A new PowerShell downloader dubbed sLoad is making the rounds, sporting impressive reconnaissance tactics and a penchant for geofencing, which indicate increasing sophistication when it comes to targeting efforts.
First spotted in May 2018, sLoad typically delivers the Ramnit banking trojan (but has been seen fetching Gootkit, DarkVNC, Ursnif and PsiXBot as well). The notable aspect is the lengths to which it will go to learn about a target before delivering its payload.
According to a Proofpoint analysis, the malware gathers information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. It will also take screenshots of the target machine.
“This is another chapter in the story we’ve seen emerging over the last few months,” Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. “Threat actors continue to adopt new, stealthy loaders with rich reconnaissance features. By using loaders that can also assess infected systems, actors can select their targets wisely and improve the quality of infected hosts, eliminating some of the noise associated with the ‘spray-and-pray’ campaigns we came to associate with the large-scale ransomware and banker attacks of the last few years.”
Proofpoint traced the malware back to a known threat actor, which it has tracked since early 2017.
“This particular loader is being used by an actor we refer to internally as TA554,” Dawson said. “They typically target Canada, the UK and Italy with various banking trojans. They have been using sLoad specifically with the Ramnit banking Trojan in recent campaigns.”
TA554 attacks via crafted emails written in the targeted country’s language; these are often personalized to include the recipient’s name and address in various parts of the email, such as the body and the subject line.
“TA554 frequently uses package delivery or order notification lures; the emails contain URLs linking to zipped LNK files or zipped documents,” Proofpoint analysts said in a posting Tuesday on sLoad. “The LNK file or document macros in turn download the next stage — typically a PowerShell script which may download the final payload or another downloader such as sLoad.”
Interestingly, the adversaries use geofencing (restricting access to content based on the user’s location, as determined from the source IP address) at all steps of the infection chain, including the download of the dropper, the PowerShell download of sLoad, sLoad’s communications with its command-and-control (C2) server, and the receipt of a task or command.
“Banking trojans, by their nature, require a degree of geotargeting since they must be configured with webinjects for local banks,” Dawson explained. “Geofencing helps ensure that infected systems are within the regions targeted by the banking trojans based on the IP address of the infected system – in this case, the banker is Ramnit.”
As part of these efforts, sLoad will check browsing histories to see if the victim visited specific, targeted banks. sLoad contains a hardcoded array of banking keywords and host names, and reports any matches found on the machine to the C2.
Dawson added, “In addition to the geofencing that occurs throughout the infection chain, we also found that sLoad examined the DNS cache of infected machines, looking for evidence that the machines had been used to access online banking sites with webinjects configured in the final Ramnit payload.”
[Figure 11, from the Proofpoint analysis: sLoad searching for files with the .ICA extension, starting in the “C:\users” folder. Proofpoint assumes these are most likely Citrix-related, since that format is used by Citrix application servers as a configuration file and the script’s variable is named “$cit”.]
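The reconnaissance tells described above (process listing, the Outlook check, the .ICA file search, DNS-cache inspection for banking hosts, and screenshots) are individually routine but unusual in combination, which makes them a useful triage heuristic over PowerShell script-block logs. The following is an added example, not code from Proofpoint or the article; the cmdlet and API names it matches on, and the sample log records, are assumptions about how such a script would typically look, since the article does not print sLoad’s source.

```python
import re

# Reconnaissance behaviours the article attributes to sLoad, mapped to
# regexes for the PowerShell/CLI idioms that commonly implement them.
# The cmdlet and API names are assumptions, not quotes from sLoad.
RECON_PATTERNS = {
    "process_list": re.compile(r"\bGet-Process\b|\btasklist\b", re.I),
    "dns_cache": re.compile(r"\bGet-DnsClientCache\b|/displaydns\b", re.I),
    "citrix_ica": re.compile(r"\.ica\b", re.I),
    "outlook_check": re.compile(r"\boutlook\b", re.I),
    "screenshot": re.compile(r"\bCopyFromScreen\b", re.I),
}

# One script block touching this many categories is worth an analyst's
# attention; any single category alone is ordinary administration.
ALERT_THRESHOLD = 3

def recon_categories(script_text):
    """Return the set of recon categories present in one script block."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(script_text)}

def triage(events):
    """events: iterable of (record_id, script_text).
    Returns (record_id, sorted categories) for blocks at or over threshold."""
    alerts = []
    for record_id, text in events:
        cats = recon_categories(text)
        if len(cats) >= ALERT_THRESHOLD:
            alerts.append((record_id, sorted(cats)))
    return alerts

# Constructed sample ScriptBlock-logging records (event ID 4104 style),
# reduced to (record id, script text). Record 1002 imitates the combined
# reconnaissance tells; 1001 and 1003 are ordinary admin/user activity.
SAMPLE_EVENTS = [
    ("1001", "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
    ("1002", "$p = Get-Process | % { $_.Name }; "
             "$cit = Get-ChildItem C:\\users -Recurse -Include *.ica; "
             "$dns = ipconfig /displaydns; "
             "$ol = Test-Path 'C:\\PLACEHOLDER_OFFICE_PATH\\OUTLOOK.EXE'; "
             "$g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"),
    ("1003", "Get-ChildItem $env:USERPROFILE\\Downloads -Include *.ica -Recurse"),
]

if __name__ == "__main__":
    for record_id, cats in triage(SAMPLE_EVENTS):
        print(f"ALERT record {record_id}: {', '.join(cats)}")
```

Tuning the threshold down to 2 trades fewer missed variants for more noise from legitimate Citrix or help-desk scripts, so review the false-positive rate on your own script-block logs before deploying.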
Proofpoint said that since May, there have been multiple different versions of sLoad, which introduced incremental changes. For instance, on Oct. 22, the actor added a victim-facing landing at the zipped-LNK download step — so that the initial .LNK file was downloading sLoad directly without the additional intermediate PowerShell.
“sLoad, like other downloaders we have profiled recently, fingerprints infected systems, allowing threat actors to better choose targets of interest for the payloads of their choice,” the research team said in its post. “In this case, that final payload is generally a banking trojan via which the actors can not only steal additional data but perform man-in-the-browser attacks on infected individuals. Downloaders, though, like sLoad, Marap and others, provide high degrees of flexibility to threat actors, whether avoiding vendor sandboxes, delivering ransomware to a system that appears mission critical, or delivering a banking trojan to systems with the most likely return.”