A taste of our own medicine : How SmokeLoader is deceiving configuration extraction by using binary code as bait

A taste of our own medicine : How smokeloader is deceiving dynamic configuration extraction by using binary code as bait

Recently an interesting smoke loader sample caught my eye ,and moreover I had to put smoke loader monitoring under scrutiny , as my monitoring script found it hard to locate a live c2 . Then suddenly something strange I noticed on the dashboard , the output c2’s from the configuration extraction script and the generated pcap were different

pasted-image-10.png
Output From config extraction

pasted-image-14.png
Pcap generated output

Notice the subtle difference between two outputs ?

A configuration extraction script is essentially an instrumenting script ( using windbg or a memory acquisition tool) to extract configuration ( c2’s , keys , campaigns, etc ) from a running malware binary . It’s sole purpose is to capture a pattern in a binary to extract certain parameters like DWORD’s , constants or pointers to memory region . Generally there is a long sleep call between consecutive attempts to connects multiple c2’s , which is essentially a way though which it keeps its secondary c2’s hidden , as mostly only one of the few c2’s gets listed in a sandbox report .

The smoke loader configuration happens to be a list of c2’s and encryption keys ( DWORD )

pasted-image-16.png

This subroutine that generates a hidden c2, roughly translates to following stream in opcode .


33 C0 83 F9 02 0F 44 C8 89 0D 80 6C 00 10 8B 0C 8D E8 12 00 10

Extracting Numc2 and C2BufferArray ( encoded c2 list buffer) would be a matter of creating a regex

RegEx = \x33\xC0\x83\xF9(.)\x0F\x44\xC8\x89\x0D.{4}\x8B\x0C\x8D(.{4})

pasted-image-18.png

But unpacking a particular sample mentioned earlier , revealed another side of the story . Although the code to load encoded c2 buffer was there , but the coding routine was a clever choice of deception, which feeds a fake encoded c2 buffer , though decoded buffer is a valid http resource , but instead chooses to take the c2 buffer from a plain text value in between the subroutine
pasted-image-20.png

But the fact to notice is , not only it would fools scripts , but difference between the real and the fake c2 is so subtle , that it deceives the eyes of the beholder as well.

SmokeLoader has suffered considerably a lot due to immediate c2 takedown , its no surprise that they were looking for a quick and a smart way to tackle this problem , but seldom it goes unnoticed

 
17
Kudos
 
17
Kudos

Now read this

Understanding Neverquest Banking Trojan Polymorphic Engine

Neverquest packer uses polymorphic engine and junk code in its important subroutines. By using polymorphic engine to some extent static signature rules will fail. For example you can see the difference in between two main decoding... Continue →