Operation Endgame: Up In Smoke

May 30, 2024, 6:04 p.m.

Description

A detailed technical analysis of Smoke malware loader, also known as SmokeLoader or Dofoil, which has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads like trojans, ransomware, and information stealers, and can also deploy custom plugins for various malicious activities. The analysis covers Smoke's persistence mechanisms, network communication, and remote cleanup process, and how the international law enforcement operation 'Endgame' disrupted its infrastructure and remotely uninstalled the malware.

External References

https://www.zscaler.com/blogs/security-research/operation-endgame-smoke
https://otx.alienvault.com/pulse/6658bd75d4233dffface6037
Tags
smokeloader
2024-05-30
operation endgame

Date

  • Created: May 30, 2024, 5:55 p.m.
  • Published: May 30, 2024, 5:55 p.m.
  • Modified: May 30, 2024, 6:04 p.m.

Indicators

  • vacantion18ffeu.cc
  • whxzqkbbtzvdyxdeseoiyujzs.co
  • trybobry.com.ua
  • trad-einmyus.com
  • nidoe.org
  • humman.art
  • gxutc2c.com
  • kkudndkwatnfevcaqeefytqnh.top
  • bethesdaserukam.org
  • galandskiyher5.com
  • akmedia.in
  • servermlogs27.xyz
Download all indicators here!

Attack Patterns

  • SmokeLoader
  • T1060
  • T1136
  • T1548
  • T1070
  • T1574
  • T1547
  • T1543
  • T1566