1. Home
  2. Software
  3. SMOKEDHAM

SMOKEDHAM

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[1][2]

ID: S0649
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 22 September 2021
Last Modified: 14 April 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 .004 代理: Domain Fronting

SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.[2]
Enterprise T1598 .003 信息钓鱼: Spearphishing Link

SMOKEDHAM has been delivered via malicious links in phishing emails.[1]
Enterprise T1112 修改注册表

SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.[2]
Enterprise T1136 .001 创建账户: Local Account

SMOKEDHAM has created user accounts.[2]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

SMOKEDHAM has encrypted its C2 traffic with RC4.[2]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

SMOKEDHAM has used reg.exe to create a Registry Run key.[2]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

SMOKEDHAM can execute Powershell commands sent from its C2 server.[2]
Enterprise T1113 屏幕捕获

SMOKEDHAM can capture screenshots of the victim’s desktop.[1][2]
Enterprise T1071 .001 应用层协议: Web Protocols

SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.[2]
Enterprise T1132 .001 数据编码: Standard Encoding

SMOKEDHAM has encoded its C2 traffic with Base64.[2]
Enterprise T1027 .009 混淆文件或信息: Embedded Payloads

The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[2]
Enterprise T1204 .001 用户执行: Malicious Link

SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.[1]
Enterprise T1082 系统信息发现

SMOKEDHAM has used the systeminfo command on a compromised host.[2]
Enterprise T1033 系统所有者/用户发现

SMOKEDHAM has used whoami commands to identify system owners.[2]
Enterprise T1102 网络服务

SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.[1]
Enterprise T1087 .001 账号发现: Local Account

SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.[2]
Enterprise T1098 .007 账号操控: Additional Local or Domain Groups

SMOKEDHAM has added user accounts to local Admin groups.[2]
Enterprise T1105 输入工具传输

SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites.[2]
Enterprise T1056 .001 输入捕获: Keylogging

SMOKEDHAM can continuously capture keystrokes.[1][2]
Enterprise T1041 通过C2信道渗出

SMOKEDHAM has exfiltrated data to its C2 server.[2]
Enterprise T1564 .002 隐藏伪装: Hidden Users

SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. [2]

References

  1. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  1. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.