A study by TRAC Labs reveals details about a backdoor called “SMOKEDHAM”, a malicious tool used by hacker UNC2465. The financially motivated attacker has been in action since 2019, the SMOKEDHAM tool plays a main role in sophisticated extortion and launching ransomware attacks, making UNC2465 the most adaptive and persistent threat group in the cybersecurity environment.

About Smokedham malware

SMOKEDHAM is a highly adaptable backdoor planted through trojanized software installers and strives via malvertising campaigns. “UNC2465 has leveraged trojanized installers disguised as legitimate tools, such as KeyStore Explorer and Angry IP Scanner, to deliver SMOKEDHAM payloads,” says TRAC Labs.

Once deployed, SMOKEDHAM allows hackers initial entry to a victim’s device, making way for network surveillance, later movements, and deploying ransomware. If we look back, SMOKEDHAM has links with DARKSIDE ransomware, and UNC2465 has now shifted focus to Lockbit ransomware.

When infecting the target system, SMOKEDHAM uses stealthy techniques, this includes DLL side-loading and PowerShell obfuscation. 

Important steps in the infection process include: 

Manipulating Service: The backdoor changes configurations of Windows services like MSDTC to maintain presence and exploit privileges. “The purpose of running these commands is to later DLL side-load the binary named oci.dll retrieved from the C2 server.”

Trojanized Installers: Distributed through famous platforms like Google Ads, these trojan installers may look legit but contain a malicious SMOKEDHAM payload.

Registry and Batch Script Modifications: Infected scripts run payloads, and configure registry keys for maintaining presence, and also make PowerShell commands for obfuscation. 

For post-campaign activities, the attacker uses:

1. Using tools such as Advanced IP Scanner and Bloodhound to track valuable targets in a compromised network. 

2. Credential Harvesting: Extracting login credentials for future exploitation. 

3. Escaping Firewall: Using NGROK to leak internal services like RDP to the web, evading network defenses. 

“Approximately 6 hours after the execution of the malicious binary on the beachhead host, the threat actors moved laterally to the Domain Controller using WMI,” says TRAC labs.

The SMOKEDHAM backdoor is a living example of sophisticated cyber threats corrupting the cybersecurity industry, with its advanced tools for surveillance, network infiltration, and persistence.