What is Smoke Loader? New Booby-Trapped Microsoft Word Files Can Infect Your Computer

The cybersecurity division of technology company Cisco has warned that a malicious application that infects computers using booby-trapped Microsoft Word files has learned new tricks.

Researchers from the outfit, known as Talos, said today that notorious software, code named "Smoke Loader," was among the first payloads to use an injection technique known as PROPagate in a real-world scenario. PROPagate, discovered in October 2017, is a new way of targeting Windows machines. Cyber experts said they had been tracking the new variant for "the past several months."

Smoke Loader is typically used by hackers as a "downloader" in cyberattacks, with the initial infection vector being an email containing a malware-ridden Word document. If a victim opens the attachment it will drop and execute additional malware. This can include ransomware, which locks system files and demands money, or cryptomining tools, which compromise a computer's processing power to create various forms of virtual currency.

The latest campaign was no different, Talos said. In a Tuesday blog post, researchers Ben Baker and Holger Unterbrink said the aim was to steal data and email login details from the victim's PC, specifically targeting sensitive information transferred over a web browser, including Windows credentials.

Cisco Talos
Smoke Loader received "five interesting plugins" instead of additional payloads, Talos revealed. The majority targeted browser data—Firefox, Chrome and Internet Explorer—including passwords. iStock

The email lure containing the fake attachment was titled "Your Sage subscription invoice is due" and attempted to fool victims into opening the payment request, in a long-tested, and effective, technique.

One click is all it needs to take effect. Once it is opened, the Sage-branded invoice warns: "Macros have been disabled. The document you are attempting to open requires macros to be abled. Please click the "Enable Content" button for properly displaying this document." In one case, Talos found that it had downloaded the "Trickbot" trojan, which is a well-documented form of banking malware.

Smoke Loader received five plugins instead of additional payloads, Talos revealed. At least two targeted browser data—Firefox, Chrome, Edge and Internet Explorer—including credentials.

"We have seen that the trojan and botnet market is constantly undergoing changes," the researchers wrote in their joint advisory this week. "The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date."

Yet even as cybercriminals develop covert software, Talos said there are ways to stay safe.

"We strongly encourage users to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place," it said. "These practices will help reduce the threat of a compromise and should aid in the recovery of any such attack."

To other researchers, Smoke Loader is known as "Dofoil." In March, Microsoft stopped an attack that attempted to infect hundreds of thousands of computers with cryptomining software.

Additionally, two months before the March attack in January, compromised patches for two well-publicized CPU bugs—dubbed "Spectre" and "Meltdown"—were found by anti-virus firm Malwarebytes to contain the Smoke Loader application.