sLoad malware gang returns: Microsoft detects quickly revamped 2.0 version

The sLoad malware has been around for years. After Microsoft detailed it in December, it returned earlier this month with a 2.0 version named Starslord.

Microsoft published a report in December on the activity of a malware gang known as sLoad. The company has now revealed that sLoad returned earlier this month with a 2.0 version called Starslord. Although the new version does not introduce major changes, the speed with which the gang shipped it shows how fast the group operates.

The malware operation

sLoad has been around for years. It is what is usually called a "malware downloader" or "malware dropper", and it has four main jobs:

  • Infect Windows systems
  • Gather information about the infected system
  • Send that information to a command and control (C&C) server
  • Wait for instructions to download and install a second malware payload

In other words, sLoad is a delivery system for more potent malware strains, and the sLoad gang makes its money by selling pay-per-install access to the infected machines to other cybercriminal operations.

According to Microsoft, sLoad stands out among malware downloaders for a level of sophistication that is unusual for such a simple role, and for its use of non-standard techniques.


Microsoft report

In December the company revealed that sLoad is one of the few malware strains that routes its entire host-to-server communication through the Windows Background Intelligent Transfer Service (BITS), a built-in Windows component that Windows Update uses to deliver updates to users all over the world. BITS transfers files in the background using otherwise idle network bandwidth, so it does not compete with the user's own traffic and draws little attention.

Microsoft's earlier report stated that sLoad's network stack was built entirely on the BITS service of the infected host. The malware sets up BITS jobs, driven by scheduled tasks that run at regular intervals, and these jobs download the secondary malware payloads and send data collected from the infected host back to the C&C server. Version 1.0 could also take screenshots of the infected host.
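As an added example (not code from the article or from Microsoft), the following PowerShell script looks on a Windows host for the pattern described above: BITS transfer jobs, for all users, whose remote endpoint is outside an allowlist or which upload rather than download, and scheduled tasks whose action invokes BITS or a script interpreter, especially with hidden or encoded PowerShell. The allowlist of hosts, the regular expressions and the flag labels are assumptions to adapt to your environment.

```powershell
# Added hunting example, not sLoad code and not Microsoft's tooling.
# Run in an elevated PowerShell on the host under review.

# Assumed allowlist: hosts this environment expects BITS to talk to.
# Anything else is reported for review, not declared malicious.
$AllowedHosts = @(
    '*.microsoft.com', '*.windowsupdate.com', '*.windows.com', '*.office.com'
)

function Test-HostAllowed {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $AllowedHosts) {
        if ($h -like $pattern) { return $true }
    }
    return $false
}

Write-Host "== BITS jobs (all users) =="
# -AllUsers requires elevation; jobs created in another user's session
# appear with that user as OwnerAccount.
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        $flag = if (Test-HostAllowed $f.RemoteName) { '' } else { '[REVIEW]' }
        # Upload jobs are rare for legitimate software and match the
        # "send data back to the C&C server" behaviour described above.
        if ($job.TransferType -ne 'Download') { $flag += ' [UPLOAD]' }
        [pscustomobject]@{
            Flag    = $flag.Trim()
            Owner   = $job.OwnerAccount
            Name    = $job.DisplayName
            Type    = $job.TransferType
            State   = $job.JobState
            Created = $job.CreationTime
            Remote  = $f.RemoteName
            Local   = $f.LocalName
        }
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize

Write-Host "== Scheduled tasks whose action invokes BITS or a script host =="
# Assumed patterns: BITS clients, PowerShell and the Windows script hosts
# that run VBS/WSF files; and the usual signs of hidden/encoded commands.
$suspicious = '(?i)bitsadmin|Start-BitsTransfer|powershell|pwsh|wscript|cscript'
$encoded    = '(?i)-enc|-e\s|-w(indowstyle)?\s+hidden|-nop|FromBase64String|IEX|Invoke-Expression'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute/Arguments; they
        # simply produce an empty command string and are skipped.
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Flag    = if ($cmd -match $encoded) { '[HIDDEN/ENCODED]' } else { '' }
                Path    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                State   = $task.State
                LastRun = $info.LastRunTime
                NextRun = $info.NextRunTime
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

Live BITS jobs disappear once they complete or are cancelled, so on a host where the download has already happened the job list may be empty; the Microsoft-Windows-Bits-Client/Operational event log keeps a record of job creation and transfer activity and is worth collecting centrally for the same hunt.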

Return of the malware gang

After being exposed by Microsoft, the sLoad gang reworked their code and shipped a new version 2.0 earlier this year. Their success is unlikely to last, because Microsoft has published another exposé detailing v2.0 in the same depth as v1.0.

Sujit Magar, a malware analyst on the Microsoft Defender ATP Research Team, stated that the new sLoad 2.0 version has largely remained the same. He mentioned that it still uses the BITS service for all network operations while relying on PowerShell scripts for fileless execution.

sLoad v2.0 still works as a malware downloader for other criminal groups, the Microsoft official said. But there is one thing the threat actors have changed: instead of the VB scripts used during the infection process, the new version uses WSF scripts.

Microsoft's new report on sLoad should help other vendors detect the activity of the new version.
