Monday 5 August 2019

Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer?

Smokeloader is a small modular bot first seen in 2011 [1] mainly used as a dropper for other malware families. Although mainly used for delivering a second stage stage, Smokeloader implements several malicious capabilities through its modules, such as: keylogging, process monitoring, DDOS, DNS redirection and form grabbing. These modules are often used for profiling and accessing infected machines before deploying a final malware increasing effectiveness of campaigns.  

- So here comes the main story -

Last week I saw a tweet [2] with an image of this server hosting few quite large executables (~1.2MB) claimed to be Smokeloader samples. These binaries were accessible through an Open Directory.

Figure 01: Open Directory exposing modified Smokeloader samples.

Along the 30th and 31st of July these files were changed few times. Here are the hashes found and analysed during the time of this research:

What caught my attention was that the controller contacted by these samples were different from the ones extracted by using public knowledge on this malware family [3].

Figure 02: Network capture showing HTTP connection to hardcoded controller.

Although extractor returns "hxxp://185.35.137[.]147/mlp/" as controller URL the sample tries to connect to "hxxp://jnanny2[.]pw/br/". This means that something modified the way controller URLs are stored. So we decided to reverse one of these samples and check what was going on.

Although all these samples have the same anomalous behaviour, we picked up "joibr.exe" for experimenting (from now one called "target sample").

Target sample is based on the 2018 version of Smokeloader since it sends 63 bytes of data to the controller and open source configuration extraction code for this specific version are able to retrieve the configuration correctly.

In order to compare what was changed, a 2018 Smokeloader sample [4] behaving like expected was also reversed (called "normal" sample from now on in this article). This sample tries to connect to "hxxp://ymad[.]ug/" which is exactly the same address observed in the config.

The following code shows the first part of the URL decryption routine for our normal sample:

Figure 03: First part of C2 URL decryption routine of a normal 2018 Smokeloader sample

Summarising, this code iterates through an array of pointers where its index is stored in a variable named "C2_index". Each pointer in this array points to a blob of data containing an encrypted URL which will be used as controller. This same code could be found in the target sample.

Figure 04: First part of C2 URL decryption routine of a modified 2018 Smokeloader sample

As we can see both routines are identical with one single difference: the label given to the addresses in the jump instruction at the bottom of the last basic block. If we keep reversing,  the normal sample jumps to the second part of the decryption code which decrypts data passed as parameter through ECX and returns a plain-text URL.

Figure 05: Second part of C2 URL decryption routine of a normal 2018 Smokeloader sample

This code basically allocates a buffer, decrypts the URL and returns a pointer to it.

Now comes the interesting part - for the target sample we got the following code as second part of the decryption routine.

Figure 06: Hardcoded C2 address of a modified 2018 Smokeloader version.

As we can see this routine has the "real" controller URL hardcoded together with the code. We can also note some evidences pointing that this code is kind of handcrafted (e.g. that "$+5" trick to get the address of the string).

Another really interesting characteristic is that this code is EXACTLY the same size of the original encryption function (82 bytes). This is a strong evidence that the original code has been patched.

This patch makes sense in order to bypass the business model of this family as Smokeloader developer also monetises by selling re-builds. This means that every time a buyer wants to change C2s URLs they have to contact the developer and pay for a new build (30 USD).
- BOT - 400$ 
- STEALER - 100$
- FAKE DNS - 100$
- DDOS - 200$
- HIDDEN TV - 150$
- PROCMON - 50$
- ребилд бота - 30$ (ребилды делаются в случае блокировки основного адреса, либо "про запас", если я буду отсутствовать более недели)
- обновления: мелкие фиксы - бесплатно, остальное обговаривается отдельно

So this leave us with three hypotheses:
  • Someone got tired of paying the 30 USD;
  • Someone decided to cut off the delay of contacting the author (in order to update C2 addresses within samples); or
  • Someone is planning to create a new builder and re-sell the malware for a cheaper price. :D
Now that we have more or less a picture on what is going on I decided to retro hunting samples presenting similar characteristics. I could find few Smokeloader 2017 samples doing the same trick dating since February 2018. This modified version has been around for some time and has co-existed with the official one. Figure 07 shows the same technique being used in a 2017 sample.

Figure 07: C2 address of a modified 2017 Smokeloader version.

Encrypted payload containing "hxxp://dogewareservice[.]ru/" is present in the sample and decryption function was patched to return a hardcoded controller address ("hxxp://haxmall[.]in/s/").

- Conclusions -

This move does not disrupt the business as this side version of Smokeloader is frozen in version 2018 and Smokeloader's official developer continues improving the malware. According to our retro hunting, both modified and official versions of Smokeloader have been co-existing for some time without any issue. Finally, there is a possibility that new vendors will show up selling modified versions of this malware by a fraction of its original price and take some market share.

[01] hxxp://grandsinarsari[.]com/av/ (hosting Smokeloader samples)
[02] hxxp://www.confezionamento-viti[.]it/img/1/ (hosting Smokeloader samples)
[03] 6632e26a6970d8269a9d36594c07bc87d266d898bc7f99198ed081d9ff183b3f  (Smokeloader)
[04] 1cea3a87500fdc933aa64cc45373034b1da6921644640106cd56483aa758b3bf  (Smokeloader)
[05] 501675053b0d4ba02477900a5b28829e2f009f68dffc044d51ba3d2c61c042b9  (Smokeloader)
[06] 8d40fb9983050026c86277d9443d384e1a1aee92582cc2e61415fa6a3a0b4c99  (Smokeloader)
[07] 065871459fa254daa362564b70ea4357bb197ef04cfee8de7426cfdf480e4a78 (Smokeloader)
[08] hxxp://185.35.137[.]147/mlp/ (Smokeloader C2)
[09] hxxp://jnanny2[.]pw/br/ (Smokeloader C2)
[10] hxxp://dogewareservice[.]ru/ (Smokeloader C2)
[11] hxxp://haxmall[.]in/s/ (Smokeloader C2)