SmokeLoader


By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 5,826
First Seen: December 15, 2012
Last Seen: February 2, 2022
OS(es) Affected: Windows

Criminals can use a data-collecting Trojan named SmokeLoader to gather information from a victim's computer. Computer users working for large businesses or organizations seem to be the targets of SmokeLoader attacks, which often attempt to collect important data or gain access to a network or servers in search of a large payout. It seems that criminals can develop custom versions of SmokeLoader to carry out specific attacks, depending on the target and the needs of the attackers. SmokeLoader has been installed on victims' computers in association with a different Trojan, TrickBot, which carries out the initial phase of the attack. That initial phase seems to come from a corrupted Microsoft Word document attached to a spam email message; the document often uses embedded macro scripts to download and install TrickBot, and then SmokeLoader, onto the victim's computer.
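Because the delivery chain described above starts with a macro-bearing Word attachment, a mail gateway or incident responder will want a quick way to tell macro-enabled Office files from clean ones. The following Python script is an added example (not code from this page or from SpyHunter): it classifies an attachment by its container format, flagging OOXML files that embed a vbaProject.bin or declare a macro-enabled content type, and marking legacy binary .doc files as needing review because macros cannot be ruled out without a full OLE parser. The sample attachments are constructed in memory and are not real Word documents.

```python
"""Classify e-mail attachments by whether they can carry Office macros.

Added example with constructed sample data; not code from the page or from SpyHunter.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip container
MACRO_CONTENT_TYPE = b"macroEnabled"              # appears in [Content_Types].xml of .docm/.xlsm


def classify_office_attachment(data: bytes) -> str:
    """Return a coarse verdict for an attachment's raw bytes.

    'ooxml-macro'  zip-based Office file that embeds a VBA project
    'ooxml-clean'  zip-based Office file without a VBA project
    'legacy-ole'   binary .doc/.xls container; macros cannot be ruled out
                   without a full OLE parser, so treat as needs-review
    'other'        not an Office container at all
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project is stored as vbaProject.bin under word/, xl/ or ppt/.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # The content-types manifest also declares macro-enabled parts.
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
    except zipfile.BadZipFile:
        # Starts with the zip signature but is not a readable archive.
        return "other"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for demonstration (not a real Word file)."""
    if with_macro:
        ctype = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        ctype = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")  # constructed placeholder
    return buf.getvalue()


def triage_attachments(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_office_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed samples: none of these are real documents or real malware.
    samples = {
        "invoice.docm": build_sample(with_macro=True),
        "report.docx": build_sample(with_macro=False),
        "old_memo.doc": OLE_MAGIC + b"\x00" * 64,
        "notes.txt": b"plain text",
    }
    for name, verdict in triage_attachments(samples).items():
        print(f"{name:14} {verdict}")
```

In a mail-processing pipeline the classifier would be fed the decoded attachment bytes; a verdict of ooxml-macro or legacy-ole is a reason to quarantine or route the message for review, not proof of malice on its own.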

There’s no Smoke to Cover a SmokeLoader Attack

SmokeLoader is designed in a modular way, which allows criminals to customize it for a variety of purposes. Its most common use is collecting credentials from infected computers: SmokeLoader can harvest information and credentials from a wide variety of software sources and locations on the targeted machine. Criminals can easily expand or update the attack through its modules. SmokeLoader exploits several known vulnerabilities in the Windows operating system, so it is essential that computer users keep their machines protected with all the latest security patches and updates from Microsoft and from their other software's developers. SmokeLoader seems to target vulnerabilities in Windows Explorer that were patched in 2018 (although many computer users are still unprotected). Apart from carrying out its attack, SmokeLoader is capable of detecting whether it is running in a virtual environment or a similar machine used by PC security researchers to study threats like SmokeLoader.

How SmokeLoader Carries Out Its Attack

There are numerous modules that can be used in a SmokeLoader attack. SmokeLoader currently has four major plugins that can be used to carry out different attacks:

  1. The first SmokeLoader plugin includes more than two thousand functions and allows criminals to collect passwords and credentials from a wide variety of programs, including Web browsers, FTP clients, email clients, and numerous other popular programs.
  2. The second SmokeLoader plugin searches for files on the infected computer and can be used to collect these files and upload them to a remote server.
  3. The third SmokeLoader plugin targets Web browsers and can intercept HTTP and HTTPS traffic.
  4. The fourth major plugin attempts to collect credentials from various data transfer protocols, including IMAP, POP3, SMTP, and FTP, and can be used to collect files and emails received by the affected computer.

Dealing with a SmokeLoader Infection

SmokeLoader carries out a highly effective data-collecting attack on the victim's computer and is considered a serious danger to the victims' data and privacy. It is a sophisticated threat that can be used against high-level targets such as businesses and government organizations, for espionage as well as other operations. When operated by the criminals from a remote location, SmokeLoader can move through a network, spreading within a computer or from one computer to another. The best protection against threats like SmokeLoader includes strong security software, strong policies for computer access, and strong passwords. Since threats like SmokeLoader tend to exploit vulnerabilities in Windows and other software, it is important to have protocols for keeping all software and operating systems up to date at all times with the latest security patches.


File System Details

SmokeLoader may create the following file(s):
#   File Name      MD5                                Detections
1.  haveurse.exe   7ae3cee8c55e38122a8fc04c7a65ad09   5,179
2.  atx222.exe     7a2323d5dac16e3063b6c53d5dc51ab4   7
3.  file.exe       3b2ac28bad7dc336ec67851099a86221   0
4.  file.exe       a34ad9fadd373ce0f46b1c0497758577   0
5.  file.exe       95394ac344aef9adb66e4d2ec662df03   0
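The MD5 values in the table are the indicators a responder would sweep for on endpoints suspected of infection. The Python script below is an added example, not code from this page or from SpyHunter: it walks a directory tree, hashes each file with MD5 (because that is the digest the table provides), and reports a hash match separately from a name-only hit, since a generic name such as file.exe carries no signal by itself. The demo() function builds a constructed temporary directory with made-up file contents and one constructed indicator so the sweep can run offline; none of the constructed files are real SmokeLoader samples.

```python
"""Sweep a directory tree for the SmokeLoader file indicators listed on this page.

Added example; the IoC table is copied from the page, everything else is constructed.
"""
import hashlib
import os
import tempfile

# Indicators copied from the table above: MD5 -> file name.
SMOKELOADER_IOCS = {
    "7ae3cee8c55e38122a8fc04c7a65ad09": "haveurse.exe",
    "7a2323d5dac16e3063b6c53d5dc51ab4": "atx222.exe",
    "3b2ac28bad7dc336ec67851099a86221": "file.exe",
    "a34ad9fadd373ce0f46b1c0497758577": "file.exe",
    "95394ac344aef9adb66e4d2ec662df03": "file.exe",
}
# Names so generic that a name-only hit is not evidence on its own.
GENERIC_NAMES = {"file.exe"}


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: dict = SMOKELOADER_IOCS) -> list:
    """Return [(path, verdict)]; verdict is 'hash-match' or 'name-only'.

    A hash match is a strong indicator. A name-only hit on a distinctive
    name (not in GENERIC_NAMES) is worth a look but needs confirmation.
    """
    known_names = set(iocs.values()) - GENERIC_NAMES
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if md5_of_file(path) in iocs:
                hits.append((path, "hash-match"))
            elif name.lower() in known_names:
                hits.append((path, "name-only"))
    return hits


def demo() -> dict:
    """Build a constructed temp tree, sweep it, and return {basename: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "AppData", "Roaming")
        os.makedirs(target)
        # Constructed file contents; none of these are real malware samples.
        contents = {
            "haveurse.exe": b"constructed sample, not the real binary",
            "file.exe": b"unrelated constructed content",
            "dropper.bin": b"constructed content whose hash is added to the IoC set",
        }
        for name, data in contents.items():
            with open(os.path.join(target, name), "wb") as f:
                f.write(data)
        iocs = dict(SMOKELOADER_IOCS)
        # Constructed indicator so the demo produces a hash match offline.
        iocs[hashlib.md5(contents["dropper.bin"]).hexdigest()] = "dropper.bin"
        return {os.path.basename(p): v for p, v in sweep(root, iocs)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

On a real endpoint, point sweep() at the user profile and temp directories and treat a hash-match as grounds to isolate the host; a name-only hit on haveurse.exe or atx222.exe warrants pulling the file for analysis, while the three file.exe entries are only meaningful through their hashes.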
