Operation Endgame: Up In Smoke

May 30, 2024, 6:04 p.m.

Description

A detailed technical analysis of the Smoke malware loader, also known as SmokeLoader or Dofoil, which has been operational since 2011. Smoke is primarily a downloader used to deliver second-stage payloads such as trojans, ransomware and information stealers, and it can also load custom plugins for other malicious activity. The analysis covers Smoke's persistence mechanisms, its network communication with command-and-control servers, and its remote cleanup (uninstall) routine, and explains how the international law enforcement operation 'Endgame' disrupted the loader's infrastructure and used that routine to remotely uninstall the malware from infected hosts.

Date

Published: May 30, 2024, 5:55 p.m.

Created: May 30, 2024, 5:55 p.m.

Modified: May 30, 2024, 6:04 p.m.

Indicators

vacantion18ffeu.cc

whxzqkbbtzvdyxdeseoiyujzs.co

trybobry.com.ua

trad-einmyus.com

nidoe.org

humman.art

gxutc2c.com

kkudndkwatnfevcaqeefytqnh.top

bethesdaserukam.org

galandskiyher5.com

akmedia.in

servermlogs27.xyz

Attack Patterns

SmokeLoader

T1060 (Registry Run Keys / Startup Folder; deprecated technique ID, now T1547.001)

T1136 (Create Account)

T1548 (Abuse Elevation Control Mechanism)

T1070 (Indicator Removal)

T1574 (Hijack Execution Flow)

T1547 (Boot or Logon Autostart Execution)

T1543 (Create or Modify System Process)

T1566 (Phishing)