Smoke Gets in Your IR Process

We were sitting around the campfire this week reading the latest Lastline Labs blog post. We were ignited by some scorching questions regarding this shadowy malspam campaign. The burning issue on our minds was:

Why would Smoke Loader go to the trouble of gaining a foothold on a victim machine, installing two different payloads, and then incinerating its own infection by installing a noisy ransomware payload that requires a backup to fix, cremating its foothold in a flash?

Two opposing opinions fanned the flames of the debate

Some of our researchers argued that the malspam botnet authors are cheating their pay-per-install customers. The malspam authors using Smoke Loader to deliver someone else’s payloads offer no guarantee of the duration of the infection. This means that the criminal group wanting the Zeus payload installed, or the criminal group with the cryptomining payload, pay the malspam operator using Smoke Loader a fee and once their malicious file is installed, the terms of the contract are met. Little do these criminal groups know, the ransomware payload subsequently installed is a time bomb that causes the imminent removal of their malicious files from the victims’ devices.

Clearly there is no honor among thieves

The second opinion argued that the installation of ransomware is the ultimate decoy for payloads that steal credentials and require no action from the victim to enable unauthorized access to systems. Smoke Loader and Zeus variants steal sensitive data. They don’t need to be resident for long periods of time, and finding them on systems only increases the chances of alerting the victim to take action. Planting a ransomware payload poisons the Incident Response (IR) process, causing security teams to focus on addressing the imposter ransomware payload while remaining blind to the exfiltration of sensitive data that disappears in a cloud of smoke.

To unmask the real campaign, read our smokin’ Labs blog post.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.