After details of the sLoad malware were exposed in a Microsoft report last month, the malware’s authors released a new version this month, dubbed Starslord or sLoad 2.0. The new variant changes little, but it does show that malware developers are capable of evolving their products quickly.

The main purpose of sLoad is to infect Windows PCs, gather information about the host and send it to a command and control (C&C) server, then wait for instructions to download and install secondary malware payloads. Like so many other malware droppers, sLoad exists as a “pay-per-install” delivery system for more potent and dangerous programs.

One notable aspect of sLoad is that it uses the built-in Microsoft Background Intelligent Transfer Service (BITS) to communicate with its C&C servers. BITS is the service Windows uses to download updates whenever the computer’s network connection is idle. The initial infection vector is a zip file sent via email, containing a Windows Script File (WSF) that creates a BITS job to download a PowerShell script; the PowerShell script is then executed via a scheduled task. This technique is known as “living off the land” because it uses scripts and tools built into Windows, rather than compiled executable files, to evade anti-virus detection.
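Because sLoad rides on BITS, the BITS-Client operational event log is a natural place for defenders to look. The following is an added example (not from the Microsoft report or Binary Defense) that triages constructed event 59 "BITS started the ... transfer job" messages, flagging jobs that fetch from hosts outside an assumed update allowlist, from raw IP literals, or that pull script files; the event wording, the allowlist and the sample lines are all assumptions.

```python
"""Triage BITS-Client operational event 59 messages for jobs that look like
script-based droppers or C&C beacons rather than Windows Update traffic."""
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts BITS normally talks to; tune for your estate.
TRUSTED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com")
# Script types a legitimate update job has no reason to download.
SCRIPT_EXTENSIONS = (".ps1", ".wsf", ".vbs", ".js", ".bat", ".cmd")

# Event 59 wording as assumed here:
# "BITS started the <job> transfer job that is associated with the <url> URL."
EVENT59 = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL")

SAMPLE_EVENTS = [  # constructed sample log lines, not real telemetry
    "BITS started the Windows Update transfer job that is associated with the "
    "http://download.windowsupdate.com/d/msdownload/update/x.cab URL.",
    "BITS started the Edge Update transfer job that is associated with the "
    "https://msedge.b.tlu.dl.delivery.mp.microsoft.com/files/abc/MicrosoftEdge.cab URL.",
    "BITS started the 4f2a-kjd transfer job that is associated with the "
    "https://example.invalid/u/p.ps1 URL.",
    "BITS started the sysupd transfer job that is associated with the "
    "http://203.0.113.7/i.php?h=WORKSTATION-01 URL.",
]


def host_is_trusted(host: str) -> bool:
    """True when host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def analyse_event(message: str):
    """Return (job_name, url, reasons) for a suspicious event 59 line, else None."""
    m = EVENT59.search(message)
    if not m:
        return None
    job, url = m.group("job"), m.group("url")
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if not host_is_trusted(host):
        reasons.append("untrusted host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP literal host")
    if parts.path.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script payload")
    if parts.query and not host_is_trusted(host):
        reasons.append("query string to untrusted host (possible beacon/exfil)")
    return (job, url, reasons) if reasons else None


def triage(messages):
    """Filter a batch of log messages down to the suspicious jobs."""
    return [r for r in (analyse_event(m) for m in messages) if r]
```

Pair the output with the task-scheduler log: a BITS job created by a script host and followed by a new scheduled task running PowerShell is the chain described above.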
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense