Malware: SMOKEDHAM

Description

[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

External References

• mitre-attack
• FireEye SMOKEDHAM June 2021
• FireEye Shining A Light on DARKSIDE May 2021

Techniques Used by This Malware

• T1027.009 — Embedded Payloads
• T1033 — System Owner/User Discovery
• T1041 — Exfiltration Over C2 Channel
• T1056.001 — Keylogging
• T1059.001 — PowerShell
• T1071.001 — Web Protocols
• T1082 — System Information Discovery
• T1087.001 — Local Account
• T1090.004 — Domain Fronting
• T1098.007 — Additional Local or Domain Groups
• T1102 — Web Service
• T1105 — Ingress Tool Transfer
• T1112 — Modify Registry
• T1113 — Screen Capture
• T1132.001 — Standard Encoding
• T1136.001 — Local Account
• T1204.001 — Malicious Link
• T1547.001 — Registry Run Keys / Startup Folder
• T1564.002 — Hidden Users
• T1573.001 — Symmetric Cryptography
• T1598.003 — Spearphishing Link