Delaware, USA – January 23, 2020 – Attackers released an updated version of sLoad very quickly after Microsoft published a detailed analysis of the malware, and it seems they will have to work on an update again. In mid-December, the Microsoft Defender ATP Research Team analyzed this multi-stage malware downloader, which has been known for several years and whose operators sell access to infected systems to other attackers. The downloader is mainly used by small groups to distribute banking trojans, but given current trends it could also be used to deliver ransomware or cyberespionage tools. A few weeks after the publication, the malware authors rolled out sLoad 2.0 (Starslord), which the Microsoft team quickly discovered and covered in a new report. Let’s see how quickly the third version of this malware appears.
The downloader has attracted researchers’ attention with its unusual techniques and excessive sophistication. sLoad misuses the Windows BITS service for command-and-control communications, but unlike other malware abusing this service, it sets up BITS scheduled tasks not only to communicate with the C&C server but also to download the next-stage payloads and send screenshots to the attackers. The malware authors also rely on PowerShell scripts for fileless execution. The new version differs only slightly from its predecessor: the attackers added anti-analysis features, tracking of the infection stages, and the use of WSF scripts instead of VB scripts. You can visit the MITRE ATT&CK section of Threat Detection Marketplace to learn more about the BITS Jobs technique and find rules to detect misuse of the BITS service: https://tdm.socprime.com/att-ck/?techniques%5B%5D=T1197
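As an added illustration of the detection angle this paragraph ends on, the script below runs a few simple BITS-job heuristics over constructed log lines. It is example code written for this page, not a SOC Prime rule, Microsoft telemetry, or anything from the sLoad analysis. The log-line layout (loosely modelled on the Microsoft-Windows-Bits-Client/Operational event 59 message, "BITS started the ... transfer job that is associated with the ... URL"), the host allowlist, and the 203.0.113.10 destination are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines (not captured telemetry). The layout is an assumption
# loosely based on the Bits-Client operational event 59 message text.
SAMPLE_LOG = """\
2020-01-23T09:12:01Z EventID=59 BITS started the 'EdgeUpdate' transfer job that is associated with the 'https://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/abc' URL.
2020-01-23T09:14:33Z EventID=59 BITS started the 'Push Notifications' transfer job that is associated with the 'http://203.0.113.10/upd/stage2.wsf' URL.
2020-01-23T09:15:02Z EventID=59 BITS started the 'sync' transfer job that is associated with the 'http://203.0.113.10/gate.php?x=1' URL.
2020-01-23T09:16:45Z EventID=59 BITS started the 'screen' transfer job that is associated with the 'http://203.0.113.10/upload/scr.jpg' URL.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) BITS started the '(?P<job>[^']+)' transfer job "
    r"that is associated with the '(?P<url>[^']+)' URL\.$"
)

# Hosts a typical Windows machine is expected to reach over BITS.
# Assumed baseline for this example; tune it to the environment's real update sources.
ALLOWED_HOST_SUFFIXES = (
    ".delivery.mp.microsoft.com",
    ".windowsupdate.com",
    "download.microsoft.com",
)

# Script hosts the article mentions (PowerShell, WSF, VBScript) plus JScript.
SCRIPT_EXTENSIONS = (".ps1", ".wsf", ".vbs", ".js")


def parse_bits_events(log_text):
    """Return the 'job started' (event 59) records found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("eid") == "59":
            events.append(m.groupdict())
    return events


def host_allowed(host):
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_HOST_SUFFIXES)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_job(event):
    """Return the list of reasons a BITS job looks suspicious (empty if none)."""
    parsed = urlparse(event["url"])
    host = (parsed.hostname or "").lower()
    reasons = []
    if not host_allowed(host):
        reasons.append("unexpected_host")       # not a known update source
    if is_ip_literal(host):
        reasons.append("raw_ip_destination")    # C&C by bare IP rather than a name
    if parsed.path.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script_payload")        # next-stage script fetched via BITS
    return reasons


def find_suspicious_bits_jobs(log_text):
    findings = []
    for ev in parse_bits_events(log_text):
        reasons = analyse_job(ev)
        if reasons:
            findings.append({"ts": ev["ts"], "job": ev["job"], "url": ev["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bits_jobs(SAMPLE_LOG):
        print(f"{f['ts']} job={f['job']!r} url={f['url']} reasons={','.join(f['reasons'])}")
```

Run against the constructed log, the legitimate Edge update job passes cleanly while the three jobs pointing at the bare IP are reported, with the `.wsf` fetch additionally tagged as a script payload. In a real deployment the allowlist is the part that needs care: too narrow and every third-party updater becomes noise, too broad and a C&C host hiding behind a familiar-looking name slips through.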