Tuesday, 10 October 2017

Evasions and IOCs of SmokeLoader in the Wild

In this article, I would like to explain how to identify whether a given binary is SmokeLoader or not.

Spam campaigns spreading SmokeLoader have been active for the past few months. I am not going to explain the unpacking process in this article because it is quite straightforward and already covered in other articles.

Instead, this article covers the IOCs, evasion indicators and network callback indicators that help conclude whether a given binary is SmokeLoader.

Note: Some of the indicators below may apply to other malware families as well, so it is important to look at the complete set of activities performed before concluding that a binary is SmokeLoader.

VB Compiled Binary

The samples of SmokeLoader found in the wild are VB compiled binaries, so you should see MSVBVM60.dll (the Visual Basic 6 runtime) in the Import Directory.

Anti Debugging Techniques

The following two anti-debugging techniques are used during the unpacking process:

a) Check the BeingDebugged flag in the PEB.
b) Check the NtGlobalFlag value in the PEB.

Environment Checks

After unpacking the binary, we observe that two threads are created (see Figure 1), each of which scans the system for security tools. If any security tool is identified, its process is terminated.

Figure 1

Process Name Check

It enumerates the running processes in the system using CreateToolhelp32Snapshot/Process32First/Process32Next (see Figure 2).

Figure 2

Then, for each process, it does the following:

a) Calculate the length of the process name.
b) Calculate a 4-byte (0x4) hash from the length of the process name and the process name itself, as shown in Figure 3.

Figure 3

c) This 4-byte hash is compared against a table of precomputed hashes. If it matches any one of them, the corresponding process is terminated, as shown in Figure 4.

Figure 4

Here is the list of hashes: ['0xb4a1d05', '0x19195c02', '0x1c0e041d', '0x6185d0b', '0x1d07120a', '0x60b5118', '0x550e1e0d', '0x51565c47', '0x4114c14', '0x5f4e5c04', '0x14585a12', '0x145e5c14']

Window Class Name Check

Here, the binary enumerates the top-level windows in the system using EnumWindows (see Figure 5).

Figure 5

Then, for each window, it does the following:

a) Calculate the length of the window class name.
b) Calculate a 4-byte (0x4) hash from the length of the window class name and the window class name itself.
c) This 4-byte hash is compared against a table of precomputed hashes. If it matches any one of them, the process owning the window is identified using GetWindowThreadProcessId and then terminated.

Here is the list of hashes: ['0xb4a1d05', '0x19195c02', '0x1c0e041d', '0x6185d0b', '0x1d07120a', '0x60b5118', '0x550e1e0d', '0x51565c47']

Volume Serial Number Check

It calls GetVolumeInformationA() to get the volume serial number and compares it against the values 0x0cd1a40 and 0x70144646, as shown in Figure 6.

Figure 6
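The hash tables and volume serial values above are 32-bit constants, which means they are also useful for scanning an unpacked sample: a table of twelve known DWORDs laid out back to back is a much stronger signal than any single 4-byte value. The following script is an added example written for this post (not code from the SmokeLoader sample or from the author); it scans a buffer for the little-endian encodings of the listed constants, reports contiguous runs of table entries, and renders them as a YARA rule. The sample buffer is constructed for the demo, and the offsets 0x40 and 0x100 inside it are arbitrary.

```python
import re
import struct

# Constants listed in the post: the two 4-byte hash tables and the two volume serial numbers.
PROCESS_NAME_HASHES = [
    0xb4a1d05, 0x19195c02, 0x1c0e041d, 0x6185d0b, 0x1d07120a, 0x60b5118,
    0x550e1e0d, 0x51565c47, 0x4114c14, 0x5f4e5c04, 0x14585a12, 0x145e5c14,
]
WINDOW_CLASS_HASHES = [
    0xb4a1d05, 0x19195c02, 0x1c0e041d, 0x6185d0b, 0x1d07120a, 0x60b5118,
    0x550e1e0d, 0x51565c47,
]
VOLUME_SERIALS = [0x0cd1a40, 0x70144646]


def dword_le(value):
    """Little-endian DWORD: how a 32-bit table entry or immediate is stored in an x86 PE."""
    return struct.pack("<I", value)


def find_constants(data, constants):
    """Map each constant to the offsets where it occurs in data as a little-endian DWORD."""
    data = bytes(data)
    hits = {}
    for c in constants:
        offsets = [m.start() for m in re.finditer(re.escape(dword_le(c)), data)]
        if offsets:
            hits[c] = offsets
    return hits


def table_runs(data, constants, min_entries=4):
    """Find back-to-back runs of the constants (in any order). A lone 4-byte value can match
    by chance; several table entries stored contiguously is a far more specific signal.
    Returns a list of (offset, number_of_entries)."""
    data = bytes(data)
    wanted = {dword_le(c) for c in constants}
    runs = []
    i = 0
    while i + 4 <= len(data):
        j = i
        while j + 4 <= len(data) and data[j:j + 4] in wanted:
            j += 4
        count = (j - i) // 4
        if count >= min_entries:
            runs.append((i, count))
            i = j
        else:
            i += 1
    return runs


def yara_rule(name, constants, min_match):
    """Render the constants as a YARA rule with one little-endian hex string per entry."""
    lines = [f"rule {name}", "{", "    strings:"]
    for n, c in enumerate(constants):
        hex_bytes = " ".join(f"{b:02x}" for b in dword_le(c))
        lines.append(f"        $h{n} = {{ {hex_bytes} }}")
    lines += ["    condition:", f"        {min_match} of ($h*)", "}"]
    return "\n".join(lines)


def build_sample():
    """Constructed test buffer, not a real sample: zero filler with the process-name hash
    table placed at offset 0x40 and one volume serial constant at offset 0x100."""
    buf = bytearray(0x200)
    table = b"".join(dword_le(c) for c in PROCESS_NAME_HASHES)
    buf[0x40:0x40 + len(table)] = table
    buf[0x100:0x104] = dword_le(0x70144646)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    print("hash table runs:", table_runs(sample, PROCESS_NAME_HASHES))
    print("volume serial hits:", find_constants(sample, VOLUME_SERIALS))
    print(yara_rule("smokeloader_process_hash_table", PROCESS_NAME_HASHES, 8))
```

Run it against the unpacked payload rather than the VB packed dropper, since the table only exists in cleartext after unpacking. The `table_runs` check is the one to trust; a single volume serial value hitting in an arbitrary file proves little on its own.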

Config Decryption

SmokeLoader carries a configuration block that it reuses multiple times during execution. The config is stored RC4-encrypted and is decrypted with a 4-byte (0x4) RC4 key.

The decrypted config is shown in Figure 7.

Figure 7

I'll explain the purpose of some of the fields in the config below:

http://www.bing.com/ - Used to check Internet connectivity
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - Windows registry key used for persistence
Software\Microsoft\Windows\CurrentVersion\Run - Windows registry key used for persistence
Software\Microsoft\Windows\CurrentVersion\Uninstall - Used to enumerate the list of installed software
sample - Looks for this string in the process command line path
System\CurrentControlSet\Services\Disk\Enum - Windows registry key checked to identify the use of a virtualization environment
advapi32.dll - It reads the timestamp details of advapi32.dll and uses them to set the timestamp details of the dropped binary
explorer.exe - The target process into which code is injected
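Because the key is only 4 bytes, recovering a config from a memory dump is mostly a matter of having a correct RC4 routine and a way to recognise a good decryption. The script below is an added example for this post (not the author's or the malware's code): it implements RC4, packs and unpacks a config as NUL-separated strings, and recognises a correct decryption by the presence of marker strings from the field list above. The NUL-separated layout, the demo key 0x12345678 and the plaintext config are constructed for the demo; `candidate_keys_from_binary` goes a step beyond the post by trying every 4-byte window of a buffer as a key, which is how one would sweep the immediates of an unpacked sample when the key is not known.

```python
# Constructed key and plaintext config for the demo; not recovered from a real sample.
DEMO_KEY = b"\x12\x34\x56\x78"
DEMO_FIELDS = [
    "http://www.bing.com/",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall",
    "sample",
    r"System\CurrentControlSet\Services\Disk\Enum",
    "advapi32.dll",
    "explorer.exe",
]
# Strings that a correctly decrypted config is expected to contain.
MARKERS = ("http://www.bing.com/", "explorer.exe", "advapi32.dll")


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). The cipher is symmetric, so one routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_config(fields):
    """Assumed layout: each string NUL-terminated, one after another."""
    return b"".join(f.encode("latin-1") + b"\x00" for f in fields)


def parse_config(blob):
    """Split a decrypted blob into its non-empty NUL-separated strings."""
    return [s.decode("latin-1") for s in blob.split(b"\x00") if s]


def decrypt_config(blob, key):
    """Decrypt with a 4-byte key; return the field list, or None if it does not look like a config."""
    if len(key) != 4:
        raise ValueError("SmokeLoader's RC4 key is 4 bytes")
    fields = parse_config(rc4(key, blob))
    return fields if sum(m in fields for m in MARKERS) >= 2 else None


def candidate_keys_from_binary(data):
    """Every 4-byte window of data (aligned or not), deduplicated, order preserved:
    the immediates of an unpacked sample are a natural candidate key set."""
    seen, out = set(), []
    for i in range(len(data) - 3):
        k = bytes(data[i:i + 4])
        if k not in seen:
            seen.add(k)
            out.append(k)
    return out


def recover_key(blob, candidates):
    """Return the first candidate key whose decryption yields a plausible config."""
    for key in candidates:
        if len(key) == 4 and decrypt_config(blob, key) is not None:
            return key
    return None


# Encrypted demo blob, built here so the example runs offline.
DEMO_BLOB = rc4(DEMO_KEY, pack_config(DEMO_FIELDS))

if __name__ == "__main__":
    # Constructed code bytes: mov eax, 0x78563412 ; ret -- the key appears as an immediate.
    fake_code = b"\x55\x8b\xec\xb8\x12\x34\x56\x78\xc3"
    key = recover_key(DEMO_BLOB, candidate_keys_from_binary(fake_code))
    print("recovered key:", key.hex())
    for field in decrypt_config(DEMO_BLOB, key):
        print(" ", field)
```

The marker test is what keeps the candidate sweep honest: RC4 happily "decrypts" under any key, so without a plausibility check every candidate looks like a hit. Two of three markers is a deliberately loose threshold so that a config variant missing one string is still recognised.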

Below is the list of modules it loads during execution:


HelpLink - It looks up this registry value for each installed software entry to get the corresponding URL
URLInfoAbout - It looks up this registry value for each installed software entry to get the corresponding URL

It checks whether the modules corresponding to known sandboxes are loaded.


The following strings are checked in the registry key System\CurrentControlSet\Services\Disk\Enum to detect the presence of a virtualization environment.


Code Injection

SmokeLoader injects code into the explorer.exe process using section mapping. It modifies the entry point of explorer.exe by adding a trampoline that jumps to the injected code, as shown in Figure 8.

Figure 8

Sequence of APIs used in code injection:


Indicators Of Compromise

1. The binary creates a copy of itself in the directory %Appdata%\Microsoft\<random_name>\ with the filename <random_name>.exe.
2. It adds the ZoneIdentifier ADS to the dropped binary, so it looks like: %Appdata%\Microsoft\<random_name>\<random_name>.exe:ZoneIdentifier
3. It uses the timestamp details of a legitimate system module such as advapi32.dll to set the timestamp details of the dropped binary.
4. It deletes the original binary.
5. It sets the file attributes of the dropped binary to SYSTEM|HIDDEN.
6. It sets the persistence registry key \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ to the path of the dropped binary.

Windows Persistence Mechanism

For persistence, it adds the path of the dropped binary to the Windows registry key mentioned above. One interesting behaviour of SmokeLoader, however, is that it monitors this registry key for changes using the RegNotifyChangeKeyValue() API with the notify filter REG_NOTIFY_CHANGE_LAST_SET.

It registers an event that is signalled when the registry key changes, and if a change is detected it reverts the change, as shown in Figure 9.

Figure 9
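The IOC list and the key-monitoring behaviour above translate directly into host detection logic. The script below is an added example for this post, not code from the author or the malware: it runs two checks over Sysmon-style registry events, (1) a Run or Policies\Explorer\Run value being set to a path of the form %AppData%\Microsoft\<name>\<name>.exe, where directory and file share the same random name, and (2) the same value being re-set by a different process within seconds of being deleted, which is what the RegNotifyChangeKeyValue reversion looks like in telemetry (and, since the code runs injected in explorer.exe, the writer is explorer.exe). The event lines, the pipe-separated field layout, the SID and the user and file names are all constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# The two Run keys SmokeLoader writes; Sysmon prefixes HKU\<SID>\ in front of this path.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run\\", re.I)
# %AppData%\Microsoft\<name>\<name>.exe: the directory and the file carry the same random name.
DROP_PATH_RE = re.compile(
    r"(?:%appdata%|\\AppData\\Roaming)\\Microsoft\\(?P<name>[^\\]+)\\(?P=name)\.exe\b", re.I)

# Constructed Sysmon-style registry events (not real telemetry): ts|event|image|target|data
SAMPLE_EVENTS = [
    r"2017-10-10T09:00:01|RegSet|C:\Users\bob\AppData\Roaming\Microsoft\qwfeaw\qwfeaw.exe"
    r"|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qwfeaw"
    r"|C:\Users\bob\AppData\Roaming\Microsoft\qwfeaw\qwfeaw.exe",
    r"2017-10-10T09:00:05|RegSet|C:\Program Files\Vendor\setup.exe"
    r"|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"
    r"|C:\Program Files\Vendor\updater.exe",
    # An analyst or cleanup tool removes the value ...
    r"2017-10-10T09:05:10|RegDelete|C:\Windows\System32\reg.exe"
    r"|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qwfeaw|",
    # ... and the injected code in explorer.exe puts it straight back.
    r"2017-10-10T09:05:11|RegSet|C:\Windows\explorer.exe"
    r"|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qwfeaw"
    r"|C:\Users\bob\AppData\Roaming\Microsoft\qwfeaw\qwfeaw.exe",
]


def parse_event(line):
    ts, event, image, target, data = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "image": image, "target": target, "data": data}


def detect(events, revert_window=timedelta(seconds=30)):
    """Return (alert_name, timestamp, writer_image, detail) tuples for the two checks."""
    alerts = []
    last_change = {}  # run value -> (timestamp, image) of its most recent set/delete
    for rec in map(parse_event, events):
        if not RUN_KEY_RE.search(rec["target"]):
            continue
        if rec["event"] == "RegSet":
            m = DROP_PATH_RE.search(rec["data"])
            if m:
                alerts.append(("run_key_appdata_drop", rec["ts"], rec["image"], m.group("name")))
                prev = last_change.get(rec["target"])
                # Same value written back by another process shortly after it was touched.
                if prev and prev[1] != rec["image"] and rec["ts"] - prev[0] <= revert_window:
                    alerts.append(("run_key_reverted", rec["ts"], rec["image"], prev[1]))
        if rec["event"] in ("RegSet", "RegDelete"):
            last_change[rec["target"]] = (rec["ts"], rec["image"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The second check is the more durable one: random names and paths change between builds, but a Run value that reappears a second after deletion, written by explorer.exe, is not something legitimate software does. Tune `revert_window` to how quickly your sensor delivers events.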

Network Callbacks

SmokeLoader is known to perform many network callbacks to legitimate domains by sending HTTP POST requests. The data sent in these POST requests is randomly generated.

How does SmokeLoader fetch the list of URLs to send the HTTP POST request to?

1. It calls RegEnumKey to enumerate the list of installed software.
2. For each installed software entry, it looks up the HelpLink and URLInfoAbout values; if it finds a URL, it generates random data and sends a POST request to that URL.
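Since the callback destinations are taken from the host's own Uninstall entries, a host's software inventory doubles as a watchlist: legitimate software essentially never POSTs to its own HelpLink page, so POSTs to those exact URLs, especially a burst of them to several unrelated vendors from one client, stand out. The script below is an added example for this post, not the author's code; it correlates a constructed set of Uninstall entries with constructed proxy log lines. The pipe-separated log layout, the .example hostnames, the client addresses and the burst threshold are assumptions for the demo.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Uninstall entries, the shape RegEnumKey over ...\CurrentVersion\Uninstall yields.
SAMPLE_UNINSTALL = [
    {"DisplayName": "Alpha Editor", "HelpLink": "http://help.alpha.example/",
     "URLInfoAbout": "http://www.alpha.example/about"},
    {"DisplayName": "Beta Viewer", "HelpLink": "https://support.beta.example/kb"},
    {"DisplayName": "Gamma Tools", "URLInfoAbout": "http://gamma.example/"},
    {"DisplayName": "Delta Player", "HelpLink": "http://help.delta.example/"},
    {"DisplayName": "No Links"},
]

# Constructed proxy log lines: ts|client|method|url|bytes_sent
SAMPLE_PROXY = [
    "2017-10-10T09:01:00|10.0.0.5|GET|http://www.bing.com/|0",
    "2017-10-10T09:01:02|10.0.0.5|POST|http://help.alpha.example/|412",
    "2017-10-10T09:01:02|10.0.0.5|POST|http://www.alpha.example/about|397",
    "2017-10-10T09:01:03|10.0.0.5|POST|https://support.beta.example/kb|450",
    "2017-10-10T09:01:03|10.0.0.5|POST|http://gamma.example/|388",
    "2017-10-10T09:01:04|10.0.0.5|POST|http://help.delta.example/|421",
    "2017-10-10T09:02:00|10.0.0.9|POST|https://support.beta.example/kb|120",
    "2017-10-10T09:03:00|10.0.0.9|GET|http://help.delta.example/|0",
]


def norm(url):
    """Normalise a URL to scheme://host/path so registry values and log URLs compare equal."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path.rstrip('/') or '/'}"


def help_urls(entries):
    """Build the watchlist: normalised HelpLink/URLInfoAbout URL -> (DisplayName, value name)."""
    urls = {}
    for e in entries:
        for value in ("HelpLink", "URLInfoAbout"):
            if e.get(value):
                urls[norm(e[value])] = (e.get("DisplayName", "?"), value)
    return urls


def flag_callbacks(proxy_lines, urls, burst=4):
    """Flag POSTs to watchlisted URLs, plus any client hitting `burst` or more distinct ones."""
    alerts = []
    per_client = defaultdict(set)
    for line in proxy_lines:
        ts, client, method, url, nbytes = line.split("|")
        if method != "POST":
            continue
        key = norm(url)
        if key in urls:
            name, value = urls[key]
            alerts.append(("post_to_uninstall_url", client, key, name, value, int(nbytes)))
            per_client[client].add(key)
    for client, keys in sorted(per_client.items()):
        if len(keys) >= burst:
            alerts.append(("uninstall_url_post_burst", client, len(keys)))
    return alerts


if __name__ == "__main__":
    for alert in flag_callbacks(SAMPLE_PROXY, help_urls(SAMPLE_UNINSTALL)):
        print(*alert)
```

On a real host the Uninstall entries come from both the 32-bit and 64-bit Uninstall keys under HKLM and from HKCU; the watchlist therefore differs per machine, which is exactly why a generic domain blocklist misses this traffic and a per-host correlation does not.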

I will add more details of indicators to this blog so that it serves as a future reference.
