For this PUP Friday post, we’re going to look into PUPs that we can simply classify as “Downloaders”. We have sampled a bundler offering the program called Internet Download Manager, which is capable of downloading other files we detect as PUP and connects to sites leading to suspicious destinations.
This time we will have a look at another payload from recent RIG EK campaign. It is Smoke Loader (also known as Dofoil), a bot created several years ago. One of its early versions was advertised on the black marker in 2011.
Read on to learn how the latest downloaders used to deliver Locky ransomware and show how to statically decipher their hidden URLs.