SmokeLoader trojan - How to remove

While Fifa World Cup 2018 is taking place the new virus releases have decreased significantly, and yet it seems like this event didn’t affect the old malware, whose updated variants are coming back to life ready to shake the ground of the virtual world. A few days ago we wrote about Zacinlo, which after a few years breaks started causing mayhem again, and today we present another veteran parasite SmokeLoader (also known as Smoke Loader, Dofoil, Sharik).

The newest version of SmokeLoader is not only a trojan but also a coin miner, moreover now instead of spamming it uses an exploit kit as a more sophisticated intrusion technique. Although the main features of SmokeLoader malware stayed identical making it still not that hard to detect (if you have a decent antivirus) yet this trojan is very dangerous and can do much harm to your system.

What can SmokeLoader do

Smoke Loader is a trojan that after getting into the computer using sneaky techniques brings several modules that will steal data about you from pretty much any place on your system and will bring it to the hackers. Later crooks will sell or use your information to gain the revenue. What is more, this already a sophisticated and flexible trojan now has another way to bring money to its creators – by profiting from the cryptocurrency mining (similar to XMRIG miner), dropping a miner with other plugins.

After the trojan slithers in the Smoke Loader’s executes shellcode to continue the setup. What is interesting that the Dufoil, Sharik or SmokeLoader instead of payloads bring five plugins that must do all the dirty work. These plugins are made to collect all possible sensitive data they can find in browsers and other applications that users might have entered and transferred through a browser. 

Every plugin uses the mutex ‘opera_shared_counter’ so that they would not apply the code into the same place at the same time to avoid the visible damage. Each of them has their own Explorer.exe process to perform in. For further details read Ben.

• First plugin – the biggest plugin that contains 2000 functions that target all browser and other applications like Outlook, Thunderbird and etc. and copy the credentials, hostname, any valuable personal information from emails, login attempts and so on.
• The second plugin – seeks files in directories that might have an archived personal information such as: *.pst, *.ost, *.mab, *.msf and etc.
• The third plugin – infects browsers and steals credentials and cookies that are passed through HTTP/HTTPS.
• The fourth plugin – attempts to steal credentials for data transfer protocols ftp, smtp, imap, pop3.
• The fifth plugin – copies the code to the TeamViewer.exe to also steal personal data.

As you can see this malware has really well-thought ways on how to get the data from the users. Moreover, malware researchers noticed that SmokeLoader sometimes drops TrickBot as a payload, and vice versa TrickBot fetches Smoke Loader. For this reason, Dufoil/Sharik/Smokeloader trojan becomes really dangerous for banks and similar institutions which save really important data which could be used to benefit.

How can Smoke Loader virus spread

The earlier versions of SmokeLoader trojan would spread via spam emails and infected Office macros which if enabled would start a malicious software and plugin download chain. Although, the latter malspam trickery is truly apparent and not hard to notice for any more experienced user, yet it got many people into a trouble, especially the mobile email clients that only see the name of the sender and not the domain or the companies’ HRs which often have to work with emails containing people’s Resumes.

These emails would say ‘Website Job Application’ and contain a Word document attachment with a random name of a person: Arlene’s Resume.doc, Boris’s Resume.doc, Cynthia’s Resume.doc, Diane’s Resume.doc and many other. (VirusTotal) But soon, because people became more aware of the spam, MS Office 2010, 2013, 2016, 365 upgraded their security and companies started investing into anti-spyware tools, this technique was replaced by the exploit kits.

In early January 2018, SmokeLoader used fake Meltdown and Spectre bug patches which cause a lot of damage in Germany, even though German government was warned about the phishing campaign. Later this year in March, Microsoft, nearly to 500,000 users were infected by the Dofoil dubbed trojan (same SmokeLoader) which used BitTorrent’s client MediaGet to get victims and install the Monero crypto miner. (More on Hackernews.com)

Now in July 2018, a trojan is back with PROPagate on the Explorer. The technique that cryptocurrency miners are delivered by Rig Exploit Kit operators. Together with this SmokeLoader still uses the spam emails.

After the victim opens the compromised program or attached Word document the system connects to http://89.248.169.136/ bigmac.jpg (detailed  to retrieve Smoke Loader which later brings plugins which finalize infecting a victim’s computer and starts tracking and sending sensitive personal data.

How to remove the SmokeLoader trojan infection

The best way to solve SmokeLoader is to avoid it at all costs. To always download the programs from official websites, not to open suspicious unknown emails, scan files with online antivirus programs before bringing to your computer, using a reliable antivirus program, following the safe internet.

Because SmokeLoader trojan still has the main functions and older processes from when it was created it is easily detected with a good, reliable antivirus, anti-malware program even before the download of the initiating file. What is more only an automatic tool can get rid of it from your computer. Therefore we offer you to invest into Spyhunter, Malwarebytes or some other product from the list that will help you clean your PC from the dangerous information stealing trojan.