Like many malware campaigns, the initial attack is conducted via a malicious Microsoft Word attachment which tricks users into allowing macros, enabling Smoke Loader to be installed on the compromised system and allowing the Trojan to deliver additional malicious software.
Researchers at Cisco Talos have been tracking Smoke Loader for some time and have seen its latest campaigns in action. One of the current preferred payloads is TrickBot -- a banking Trojan designed to steal credentials, passwords and other sensitive information. Phishing emails distributing the malware are designed to look like invoice requests from a software firm.
What intrigued researchers is how Smoke Loader is now using an injection technique which hadn't been used to distribute malware until just days ago. The code injection technique is known as PROPagate and was first described as a potential means of compromise late last year.
This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.
It's likely that the attackers have observed publically available posts on PROPagate in order to recreate the technique for their own malicious ends.
Those behind this process have also added anti-analysis techniques to complicate forensics, runtime AV scanners, tracing, and debugging that any researchers may attempt to conduct on the malware.
While there's still plenty of Smoke Loader attacks which look to deliver additional malware to compromised systems, in some cases the malware is being equipped with its own plug-ins to go straight onto performing its own malicious tasks.
Each of these plugins are designed to steal sensitive information, specifically stored credentials or sensitive information transferred over a browser -- the likes of Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird can all be used to steal data.
The malware can even be injected into applications like TeamViewer, potentially putting the credentials of others on the same network as the infected machine at risk too.
It's possible that Smoke Loader has been equipped with these tasks because its operators aren't currently getting much business in response to adverts on dark web forums advertising their ability to install other types of malware onto their compromised network of machines. It could also just be a means of taking advantage of the botnet for their own purposes.
Either way, it indicates that organisations must remain vigilant against potential threats.
"We have seen that the trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date," wrote Cisco Talos researchers.
"We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place. These practices will help reduce the threat of a compromise, and should aid in the recovery of any such attack," they added.