On November 8th, the Japanese Meteorological Agency issued an alert about a fake tsunami warning email masquerading as coming from the agency. According to the alert, the email was written in Japanese and asked recipients to click the link to confirm their evacuation area from a tsunami after an earthquake. The link in the email is not critical information to save your life but malware to steal crucial information from you. The malware is Smoke Loader, infamous commodity malware used by various cybercriminals since 2011.
Smoke Loader is a modular loader where attackers can select any payload to be installed on the victim by Smoke Loader. Thus, the final payload can vary between attacks. For example, we previously reported on the Retefe Banking Trojan being distributed by Smoke Loader in Sweden, and Japan. We have also seen backdoors, ransomware, cryptominers, password stealers, Point-of-Sale (PoS) malware, and banking Trojans installed by Smoke Loader.
This attack seems to be aiming to steal credentials from unidentified targets in Japan and took a similar approach to normal targeted attacks. The attacker registered the fake Japanese government agency domain and ensured the file path to the malware on the server is close to the legitimate agency web site. They wrote the lure email in fluent Japanese and did not distribute it broadly. In late November, the attacker started using another commodity malware known as AzoRult. Figure 1 shows the timeline of this attack.
Figure 1 Time line of the attack
Smoke Loader Analysis
Though it’s been seven years since Smoke Loader first appeared, the author keeps updating the code. Malwarebytes published an excellent analysis of Smoke Loader in 2016. The samples we looked at added the following techniques to avoid detection or analysis.
- Code obfuscation by junk jump
- Decrypts subroutines and encrypts them after execution
- Employs PROPagate trick to inject second stage code into an explorer.exe process
- Changes the algorithm of generating the unique ID
- Encrypts network traffics and payload file
Generating a unique ID
Initially, the threat generates a unique ID for the compromised machine from the computer name, the hardcoded static number(0B0D0406), and the volume serial number of the system drive. Smoke Loader uses the unique ID for three purposes:
- Tracking the compromised machine at C2.
- Encrypting payload by the ID.
- Creating random file names for persistence.
Here’s how to create the unique ID. If the computer name is “Test_PC” and the volume serial number is “12345678”, the threat appends the three values like the following:
“Test_PC” + “0B0D0406” + “12345678” = “Test_PC0B0D040612345678”
and it calculates the MD5 hash value of the string,
MD5(“Test_PC0B0D040612345678”) = 41EE612602833345FC5BD2B98103811C
It then appends the volume serial to the hash value and gets the 40 characters unique ID.
“41EE612602833345FC5BD2B98103811C” + “12345678” = “41EE612602833345FC5BD2B98103811C12345678”
Next, Smoke Loader generates two strings based on the first eight characters and the last eight characters of the ID. Following is the algorithm written in Python.
# the unique ID
id = "41EE612602833345FC5BD2B98103811C12345678"
results = ""
for n in _s:
results += chr((ord(n) - 0x30) + ord('a'))
stringA = makeStrings(id[:8]) # "ebvvgbcg"
stringB = makeStrings(id[-8:]) # "bcdefghi"
Smoke Loader uses these strings for the file name. It copies itself as follows.
and it creates following shortcut file to execute the threat when the computer starts.
These two strings look random. However, the attacker always generates two identical strings to the compromised machine since it is based on the static values of the environment.
Smoke Loader contains the following hardcoded C2 address.
An outline of initial C2 communication follows.
- Smoke Loader sends the encrypted data to C2 by HTTP POST method.
- C2 server replies HTTP 404 response (Not Found) with encrypted data.
- Smoke Loader extracts the plugin from C2, encrypts it by using the unique ID, and saves it local disk.
- Smoke Loader extracts the payload modules from the encrypted plugin file and injects them into an Explorer.exe process.
Figure 2 Initial communication
Making initial POST data
Smoke Loader creates the data to send C2. At offset 0, there is a marker ‘E207’ followed by the unique ID (Figure 3). The marker is ‘072E’ in little-endian form and ‘2018’ in decimal. Smoke Loader uses the marker every time communicating with C2.
Figure 3 POST data
Smoke Loader finally encrypts the data with RC4 cipher by using the static key 0x161A9A0C and send it to the C2 by HTTP POST method.
Plugin from C2
The C2 server responds the plugin data contains the final payload with HTTP 404 status code. Smoke Loader obtains the encrypted header size from the first DWORD value of the plugin and decrypts the following bytes with RC4 cipher by the different static key 0x1D17D70A. Figure 4 shows the plugin data after decryption. It then verifies the marker ‘E207’ and gets the plugin size which is defined in the “plugin_size’ variable.
Figure 4 Reply data from C2
After checking the plugin size, Smoke Loader encrypts plugin data with an RC4 cipher using the unique ID and saves it as the following path with the generated string from the ID. Since the file is encrypted with the distinct value to the machine, the file hash is always different on each computer even if the plugin is identical.
Then Smoke Loader decrypts the saved plugin data. The plugin data has thirteen-byte length header and consists from following values.
|0x04||DWORD||Plugin marker, 0xD5A08DD8|
|0x08||DWORD||Unknown, possible plugin identifier|
|0x0C||BYTE||Number of modules in the plugin|
Table 1 Plugin header
The plugin can contain multiple modules. In the case of this tsunami campaign, the payload contains six modules. Each module has a header that includes its size and RC4 key to decrypt.
Figure 5 Plugin header and module header
Smoke Loader decrypts a module with RC4 cipher by the specified key. After verifying architecture flag (64 bit or 32 bit) in the module, the threat executes Explorer.exe process and injects the module into the process. Since the threat repeats this the number of modules times, there should be multiple Explorer.exe processes on the compromised machine.
Table 2 shows the list of modules in this campaign. There are three types of functions in two architectures.
|1||32 bit||Stealing stored credential from browsers and email programs|
|2||64 bit||Incomplete porting of Module 1|
|3||32 bit||Stealing data sending from Browsers|
|4||64 bit||Same with Module 3|
|5||32 bit||Stealing login credential from email protocols|
|6||64 bit||Same with Module 5|
Table 2 Module list
When injecting modules, Smoke Loader passes the configuration data including the following values to the modules for C2 communication. Each module has exact same C2 communication code with the loader.
- RC4 encryption key for HTTP POST
- The unique ID
- C2 URL
This module aims to steal stored credentials in following programs.
- Internet Explorer
Module 2 contains a partial code of Module 1 but appears to be in the under development phase.
Modules 3 and 4
These modules hook APIs and steals all data being sent data from following browsers.
- Internet Explorer
Modules 5 and 6
These modules hook APIs and steals user id, password, and their associated remote ftp and email server addresses on following protocols.
- FTP on port 21
- SMTP on port 25, 587, 2525
- POP3 on port 110
- IMAP on port 143
Infrastructures and another tools
A person registered the domain name jma-go[.]jp on Oct 30, 2018. The domain does not have a second level domain name, such as .co.jp nor .ne.jp. It is defined as General-use JP domain name by JPNIC. In the definition, JPNIC described the registration requirements of the general-use JP domain name as following.
‘In the general-use JP domain name system, we have established what we call a “local presence” prerequisite, which asks for a connection or relationship with Japan.‘
According to the Whois information of the domain, the domain was owned by a person who has a postal address in Russia and uses a Gmail address. The registrant may change the postal address after registration or could prove a connection or relationship with Japan.
The same person also registered another eight domains with the same Gmail address. We found that the three of the domains were used in attacks involving the Android banking trojan/password stealing malware, Marcher from Feb to March in 2018. We haven’t identified the targets of the mobile malware yet. Following is the sample list.
Table 3 Domains and Marcher hashes
On November 25, we confirmed that another malware, AzoRult, was served from the same URL previously serving Smoke Loader. AzoRult is also a commodity malware that steals credentials, cookies, and cryptocurrencies. This AzoRult accesses the following C2 address, which is a different path on the same C2 server with the Smoke Loader.
We observed three AzoRult samples using the same C2 at the time of writing this blog. The attacker distributes those files from following URLs.
thunderbolt-price[.]com was registered in 2012 in Japan, and the Privacy Protection Service protects its registrant information. The website of the domain does not host content at the top page as of today. According to the Google search, the domain appears in shopping related pages from 2014 to 2015. Interestingly, those web pages are low-quality and mostly hosted on hacked web servers. These web pages are likely created for malicious Search Engine Optimization (SEO) backlinks which gain scores for better page rank in the search engine results. Figure 6 is a ladies’ shoes shopping web page hosted on the website of a construction and building materials company in Turkey.
Figure 6 SEO backlinks on hacked site
The domain may have been used for a shopping or affiliate site previously, but the owner does not use it for that purpose anymore. It looks like the attacker compromised the website, which had not been used for few years, and is using it for distributing AzoRult. However, we don’t know the connection between the attacker and the current owner of the thunderbolt-price[.]com.
Table 4 shows the timetable of infrastructure changes and timestamp of malware.
|Oct 30, 2018||Registers jma-go[.]jp domain|
|Nov 5, 2018||Smoke Loader
|Nov 6, 2018||Smoke Loader
|Nov 8, 2018||Smoke Loader
|Nov 9, 2018||Smoke Loader
|Nov 15, 2018||Smoke Loader
|Nov 24, 2018||AzoRult
|Nov 25, 2018||Smoke Loadera
|Nov 27, 2018||AzoRult
|Nov 30, 2018||Changes the IP address associates with jma-go[.]jp
from 47.74.255[.]111 to 149.129.135[.]53
|Dec 3, 2018||AzoRult7
Table 4 Timetable
Commodity malware is widely used by cyber criminals these days. The authors of malware keep updating the code to expand the capabilities and trying to gain more customers. As we detailed in this article, Smoke Loader encrypts network traffic and files with various keys to avoid analysis. We recently published a report of a new variant of AzoRult that introduces a new advanced obfuscation technique to evade detection by security products. Attackers, like those in this tsunami campaign, can pick up malware fitting for their purpose from online threat marketplaces.
Palo Alto Networks customers are protected from this threat in the following ways:
- AutoFocus customers can track these samples with the Smoke Loader, AzoRult and Marcher.
- WildFire detects all files mentioned in this report with malicious verdicts.
- Traps blocks all of the files described in this article.
Smoke Loader Samples
.bits domain support
Smoke Loader supports .bit Top Level Domains (TLD). Author of the threat includes the following hard-coded DNS servers to resolve .bit domains. Though we haven’t seen any .bit domain in Tsunami campaign, we listed the IP addresses just in case for another attack by the threat.