Smoke Gets in Your IR Process

We were sitting around the campfire this week reading the latest Lastline Labs blog post. We were ignited by some scorching questions regarding this shadowy malspam campaign. The burning issue on our minds was:

Why would Smoke Loader go to the trouble of gaining a foothold on a victim machine and installing two different payloads, only to incinerate its own infection by installing a noisy ransomware payload that requires a backup to fix, cremating its foothold in a flash?

Two opposing opinions fanned the flames of the debate

Some of our researchers argued that the malspam botnet authors are cheating their pay-per-install customers. The malspam authors using Smoke Loader to deliver someone else’s payloads offer no guarantee of how long the infection will last. This means that the criminal group wanting the Zeus payload installed, or the criminal group with the cryptomining payload, pay the malspam operator using Smoke Loader a fee, and once their malicious file is installed, the terms of the contract are met. Little do these criminal groups know, the ransomware payload subsequently installed is a time bomb that causes the imminent removal of their malicious files from the victims’ devices.

Clearly there is no honor among thieves

The second opinion argued that the installation of ransomware is the ultimate decoy for payloads that steal credentials and require no action from the victim for the unauthorized access to systems to succeed. Smoke Loader and Zeus variants steal sensitive data. They don’t need to be resident for long periods of time, and finding them on systems only increases the chances of alerting the victim to take action. Planting a ransomware payload poisons the Incident Response (IR) process, causing security teams to focus on addressing the conspicuous imposter ransomware payload while remaining blind to the exfiltration of sensitive data that disappears in a cloud of smoke.

To unmask the real campaign, read our smokin’ Labs blog post.