In a security report last month, Microsoft exposed the sLoad (Starsload) malware campaign that abuses the BITS component in Windows for malicious activities. But the malware operators quickly launched an upgraded sLoad 2.0 this month.
Even though the new sLoad version hasn’t changed much, the fact that its authors shipped a new version less than a month after being exposed is concerning.
How does sLoad malware work?
sLoad (Starsload) is essentially a “malware downloader” or “malware dropper.” It infects Windows PCs with the intent of gathering information from the infected systems. The stolen information is sent to a command and control (C&C) server, after which the malware receives instructions to download and install a second malware payload.
In short, sLoad is a delivery mechanism for more dangerous malware strains. It also helps the sLoad operators make money by offering pay-per-install space to other malware campaigns.
sLoad exploits Windows BITS
Even though malware downloaders are common and usually not a major concern, Microsoft says sLoad stands out owing to its level of sophistication and its use of non-standard attack techniques. The most concerning of these is its use of Windows BITS.
Background Intelligent Transfer Service (BITS) is the Windows component through which Microsoft delivers updates to Windows users worldwide. The BITS service can detect when the user is not using the network connection, and it uses that idle time to download Windows updates.
However, the BITS service can also be used by apps other than the Windows Update process. Various apps use BITS to schedule tasks and network operations for when the PC’s network connection becomes idle.
sLoad is one of the few malware strains whose entire host-to-server communication relies on the Windows BITS service of the infected host.
Starsload malware can set up BITS scheduled tasks that run at regular intervals. It uses these tasks to communicate with its C&C server, download other malware payloads, and even send data from an infected host back to the server.
Apart from leveraging BITS for communications, sLoad also relies on the PowerShell scripting language for its “fileless execution” mode, in which the malware runs entirely in RAM without touching the disk.
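Because sLoad’s C&C traffic, payload downloads and data uploads all ride on BITS jobs, a defender’s first check is to enumerate the jobs present on a host and flag the traits described above. The script below is an added example, not code from the article or from Microsoft; it runs in an elevated PowerShell session, and the allow-list of trusted hosts is an assumption you should adapt to your own environment.

```powershell
# Added example: list BITS jobs for all users and flag traits consistent with
# sLoad-style abuse (non-Microsoft remote hosts, upload jobs, a notify command).
Import-Module BitsTransfer

# Assumed allow-list of first-party update hosts; extend it for your environment.
$trustedHostSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com')

function Test-TrustedHost {
    param([string]$HostName)
    foreach ($suffix in $trustedHostSuffixes) {
        if ($HostName -eq $suffix -or $HostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

# -AllUsers requires an elevated session; it includes jobs owned by SYSTEM and other accounts.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = @()
    # sLoad uses BITS to send collected data back, so anything other than a plain download is notable.
    if ($job.TransferType -ne 'Download') { $reasons += "TransferType=$($job.TransferType)" }
    # A command line run on job completion is a common way to chain the next stage.
    if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine=$($job.NotifyCmdLine -join ' ')" }
    foreach ($file in $job.FileList) {
        try   { $remoteHost = ([Uri]$file.RemoteName).Host }
        catch { $remoteHost = $file.RemoteName }   # keep the raw value if it is not a well-formed URL
        if (-not (Test-TrustedHost $remoteHost)) { $reasons += "RemoteHost=$remoteHost" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            JobId   = $job.JobId
            Owner   = $job.OwnerAccount
            Name    = $job.DisplayName
            State   = $job.JobState
            Created = $job.CreationTime
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Completed jobs disappear from this live list, so for history pair it with the Microsoft-Windows-Bits-Client/Operational event log, where events 59 and 60 record the URL each job started and finished transferring.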
Slight changes in operation
Sujit Magar, a malware analyst at Microsoft Defender ATP Research Team, says that there aren’t many changes in sLoad 2.0 malware.
The new additions are the use of WSF scripts instead of VB scripts during the infection process, a mechanism to check whether malware analysts are analyzing the code, and the rollout of a system that tracks the stages of an sLoad infection.