
The SLoad Powershell malspam is expanding to Italy

A new malspam campaign has hit Italy in recent days; threat actors are spreading a new variant of a powerful downloader named sLoad.

sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”.

“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.

“It is still not clear if these attack attempts may be originated by any well established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163).”

sLoad implements a broad range of capabilities, including the ability to take screenshots, read the list of running processes, exfiltrate the DNS cache, exfiltrate Outlook e-mail, and other typical spyware functionality.

As usual, it arrives as a zip file attached to an e-mail. This file contains two elements:

  1. A fake shortcut to a directory (.lnk file);
  2. Legitimate image flagged as hidden.

Strangely, the image is not used in the malware’s workflow, but the link file starts a complex infection chain, as shown in the following figure:

[Figure: sLoad infection chain]

First of all, the .lnk file runs a first PowerShell activator, which searches for a file named “documento-aggiornato-novembre-*.zip”.

Then, if the .zip file exists, the PowerShell script extracts and runs a portion of code present at the end of that same file. Once this code has been extracted, it runs another PowerShell script that acts as a subsequent dropper in the attack chain.

This PowerShell code abuses the Windows BitsTransfer functionality to download two important files, config.ini and web.ini, which contain the final sLoad stage.

The malicious code gains persistence through a task defined in the system Task Scheduler that runs a Visual Basic script.

Finally, once sLoad is started, it periodically takes screenshots, gathers system information and sends other data to the C2.
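The attachment traits described above (a .lnk entry, an entry flagged as hidden, and code placed at the end of the .zip file itself) can be checked statically at a mail gateway or during triage. The following Python is an added example, not code from Yoroi's analysis or from the original post; the entry names and trailer in `build_sample` are constructed, inert placeholders, and treating "shortcut plus bytes after the archive end" as suspicious is an assumption of this example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP End Of Central Directory signature
EOCD_LEN = 22              # fixed-size part of the EOCD record
DOS_HIDDEN = 0x02          # MS-DOS "hidden" bit, low byte of external_attr


def triage_zip(data: bytes) -> dict:
    """Static checks for the traits described above; never extracts or runs anything."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no ZIP end-of-central-directory record found")
    # The last fixed EOCD field (uint16, little-endian) is the archive comment length.
    (comment_len,) = struct.unpack_from("<H", data, pos + 20)
    archive_end = pos + EOCD_LEN + comment_len
    with zipfile.ZipFile(io.BytesIO(data[:archive_end])) as zf:
        entries = zf.infolist()
    return {
        "lnk_entries": [e.filename for e in entries if e.filename.lower().endswith(".lnk")],
        "hidden_entries": [e.filename for e in entries if e.external_attr & DOS_HIDDEN],
        "trailing_bytes": len(data) - archive_end,  # bytes appended after the archive
    }


def is_suspicious(report: dict) -> bool:
    # Assumption of this example: a shortcut entry plus appended data warrants review.
    return bool(report["lnk_entries"]) and report["trailing_bytes"] > 0


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed, inert sample: placeholder bytes only, no real shortcut or script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.lnk", b"placeholder, not a real shortcut")
        img = zipfile.ZipInfo("immagine.jpg")
        img.create_system = 0            # MS-DOS/FAT attribute semantics
        img.external_attr = DOS_HIDDEN   # flag the entry as hidden
        zf.writestr(img, b"placeholder image bytes")
    return buf.getvalue() + trailer


if __name__ == "__main__":
    print(triage_zip(build_sample(b"# inert constructed trailer\n")))
    print(triage_zip(build_sample()))
```

A well-formed archive reports zero trailing bytes, so any non-zero count is worth a manual look even when no .lnk entry is present.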

Technical details, including IoCs and Yara Rules, about the sLoad malware are available on the Yoroi blog.

The SLoad Powershell Threat is Expanding to Italy


Pierluigi Paganini

(Security Affairs – malspam, malware)


The post The SLoad Powershell malspam is expanding to Italy appeared first on Security Affairs.