A powerful form of malware which can be used to distribute threats including Trojans, ransomware[1] and malicious cryptocurrency mining software[2] has been updated with a new technique which has rarely been seen in the wild.

Distributed in spam email phishing campaigns[3], Smoke Loader has been sporadically active since 2011 but has continually evolved. The malware has been particularly busy throughout 2018, with campaigns including the distribution of Smoke Loader via fake patches[4] for the Meltdown and Spectre vulnerabilities[5] which emerged earlier this year.

Like many malware campaigns, the initial attack is conducted via a malicious Microsoft Word attachment which tricks users into allowing macros, enabling Smoke Loader to be installed on the compromised system and allowing the Trojan to deliver additional malicious software.

Researchers at Cisco Talos have been tracking Smoke Loader for some time and have seen its latest campaigns in action[6]. One of the current preferred payloads is TrickBot[7] - a banking Trojan designed to steal credentials, passwords and other sensitive information. Phishing emails distributing the malware are designed to look like invoice requests from a software firm.

[Image] A phishing email used to deliver Smoke Loader. Image: Cisco Talos

What intrigued researchers is how Smoke Loader is now using an injection technique which hadn't been used to distribute malware until just days ago[8]. The code injection technique is known as PROPagate and was first described as a potential means of compromise late last year[9].

This technique abuses the SetWindowSubclass function - a Windows API used to install or update a subclass callback on a window running on the system - and can be used to modify the properties
