SmokeBuster Tool

Nov. 5, 2024, 10:03 a.m.

Description

ThreatLabz has developed SmokeBuster, a tool to detect, analyze, and remove SmokeLoader malware from infected systems. Although Operation Endgame disrupted SmokeLoader in May 2024, threat groups continue to use it. SmokeBuster supports multiple SmokeLoader versions and Windows systems, offering features such as uninstallation, thread control, and memory manipulation. Developing the tool revealed bugs in recent SmokeLoader versions that significantly degrade system performance. These flaws stem from the malware's persistence implementation, its infection checks, and inadequate thread and memory cleanup: the bugs cause repeated injections and thread creation, so an infected system slows down over time. SmokeBuster's capabilities may accelerate SmokeLoader's decline, especially given these performance-degrading flaws.

Date

  • Created: Oct. 31, 2024, 9:16 p.m.
  • Published: Oct. 31, 2024, 9:16 p.m.
  • Modified: Nov. 5, 2024, 10:03 a.m.

Attack Patterns

  • Dofoil
  • Smoke Loader - S0226
  • SmokeLoader
  • T1497
  • T1574
  • T1547
  • T1543
  • T1055
  • T1036
  • T1027
  • T1053
  • T1112
  • T1059