Smoke Loader, a notorious downloader malware that has been in use since 2011, has seen a spike in activity in 2018, including a brand-new technique for running its code inside other processes on a Windows system. One of its more widespread and insidious deployments earlier this year found the malware hiding in phony patches for the Meltdown and Spectre vulnerabilities. But just this week, researchers discovered Smoke Loader using a new injection technique known as PROPagate.
The new method abuses the Windows SetWindowSubclass function, and the window property it leaves behind, to inject code into another running process, and it has the ability to cover its own tracks. The malware also has built-in anti-analysis defenses designed to complicate any attempt to forensically analyze, scan, or debug the malicious program. “Cybercrime is a very profitable business,” says Avast Security Evangelist Luis Corrons. “Cybercriminals have professionalized, and this is a great example. They keep up to date with any new techniques that are discovered and implement them in their attacks, always with the same goal: trying to evade all the security layers that the user has in place to steal his information.” Avast urges everyone to learn how to identify and avoid phishing and to keep all their software updated.
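The practical question an analyst has after reading the above is what the abused property looks like on a live machine. The following PowerShell script is an added example, not code from the Avast post or from the researchers it cites: it enumerates every top-level and child window on the current desktop and reports those carrying the property that SetWindowSubclass stores with SetProp. The property names it checks, UxSubclassInfo and the older CC32SubclassInfo, come from the public PROPagate research rather than from this page. Because comctl32.dll is the only legitimate writer of that property, the script also records whether the owning process has comctl32 loaded at all; a property on a window in a process that never loaded it is worth a closer look. Legitimate subclassing is very common, so treat the output as a baseline to compare against, not as a detector.

```powershell
# Added example (not from the Avast post): list windows that carry the
# comctl32 subclass property written by SetWindowSubclass, with the owning
# process. Property names are taken from public PROPagate write-ups.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class SubclassScan {
    public delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumChildWindows(IntPtr parent, EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, EntryPoint = "GetPropW")]
    public static extern IntPtr GetProp(IntPtr hWnd, string name);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, EntryPoint = "GetClassNameW")]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

# Property names SetWindowSubclass uses (UxSubclassInfo on current comctl32,
# CC32SubclassInfo on older builds). These are assumptions from public research.
$propNames = @('UxSubclassInfo', 'CC32SubclassInfo')
$hits = New-Object System.Collections.Generic.List[object]

function Test-Window([IntPtr]$hWnd) {
    foreach ($name in $propNames) {
        $prop = [SubclassScan]::GetProp($hWnd, $name)
        if ($prop -eq [IntPtr]::Zero) { continue }

        $ownerPid = [uint32]0
        [void][SubclassScan]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
        $cls = New-Object System.Text.StringBuilder 256
        [void][SubclassScan]::GetClassName($hWnd, $cls, $cls.Capacity)

        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        # Only comctl32 legitimately writes this property. Module enumeration can
        # fail across bitness or privilege boundaries, so failures are tolerated.
        $hasComctl = $false
        if ($proc) {
            try { $hasComctl = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'comctl32.dll' }) } catch {}
        }

        $hits.Add([pscustomobject]@{
            HWnd           = ('0x{0:X}' -f $hWnd.ToInt64())
            Class          = $cls.ToString()
            Property       = $name
            PropValue      = ('0x{0:X}' -f $prop.ToInt64())
            PID            = $ownerPid
            Process        = if ($proc) { $proc.ProcessName } else { '?' }
            Comctl32Loaded = $hasComctl
        })
    }
}

# Walk every top-level window and its children; subclassed controls are
# usually child windows, so EnumWindows alone would miss most of them.
$childCb = [SubclassScan+EnumProc]{ param($h, $l) Test-Window $h; return $true }
$topCb   = [SubclassScan+EnumProc]{
    param($h, $l)
    Test-Window $h
    [void][SubclassScan]::EnumChildWindows($h, $childCb, [IntPtr]::Zero)
    return $true
}
[void][SubclassScan]::EnumWindows($topCb, [IntPtr]::Zero)

$hits | Sort-Object Process, Class | Format-Table -AutoSize
```

Run it in an elevated session from a PowerShell whose bitness matches the processes of interest, or the module check will silently report $false. The PropValue column is a pointer into the owning process's heap; validating that the callback inside that structure points at a legitimately loaded module would require reading the remote process's memory and is beyond this triage listing.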