Researchers at Cyble Research and Intelligence Labs (CRIL) reported a new malware strain named SmokeLoader. The researchers claim that the malware might be related to popular malware strains such as SystemBC and Raccoon Stealer 2.0. The new malware is also believed to be associated with the cryptocurrency stealer Laplas Clipper.
The researchers identified over 180 malware samples in the last two weeks, which indicates that the malware has been used widely in several campaigns by threat actors. Interestingly, SmokeLoader is also being used by actors who download and install more malware into the victim’s systems.
SmokeLoader, a malicious bot program, is a popular malware loader in the malware markets, and it is infamous for its deception and self-protection techniques. SmokeLoader has been spotted in the wild since 2011 or earlier, carrying a variety of unusual payloads. In most cases, SmokeLoader is disseminated through spam emails, targeted spear-phishing attacks, or malicious Word/PDF documents.
Once executed, the loader injects malicious code into the “explorer.exe” process and downloads additional malware to infiltrate the victim’s devices. The threat actor uses these URLs to fetch the additional payloads:
- hxxp[:]//45.83.122[.]33/admin/wevtutil[.]exe – SystemBC RAT
- hxxp[:]//45.83.122[.]33/admin/Microsoft.AppV.AppVClientWmi[.]exe – RecordBreaker (Raccoon Stealer 2.0)
- hxxp[:]//45.83.122[.]33/admin/avicap32[.]exe – Laplas Clipper
A close look at Laplas Clipper malware
According to CRIL, Laplas Clipper uses multiple tools and services to attack its victims. For starters, it uses SystemBC, a comprehensive Proxy and Remote Administrative Tool (RAT), to control the victim’s computers and inject malicious code and additional malware. The threat actors can then steal user login information, including usernames, passwords, crypto data, and credit card details.
The researchers claim that the Clipper family of malicious programs specifically targets cryptocurrency users. It uses a standardized method for targeting its victims, which usually begins by swapping the victim’s wallet address with the threat actor’s (TA’s) address. Since crypto is still a decentralized online currency, hackers can transfer the stolen amount to any of their accounts.
Moreover, researchers also noted that malicious actors can perform this swap by monitoring the “clipboard of the victim’s system, where copied data is stored.” So, whenever a user copies data, the clipper becomes active and collects any addresses or login details in the clipboard.
Once a wallet address is located, the clipper replaces it with a different wallet address controlled by the threat actor. As Laplas uses modern malware techniques, it generates a lookalike wallet address that resembles the original, which tricks users into thinking that the address they paste is the one they copied.
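The clipboard-swap behaviour described above leaves a recognisable trace: a copied string that looks like a wallet address is overwritten, within a fraction of a second, by a different address of the same family that shares its leading and trailing characters. The following detection logic is an added example written for this article, not code from Cyble or from the Laplas/SmokeLoader samples. It assumes a clipboard telemetry feed that records each write with a timestamp, the writing process and the content (a hypothetical EDR event source); the events, addresses and process names below are constructed for the demonstration. Flagging the writer process lets an analyst tie the event back to the injected host process named in the report.

```python
import re
from dataclasses import dataclass

# Address patterns for two common families. Coverage is deliberately narrow;
# a production rule set would add further chains and formats.
ETH = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_BECH32 = re.compile(r"\bbc1[a-z0-9]{25,59}\b")
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PATTERNS = [("eth", ETH), ("btc", BTC_BECH32), ("btc", BTC_LEGACY)]


@dataclass
class ClipEvent:
    """One clipboard write as a hypothetical telemetry source would record it."""
    ts: float        # seconds since monitoring started
    process: str     # image name of the process that wrote the clipboard
    text: str        # clipboard content after the write


def extract_address(text):
    """Return (family, address) for the first wallet address in text, else None."""
    for family, pattern in PATTERNS:
        match = pattern.search(text)
        if match:
            return family, match.group(0)
    return None


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def common_suffix_len(a, b):
    return common_prefix_len(a[::-1], b[::-1])


def detect_swaps(events, window=2.0):
    """Flag a clipboard write that replaces one wallet address with another of the
    same family within `window` seconds. The prefix/suffix match lengths show how
    closely the replacement imitates the original, which is what defeats a quick
    visual check by the user."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = extract_address(prev.text), extract_address(cur.text)
        if not before or not after:
            continue
        if before[0] != after[0] or before[1] == after[1]:
            continue
        if cur.ts - prev.ts > window:
            continue  # a slow, same-family change is more likely a genuine user copy
        alerts.append({
            "family": before[0],
            "original": before[1],
            "replacement": after[1],
            "writer": cur.process,
            "prefix_match": common_prefix_len(before[1], after[1]),
            "suffix_match": common_suffix_len(before[1], after[1]),
        })
    return alerts


# Constructed sample telemetry: the user copies an address in the browser and the
# clipboard is rewritten 300 ms later by a different process with a lookalike.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", "bc1qexampleaddr5yw3xfkvy5l643lydnw9re59gtzz7q"),
    ClipEvent(0.3, "explorer.exe", "bc1qexamp4rr9tllhqjdmk8qsvhxn2cpa0dq6ytyfzzz7q"),
    ClipEvent(5.0, "chrome.exe", "meeting notes for Tuesday"),
    ClipEvent(10.0, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(30.0, "chrome.exe", "0x" + "cd" * 20),  # 20 s later: not flagged
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert['family']}] {alert['writer']} replaced {alert['original']} "
              f"with {alert['replacement']} (prefix match {alert['prefix_match']}, "
              f"suffix match {alert['suffix_match']})")
```

The time window is the main tuning knob: a genuine user copying two different addresses in succession normally takes longer than the sub-second rewrite of a clipper, while the writer field separates an expected clipboard owner from a process that should never touch the clipboard at all.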