In recent months, new and versatile malware downloaders have been discovered that gather a significant amount of data about a user's system before placing a malicious payload on it.
Marap and Xbash are two notable recent examples. Marap fingerprints a system and can install additional modules based on the results of its initial reconnaissance. Xbash also surveys the system, determines whether it is better suited to cryptocurrency mining or a ransomware attack, and deploys its payload accordingly.
A further versatile and stealthy malware variant, the sLoad downloader, can now be added to that list. sLoad was first discovered in May 2018, so it predates both of the above variants, although its use has been increasing.
The main aim of sLoad appears to be reconnaissance. Once installed on a system, it determines the device's location from its IP address and performs several checks to identify the type of system and the software running on it, including whether it is running on a real device or in a sandbox environment. It enumerates the processes running on the system, compares them against a hardcoded list, and exits if certain security software is present, in order to avoid detection.
If the system is judged suitable, a full scan of all running processes is completed. The sLoad installer searches for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad can also capture screenshots, and it searches the browser history for specific banking domains. All of this data is then sent back to the attackers' C2 server.
Once the system has been fingerprinted, further malware is installed, primarily banking Trojans. The threat actors behind sLoad make wide use of geofencing, which helps to ensure that banking Trojans are only placed on systems where they are likely to be effective, that is, where the victim uses one of the banks the Trojan targets.
In most of the campaigns seen so far, the banking Trojan of choice has been Ramnit. The attacks have also been highly focused on specific countries, including Canada and, more recently, Italy and the United Kingdom, locations that are currently being targeted by Ramnit. Other malware linked to the sLoad downloader includes the DarkVNC remote desktop tool, the Ursnif information stealer, DreamBot, and PsiBot.
The sLoad downloader is almost exclusively sent through spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been many email subjects used, most commonly the emails relate to purchase orders, shipping notifications and missed packages.
The emails carry Word documents with malicious macros inside ZIP files, or alternatively embedded hyperlinks that download the ZIP file if clicked.
The sLoad downloader may be stealthy and versatile, but the threat can be blocked with an advanced spam filter. End-user training that conditions staff never to click on hyperlinks or open attachments from unknown senders, or to enable macros, will also help to stop infection. Web filtering solutions supply an additional layer of protection by blocking attempts to download malicious files from the Internet.
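One concrete piece of the mail-filtering layer described above is an attachment check that opens ZIP attachments in memory and flags any Office document that carries VBA macros, rather than trusting the file extension. The Python below is an added example written for this article, not code from the article's author or from any filtering product; the `build_sample_attachment` helper and the file name `Purchase_Order_4711` are constructed test data, and the only real-world detail relied on is that Office Open XML files are ZIP containers whose macros live in a `vbaProject.bin` part.

```python
import io
import zipfile

# OOXML part names that hold VBA code. A document containing any of these is
# macro-enabled whatever its extension says.
MACRO_PART_NAMES = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}

# Office extensions worth inspecting inside a ZIP attachment.
OFFICE_EXTENSIONS = (".doc", ".dot", ".docm", ".docx", ".dotm",
                     ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")


def office_file_has_macros(name, data):
    """Return True if an Office attachment should be treated as macro-bearing.

    OOXML files are ZIP containers: a vbaProject.bin part inside means macros.
    Legacy binary formats (.doc/.dot/.xls/.ppt) are flagged conservatively,
    because ruling out macros there would need a full OLE parser.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(part.lower() in MACRO_PART_NAMES for part in doc.namelist())
    return name.lower().endswith((".doc", ".dot", ".xls", ".ppt"))


def inspect_zip_attachment(zip_bytes):
    """Walk a ZIP attachment and report Office files and macro-bearing files.

    Returns {"office_files": [...], "macro_files": [...], "block": bool}; a mail
    filter would quarantine the message when "block" is True.
    """
    findings = {"office_files": [], "macro_files": [], "block": False}
    if not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        return findings  # not a ZIP at all; leave it to other filters
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            findings["office_files"].append(info.filename)
            if office_file_has_macros(info.filename, archive.read(info)):
                findings["macro_files"].append(info.filename)
    findings["block"] = bool(findings["macro_files"])
    return findings


def build_sample_attachment(doc_name, with_macro):
    """Constructed test data: a ZIP wrapping a minimal OOXML document.

    The document is a stub (no real Word content); with_macro adds an empty
    vbaProject.bin part so the inspector sees a macro-enabled file.
    """
    doc_buf = io.BytesIO()
    with zipfile.ZipFile(doc_buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            doc.writestr("word/vbaProject.bin", b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr(doc_name, doc_buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    lure = build_sample_attachment("Purchase_Order_4711.docm", with_macro=True)
    benign = build_sample_attachment("Purchase_Order_4711.docx", with_macro=False)
    print("lure:", inspect_zip_attachment(lure))
    print("benign:", inspect_zip_attachment(benign))
```

The inspection is content-based, so renaming a `.docm` to `.docx` does not get it past the check; the trade-off is that legacy `.doc`/`.xls` files are always flagged, which is the usual policy choice when a gateway cannot parse OLE streams.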