PsiXBot: The Evolution Of A Modular .NET Bot

released on 2019-03-28 @ 06:34:00 PM
On the 21st of February 2019, Fox-IT noticed SmokeLoader, a popular bot used to install additional malware on infected machines for a fee, push a task to distribute a .NET malware sample. Further research on the sample revealed a modular bot with capabilities such as stealing data from infected hosts and receiving download & execute tasks. Our interest was further piqued when the Spelevo Exploit Kit started distributing the same malware on the 16th of March, at which point we decided to investigate this piece of malware further, resulting in the findings below. Having seen it evolve since 2017 and now leave beta versioning, we observe it being distributed through multiple infection vectors, such as exploit kits and malware loaders.