Search This Blog

Showing posts with label Downloader. Show all posts

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks. 

New Malware Downloader Spotted in Targeted Campaigns

 

In recent weeks, a relatively sophisticated new malware downloader has emerged that, while not widely distributed yet, appears to be gaining momentum. Malwarebytes researchers recently discovered the Saint Bot dropper, as they have termed it, being used as part of the infection chain in targeted campaigns against government institutions in Georgia. 

Saint Bot was discovered by researchers while investigating a phishing email containing a zip file containing malware they had never seen before. The zip file included an obfuscated PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that led to Saint Bot being dropped on the compromised system. 

In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, the new loader is probably being used by a few different threat actors, implying that there are likely other victims. 

One of the information stealers that Saint Bot has noticed dropping is Taurus, a malware tool designed to steal passwords, browser history, cookies, and data from auto-fill. The Taurus stealer can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system. 

Malware droppers are specialized tools designed to install various types of malware on victim systems. One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that case, the dropper was specifically designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. 

Basically, the downloaders are first-stage malware tools designed to deliver a wide range of secondary and tertiary commodity payloads, such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers in recent years, such as Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals. 

Saint Bot, like many other droppers, has several unclear and anti-analysis features to help it avoid malware detection tools. It is designed to detect virtual machines and, in some cases, to detect but not execute on systems located in specific Commonwealth of Independent States countries, which include former Soviet bloc countries such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files." a spokesman from Malwarebytes' threat intelligence team states. In all instances, Saint Bot was eventually used to drop stealers. 

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that the malware's creators are still actively working on it. According to the security vendor, its investigation of the Saint Bot reveals that a previous version of the tool existed not long ago. " Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesman said.