SmokeLoader’s Plugins
– Stanislas Arnoud
This blog post summarises an analysis of SmokeLoader’s plugins.
SmokeLoader is malware that was originally designed to download and execute other malicious software on infected computers.
However, it has now evolved to include additional features, such as the ability to download and use plugins sent from its command and control (C&C) server.
These plugins enable attackers to steal important information from infected computers, either from the computer’s memory or from files stored on the system.
The blog post provides details about the structure and functionality of these SmokeLoader plugins.
It mentions that there are a total of 8 plugins, with 4 being 32-bit and the remaining 4 being 64-bit.
Five distinct functionalities are observed across these plugins: three of them are shipped as pairs that implement the same functionality in both a 32-bit and a 64-bit version, and the remaining plugins are unique.
When a plugin is received by the main module, it creates a new process, maps the plugin in memory, and sets three parameters for its entry point.
These parameters are similar to those used in DllEntryPoint and include the base address of the module, DLL_PROCESS_ATTACH, and a pointer to a malware-related data structure called the “plugin_struct.” This structure contains information such as the encryption key, bot ID, C&C server address, user agent, and more.
There are two main types of plugins discussed in the blog post:
1. Plugins that steal data from disk: These plugins search for specific files on the infected computer’s disk and send them to the C&C server.
2. Hook plugins: These plugins are injected into processes and directly steal data from the computer’s memory. They achieve this by hooking key Windows APIs within the process’s memory, collecting the data, and sending it to the C&C server.
The blog post explains the process injection technique used by Hook plugins.
These plugins have a list of hardcoded process names that they look for running on the infected client.
For each process found, the plugin decrypts the raw bytes of the plugin that were passed by the main module, creates a section using NtCreateSection, maps the section in its own process and the target process using NtMapViewOfSection, and performs all the loading work on the mapped view.
Once the plugin has loaded sections and resolved the import address table, it applies relocations and finalizes the injection in the target process using LdrProcessRelocationBlock.
The plugin also maps a small trampoline and the plugin_struct in the target process, updates the necessary registers with appropriate values, and creates a remote thread in the target process to start the plugin’s execution.
The blog post also mentions that the plugins use hooking techniques to hijack the control flow of specific Windows APIs.
This is done by replacing the first few instructions of a function with a trampoline that jumps to the hooking function.
This allows the plugins to gather valuable information, such as arguments passed to the function, which can then be sent to the C&C server.
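The hook described above leaves a trace a defender can look for: the first bytes of the hooked API in a live process no longer match the module’s clean image. The following is an added example, not code from the original post or from its author, that compares a constructed in-memory prologue against its clean copy and decodes the common trampoline forms; the addresses, the prologue bytes and the function name are all constructed placeholders.

```python
import struct

MASK64 = (1 << 64) - 1

def decode_trampoline(addr, code):
    """Recognise the usual inline-hook trampolines at the start of a function.
    Returns (kind, target) or None. `addr` is the virtual address of code[0]
    and is needed to resolve RIP-relative forms."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+disp32]", (addr + 6 + disp) & MASK64)  # address of the pointer slot
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov rax,imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret (x86)
        return ("push imm32; ret", struct.unpack_from("<I", code, 1)[0])
    return None

def check_export(name, addr, in_memory, on_disk, n=16):
    """Compare the first n bytes of an export in a live process with the
    clean (relocated) on-disk image. Any mismatch is a patch; if the patch
    is a known trampoline, report where it transfers control."""
    if in_memory[:n] == on_disk[:n]:
        return {"function": name, "hooked": False}
    tramp = decode_trampoline(addr, in_memory)
    return {"function": name, "hooked": True,
            "kind": tramp[0] if tramp else "unknown patch",
            "target": tramp[1] if tramp else None}

# Constructed sample: a typical x64 prologue, and the same bytes after an
# inline hook overwrote its first five bytes with a jmp rel32 to the hook.
FUNC_ADDR = 0x00007FFAC0A01000      # placeholder address of the export
HOOK_TARGET = 0x00007FFAC1000000    # placeholder address of the hooking function
CLEAN_PROLOGUE = bytes.fromhex("48895C2408574883EC20488BDA488BF9")  # mov [rsp+8],rbx; push rdi; ...
HOOKED_PROLOGUE = (b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5))
                   + CLEAN_PROLOGUE[5:])

if __name__ == "__main__":
    print(check_export("ExampleApiW", FUNC_ADDR, CLEAN_PROLOGUE, CLEAN_PROLOGUE))
    print(check_export("ExampleApiW", FUNC_ADDR, HOOKED_PROLOGUE, CLEAN_PROLOGUE))
```

In a real scan the in-memory bytes come from reading the target process and the clean bytes from the same DLL mapped fresh from disk with relocations applied, so that legitimate differences are not reported as hooks.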
Finally, the blog post provides a summary of the analysis, emphasizing that SmokeLoader’s plugins enable attackers to steal information from web browsers and email clients.
The operators of SmokeLoader may sell different plugins, and not every botnet may have access to all of them.
Link: https://www.bitsight.com/blog/smokeloaders-plugins