Pierluigi Paganini November 27, 2018

A new malspam campaign hit Italy in this days, threat actors are spreading a new variant of a powerful downloader named sLoad.

sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”.

“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.

“It is still not clear if these attack attempts may be originated by a any well established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163) .”

sLoad implements a broad range of capabilities including the ability to take screenshots, read the list of running process, exfiltrate DNS cache, exfiltrate outlook e-mail and other typical spyware functionalities.

As usual, it comes as a zip file attached to an e-mail, this file contains two elements:

1. A fake shortcut to directory (.lnk file);
2. Legitimate image flagged as hidden.

It is strange that the image is not used into the malware’s workflow, but the link file starts a complex infection chain, as shown in the following figure:

First of all, the .lnk file runs a first PowerShell activator, which searches a file named: “documento-aggiornato-novembre-*.zip”.

Then, if the .zip file exists, the PowerShell script extracts and runs a portion of a code present at the end of the same file. Once the PowerShell script has been extracted, it runs another Powershell script that acts as a subsequent dropper in the attack chain.

This ps code abuses the BitsTransfer windows functionality to download two important files: config.ini and web.ini that contains the final sLoad stage.

The malicious code gains persistence using a task defined into System Task Scheduler that runs a Visual Basic script.

At the end, when sLoad is started, it periodically takes screenshots, gathers system’s information and sends other data to the C2 .

Technical details, including IoCs and Yara Rules, about the sLoad malware are available on the Yoroi blog.

https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/

UPDATE 21 November 2018

The same threat was also analyzed by another Italian cybersecurity firm, Certego who published an interesting analysis of the threat on Friday. Technical details of Certego analysis are reported at the following link

http://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/

Pierluigi Paganini

(Security Affairs – malspam, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]