Full Report
An alleged operator of the SmokeLoader malware is now facing federal hacking charges in Vermont after accusations that he stole personal information on more than 65,000 people.
Analysis Summary
# Threat Actor: Nicholas Moses (scrublord)
## Attribution & Identity
The individual identified is **Nicholas Moses**, operating under the alias **“scrublord.”** He is accused of being an operator of the SmokeLoader malware and has been charged federally in Vermont. The article also mentions that the SmokeLoader pay-per-install botnet was previously operated by an actor known as **‘Superstar’**, though direct linkage between Moses and ‘Superstar’ is not explicitly confirmed beyond Moses operating the malware.
## Activity Summary
Nicholas Moses is accused of deploying the **SmokeLoader malware** from at least **January 2022 to May 2023** to harvest personal information and passwords from victims. Prosecutors allege that over 65,000 victims globally had their data stolen. Moses allegedly maintained a Command and Control (C2) server in the Netherlands during this period to deploy the malware and receive stolen data. Specific activities include:
* Providing, in a November 30, 2022 incident, usernames and passwords for video-on-demand streaming services that had been acquired via the SmokeLoader infostealer.
* Claiming to have acquired over "half a million stealer logs."
* Selling stolen victim credentials and passwords for approximately **$1 to $5 each**.
## Tactics, Techniques & Procedures
- **Malware Deployment**: Distribution of the **SmokeLoader** loader to victim machines.
- **Information Stealing**: Harvesting personal information and passwords.
- **Data Exfiltration**: Receiving stolen data via the C2 server.
- **Monetization**: Selling high volumes of stolen credentials on underground markets.
- **Functionality of SmokeLoader**: Operates as a loader, but capable of credential theft, DDoS attacks, and keystroke interception (based on general malware description).
- **MITRE ATT&CK IDs**: Not explicitly provided in the text; however, T1560 (Archive Collected Data), T1056 (Input Capture) and T1041 (Exfiltration Over C2 Channel) would likely apply to the data collection and handling described.
## Targeting
- **Sectors**: Financial institution (specifically one FDIC-insured bank named in initial filings) and users of video-on-demand streaming services.
- **Geography**: Victims mentioned globally ("Thousands of computers around the world"), with C2 infrastructure located in the **Netherlands**.
- **Victims**: Individuals whose personal information and passwords were stolen; one specific victim named is a **Charlotte-based FDIC-insured financial institution**.
## Tools & Infrastructure
- **Malware families used**: **SmokeLoader** (described as a loader capable of credential theft).
- **Infrastructure (C2, domains, IPs)**: Maintained a **Command and Control server located in the Netherlands** from Jan 2022 to May 2023.
## Implications
The case highlights the scale and profitability of malware-as-a-service distribution like SmokeLoader, demonstrating that operators can monetize stolen credentials individually for significant recurring income. The US indictment signals significant international law enforcement focus on the downstream customers and operators of major droppers, following the broader **Operation Endgame** efforts by Europol.
## Mitigations
- Implement robust endpoint detection and response (EDR) solutions capable of detecting and blocking known malware strains like SmokeLoader.
- Enforce multi-factor authentication (MFA) across all critical services, especially financial and streaming accounts, to negate the value of stolen credentials.
- Monitor and disrupt known C2 infrastructure associated with malware loaders (though specific infrastructure is not listed here beyond location).