SmokeLoader’s open file handles (required to delete files in use)
Deletes the SmokeLoader executable, plugins file, and scheduled task
Deletes installation directories
Terminates SmokeLoader’s threads (or terminates the hollowed explorer.exe process for version 2017)
Unmaps SmokeLoader from explorer.exe
Terminates SmokeLoader plugin processes

Another feature implemented by SmokeBuster allows a malware analyst to terminate, suspend, and resume one or more of SmokeLoader’s threads. One potential use case is to suspend or kill the threads created by SmokeLoader to prevent malware analysis tools from running including debuggers and process monitoring tools.

By default, most versions map SmokeLoader into a PAGE_EXECUTE_READ section in explorer.exe. As a result, debuggers will not be able to set software breakpoints or patch SmokeLoader’s code. However, SmokeBuster can remap SmokeLoader memory sections with PAGE_EXECUTE_READWRITE permissions to enable software breakpoints and patch SmokeLoader’s code as shown below.

Figure 1: SmokeLoader section with default privileges (left) and the same section remapped with the addition of write permissions (right).

The SmokeBuster tool is available in our GitHub repository.

SmokeBuster BugsIn our previous blogs, we analyzed SmokeLoader’s evolution over the past decade. In addition, we presented technical information about Operation Endgame that targeted SmokeLoader infrastructure and remotely cleaned infections. As we previously documented, SmokeLoader primarily consists of two components: a stager and a main module. The stager’s purpose is to decrypt, decompress, and inject the main module into an explorer.exe process. The main module performs the core functionality of the malware including establishing persistence, communicating with the C2 infrastructure, and processing commands.

While developing SmokeBuster, we discovered that SmokeLoader contains numerous bugs. In versions 2018 through 2022, several of these bugs lead to a condition that will cause SmokeLoader to considerably slow down an infected system’s performance. This is due to a combination of coding errors from the persistence implementation, the checks for the presence of running infections, and failures to adequately clean up threads and process memory.

The following figure illustrates the process in which SmokeLoader is executed every 10 minutes via a scheduled task after installation.

Figure 2: SmokeLoader execution process control flow (versions 2018-2022).

After the main module of SmokeLoader is injected into explorer.exe, the malware resolves Windows API dependency names by hash. SmokeLoader then creates two threads to check for the presence of malware analyst tools. If detected, these processes are terminated. These threads run in an infinite loop until a flag is set that indicates that they should terminate.

If a system has already been infected with SmokeLoader, the code checks whether a mutex name exists. If the mutex name exists, SmokeLoader closes the handle to this mutex and terminates the main thread. However, there are several issues that are problematic with this implementation.

First, the anti-analysis threads are always created before the mutex name check, and are not terminated even when the mutex name exists. Furthermore, the stager code does not itself perform any mutex checks. Compounding the issue, is the persistence mechanism schedules a task that executes the SmokeLoader stager executable every 10 minutes, so the main module will be injected into explorer.exe repeatedly. This causes SmokeLoader to create three new threads and allocate about 90 KB of space (for the main module) in the explorer.exe process every 10 minutes. The main thread will exit if the mutex name exists; however, the two anti-analysis threads continue to run.

SmokeLoader version 2018 has yet another potential issue in that there is a connectivity test performed before the mutex check. Therefore, if the infected system does not have internet connectivity, the main thread will continue to execute in an infinite loop, thereby leaving a third running thread per execution. Over time, the lack of a mutex check by the stager, and the lack of a mutex check prior to creating the two anti-analysis threads will significantly degrade an infected system’s performance.

The figure below shows a screenshot of SmokeBuster running shortly after a system is infected with SmokeLoader version 2022. Note that there are three SmokeLoader threads and the main module has been injected into explorer.exe in the memory region 0x6030000 - 0x6046000.

Figure 3: SmokeLoader infection within a minute after execution.

If we run SmokeBuster 10 minutes later, the scheduled task will have executed the SmokeLoader stager. This causes SmokeLoader to inject the main module once again in explorer.exe at the region 0x3BC0000 - 0x3BD6000 as shown in the figure below. In addition, two new anti-analysis threads (thread IDs 1476 and 8292) will have been created. The new main thread will terminate shortly afterwards since the expected mutex name exists. However, this new main thread does not terminate the anti-analysis threads or free the newly created memory section.

Figure 4: SmokeLoader infection after 10 minutes.

After only an hour SmokeLoader will have been injected six times and created 13 (1 main thread + 12 anti-analysis) threads. Thus, an infected system that has been running continuously for 24 hours will have been injected 144 times with 289 (1 main thread + 288 anti-analysis) threads running in explorer.exe.

ConclusionOperation Endgame was the first major international law enforcement disruption of SmokeLoader C2 infrastructure in over a decade. This had a short term impact on the overall threat ecosystem, but SmokeLoader continues to be a popular choice for threat groups to deploy their malware. Since SmokeLoader hasn’t been updated in over two years, tools such as SmokeBuster, which can detect and remediate infections, may hasten its demise. This is particularly evident given that SmokeLoader contains inherent bugs that significantly degrade an infected system’s performance.

Zscaler CoverageIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to SmokeLoader at various levels with the following threat names:

Win32.Downloader.Smokeloader

Figure 6: Zscaler Cloud Sandbox Report

Article Link: SmokeBuster Tool | ThreatLabz