Stealthy sLoad Downloader Performs Extensive Reconnaissance to Improve Quality of Infected Hosts

October 28, 2018


A new PowerShell downloader, sLoad, has been discovered in stealthy, highly targeted attacks in the UK and Italy. sLoad runs a wide range of checks to gather information about the system it is running on before selecting the most suitable malicious payload to install, if a payload is installed at all.

sLoad was first seen in May 2018, when it was mainly used to download the Ramnit banking Trojan. More recently it has delivered a much wider range of malicious payloads, including DarkVNC, PsiBot, Ursnif, and Gootkit, according to security researchers at Proofpoint who have been studying the threat.

The malware is believed to be the work of a threat actor known as TA554, which Proofpoint has been tracking for over a year. sLoad is being used in highly targeted attacks, chiefly in the United Kingdom and Italy, although the group also often targets Canadian companies.

sLoad is one of a growing class of stealthy scripts built to carry out quiet attacks and improve the quality of infected hosts. One of the problems with infecting as many machines as possible is that the attacks are noisy and quickly noticed, giving security researchers plenty of time to study the malware, add signatures to AV software, and create patches.

Although the spray-and-pray approach of infecting as many end users as possible continues, particularly among affiliates signed up to ransomware-as-a-service, there has been a growing trend over the last few months toward a much quieter type of malware: malware that stays under the radar for longer and goes to great lengths to learn more about a system before attacks are launched.

Infection mainly occurs through spam emails, which are carefully crafted, written in the targeted country's language, and include personalized information such as the target's name and address to add credibility. The most common subjects and message themes are missed package deliveries and purchase orders, which are detailed in documents attached to the emails. Hyperlinks are also used to link to zip files containing the documents. The documents contain malicious macros that launch PowerShell scripts, which download the sLoad downloader.
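The macro-to-PowerShell step in this chain is a common detection point. The following is an added example, not taken from Proofpoint's report: it walks process ancestry in process-creation telemetry and flags PowerShell that descends from an Office application, including through an intermediate shell. The event field names (`pid`, `ppid`, `image`) and all sample records are constructed for illustration.

```python
# Constructed process-creation records. Field names are hypothetical, loosely
# modelled on EDR-style telemetry; none of this comes from a real incident.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerShell started by the user from Explorer: should not alert.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 410, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"pid": 420, "ppid": 410, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, so matching is case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_powershell(events, max_depth=8):
    """Return one alert per PowerShell process that has an Office ancestor.

    max_depth bounds the walk so malformed data (a pid that is its own
    ancestor) cannot loop forever. Real telemetry also needs a host and time
    key alongside pid, because pids are reused.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain = [basename(e["image"])]
        parent = by_pid.get(e["ppid"])
        for _ in range(max_depth):
            if parent is None:
                break
            name = basename(parent["image"])
            chain.append(name)
            if name in OFFICE:
                alerts.append({"pid": e["pid"], "chain": chain[::-1]})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for alert in office_spawned_powershell(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]))
```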

The threat group makes extensive use of geofencing at all points in the infection chain. This limits infection to particular locations and also dictates what actions are taken when a host is infected. This is especially important when the final payload is a banking Trojan. Banking Trojans target country-specific banks and use specific web injects for those attacks.

sLoad checks whether certain security processes are running on a system and will exit if those processes are found. A list of all running processes is gathered and sent back to its C2 server together with details of Citrix-related .ICA files, Outlook files, and a wide range of other system information. sLoad also checks browsing histories to determine whether the user has previously visited banks that are being targeted, and reports back its findings.

If the infected device has been used to access a banking website that Ramnit targets, the banking Trojan will be downloaded, although other malware variants can also be delivered depending on the information found during the reconnaissance phase.

“sLoad, like other downloaders we have profiled lately, fingerprints infected systems, letting threat actors better select targets of interest for the payloads of their choice,” wrote Proofpoint. “Downloaders, although, like sLoad, Marap, and others, provide high degrees of flexibility to threat actors, whether avoiding seller sandboxes, sending ransomware to a system that seems mission critical, or sending a banking Trojan to systems with the most likely return.”