
sLoad 2.0 Malware

After details of the sLoad malware were exposed in a Microsoft report last month, the authors of the malware released a new version this month, dubbed Starslord or sLoad 2.0. The new variant does not change much, but it does show that malware developers are capable of evolving their products quickly. The main purpose of sLoad is to infect Windows PCs, gather information, send that information to a command and control (C&C) server, and then wait for instructions to download and install secondary malware payloads. sLoad, like so many other malware droppers, exists as a “pay-per-install” delivery system for more potent and dangerous programs. One of the notable aspects of sLoad is that it uses the built-in Microsoft Background Intelligent Transfer Service (BITS) to communicate with its C&C servers. BITS is the service Windows uses to download updates whenever the computer’s network connection is idle, so BITS transfers blend in with normal system activity. The initial infection vector is a zip file sent via email, containing a Windows Scripting File (WSF) script that creates a BITS job to download a PowerShell script. The PowerShell script is then executed using a scheduled task. This is a technique known as “living off the land” because it uses scripts and tools built into Windows, instead of compiled executable files, to evade anti-virus detection.

Analyst Notes

The Microsoft team was able to expose sLoad last month and again this month with the new 2.0 version. These reports are extremely damaging to the malware authors because they expose their defense evasion techniques, which allows defenders to better protect their systems. The best defense against threats that “live off the land” using built-in binaries and scripts is for skilled analysts to monitor Endpoint Detection and Response (EDR) telemetry to detect suspicious scripts, scheduled tasks, BITS jobs and other signals of potential attacker behavior. The Security Operations Center analysts at Binary Defense analyze events from monitored endpoints 24 hours a day, 7 days a week to discover advanced threats that attempt to evade detection. Because anti-virus vendors are constantly researching and updating their products, it is also advised to keep that software updated to the newest signature definitions to help defend a system.
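The infection chain described above (script host creates a BITS job, BITS fetches a PowerShell script, a scheduled task runs it) and the analyst recommendation to watch BITS jobs and scheduled tasks in EDR telemetry can be turned into concrete detection logic. The following is an added example written for this page, not code from Binary Defense or Microsoft. The event records, the trusted-host allow-list, the field names and the event IDs used as labels are constructed assumptions for illustration, not the exact Windows event schema; the scoring thresholds and the 15-minute correlation window are likewise assumptions a real deployment would tune.

```python
"""Detection logic for a BITS-to-scheduled-task 'living off the land' chain.

Each BITS job-creation record and each scheduled-task-creation record is scored
on its own; a flagged BITS download that is then referenced by a flagged task
under the same user within a short window is raised as a high-severity chain.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed, simplified endpoint events (assumed field names, not the real
# Windows schema). "BITS-Client" 59 stands in for a BITS job-creation record
# and Security 4698 for a "scheduled task created" record.
EVENTS = [
    {"time": "2020-01-14T09:12:03", "source": "BITS-Client", "event_id": 59,
     "process": "wscript.exe", "user": "WS01\\jdoe", "job_name": "update",
     "url": "http://203.0.113.10/files/run.ps1"},
    {"time": "2020-01-14T09:12:04", "source": "BITS-Client", "event_id": 59,
     "process": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "job_name": "WU Client Download",
     "url": "http://download.windowsupdate.com/c/msdownload/update/example.cab"},
    {"time": "2020-01-14T09:12:40", "source": "Security", "event_id": 4698,
     "process": "wscript.exe", "user": "WS01\\jdoe", "task_name": "\\Updater",
     "command": "powershell.exe",
     "arguments": "-ExecutionPolicy Bypass -WindowStyle Hidden "
                  "-File C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.ps1"},
    {"time": "2020-01-14T10:00:00", "source": "Security", "event_id": 4698,
     "process": "mmc.exe", "user": "WS01\\admin", "task_name": "\\Backup",
     "command": "C:\\Program Files\\Backup\\backup.exe", "arguments": "/daily"},
]

# Assumed allow-list of hosts that legitimately appear in BITS jobs; a real
# deployment would build its own from observed update traffic.
TRUSTED_DOWNLOAD_HOSTS = {"download.windowsupdate.com", "dl.delivery.mp.microsoft.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
ACTIVE_CONTENT = (".ps1", ".vbs", ".wsf", ".js", ".hta", ".exe", ".dll")
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "bypass", "hidden", "-nop",
                   "-noprofile", "downloadstring", "iex")
MIN_REASONS = 2  # require two independent signals before alerting on one event


def bits_reasons(event):
    """Signals that a BITS job looks like a dropper rather than an update."""
    reasons = []
    if event["process"].lower() in SCRIPT_HOSTS:
        reasons.append(f"BITS job created by script host {event['process']}")
    parsed = urlparse(event["url"])
    host = parsed.hostname or ""
    if host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append(f"download from untrusted host {host}")
    if parsed.path.lower().endswith(ACTIVE_CONTENT):
        reasons.append(f"remote file is active content ({parsed.path.rsplit('.', 1)[-1]})")
    return reasons


def task_reasons(event):
    """Signals that a new scheduled task is a script launcher."""
    reasons = []
    exe = event["command"].lower().rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"task action runs script host {exe}")
    args = event["arguments"].lower()
    hits = [flag for flag in SUSPICIOUS_ARGS if flag in args]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    if event["process"].lower() in SCRIPT_HOSTS:
        reasons.append(f"task registered by script host {event['process']}")
    return reasons


def analyze(events, window=timedelta(minutes=15)):
    """Score events individually, then correlate BITS downloads with tasks."""
    alerts, flagged_bits, flagged_tasks = [], [], []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["source"] == "BITS-Client" and e["event_id"] == 59:
            kind, reasons, bucket = "bits", bits_reasons(e), flagged_bits
        elif e["source"] == "Security" and e["event_id"] == 4698:
            kind, reasons, bucket = "task", task_reasons(e), flagged_tasks
        else:
            continue
        if len(reasons) >= MIN_REASONS:
            bucket.append(e)
            alerts.append({"kind": kind, "severity": "medium", "time": e["time"],
                           "user": e["user"], "reasons": reasons})
    # Chain: the file fetched by a flagged BITS job is the file a flagged task
    # runs, for the same user, with the task created shortly after the download.
    for task in flagged_tasks:
        t_task = datetime.fromisoformat(task["time"])
        for job in flagged_bits:
            t_job = datetime.fromisoformat(job["time"])
            filename = urlparse(job["url"]).path.rsplit("/", 1)[-1].lower()
            if (job["user"] == task["user"] and filename
                    and timedelta(0) <= t_task - t_job <= window
                    and filename in task["arguments"].lower()):
                alerts.append({"kind": "chain", "severity": "high", "time": task["time"],
                               "user": task["user"],
                               "reasons": [f"BITS job fetched {filename} at {job['time']}; "
                                           f"task {task['task_name']} runs it at {task['time']}"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(f"[{alert['severity']}] {alert['kind']} {alert['time']} {alert['user']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run as-is, the script raises two medium alerts (the script-host-created BITS job pulling a .ps1 from an untrusted host, and the task that launches hidden PowerShell with execution policy bypass) and one high-severity chain alert linking them; the Windows Update download and the admin's backup task produce no reasons and stay silent. Requiring two signals per event keeps a single untrusted download or a lone PowerShell task from paging an analyst, while the correlation step is what surfaces the dropper pattern the page describes.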