This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
Fraudulent updates purported to be from the German Federal Office for Information Security (BSI) have been used as a delivery mechanism for the malware. These patches claim to fix the recent Intel vulnerabilities and as such are likely to receive greater attention by users, increasing the chance they will interact with the malware.
Once downloaded, the malware injects itself into explorer.exe before communicating with its Command and Control Server (C2) server in order to install the latest version of itself. These updated samples are packaged using a different encryption scheme to make detection harder, before being stored in a hidden &APPDATA% subfolder.
Smoke Loader will attempt to maintain persistence through the addition of new registry keys and uses partially encrypted code with redundant jumps as an anti-forensics tool. It also performs environment checks to avoid being executed in a controlled environment and will ensure network connection by connecting to various legitimate sites before initiating C2 communications.
Remediation steps
Last edited: 11 January 2022 11:49 am