SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access to target networks, which are often delivered via phishing emails, trojanized software, or supply chain attacks, enabling persistence and lateral movement. 

Once in the network, UNC2465 utilizes tools like Advanced IP Scanner and BloodHound for reconnaissance, RDP for lateral movement, and Mimikatz for credential harvesting. 

The group has historically deployed DARKSIDE and LOCKBIT ransomware, but future operations may involve other ransomware families, as recent campaigns have focused on distributing SMOKEDHAM through malvertising and compromised software.

The attacker used an NSIS script to establish persistence and download malicious files, where the script first checks for a specific file and registry values to avoid redundant execution.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

It then creates folders, downloads an archive with a password, and extracts legitimate tools (Angry IP Scanner) and malicious ones (Microsoft.AnyKey.lnk, Microsoft.AnyKey.exe, Wiaphoh7um.t, LogUpdate.bat). 

By modifying registry keys, it ensures the malicious shortcut runs on startup and configures the MSDTC service to run with high privileges for potential DLL side-loading. 

Finally, a batch script leverages PowerShell obfuscation to download and execute a malicious .NET payload from the C2 server, initiating communication for further commands.  

The kautix2aeX payload, written in .NET, uses a C2 server for communication, which registers itself with the C2 server upon initial infection, sending the victim’s computer name and user information. 

The C2 server can then send commands like “whoami” or “systeminfo” for reconnaissance or arbitrary commands for further actions, as the payload uses RC4 encryption and a random alphanumeric string appended to each message for obfuscation. 

According to TRAC Labs, it can also take screenshots and upload/download files, while the PowerShell version of the payload injects its C# code into memory for execution. 

Malicious actors are using EV certificates to sign executables containing additional files, which include aclui-2.dll and aclui.dll, both malicious DLLs containing PowerShell commands to execute hidden scripts (Wiaphoh7um.t and kautix2aeX.t). oleview.exe, a legitimate binary, is used to side-load the malicious aclui.dll. 

The NSIS script checks for domain membership and, if not joined, queries a specific Amazon EC2 instance, possibly as a diversion, while persistence is achieved by copying oleview.exe and the renamed aclui.dll along with a registry run key entry.  

The SMOKEDHAM actor used systeminfo and directory listing commands to gather information about the system and then downloaded a PowerShell script containing malicious instructions via a Dropbox link. 

The script created a directory in the ProgramData folder and downloaded additional files likely containing a modified winlogon.exe and a VNC configuration (UltraVNC.ini), also from Dropbox URLs. 

Finally, it launched the modified winlogon.exe, establishing a remote connection with an attacker-controlled server using UltraVNC over port 443, which suggests the attacker aimed for remote access and potential privilege escalation.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar