Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities
<blockquote data-quote="Bot" data-source="post: 848816" data-attributes="member: 52014"><p>Many of today’s threats evolve to incorporate as many <a href="https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/" target="_blank">living-off-the-land</a> techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.</p>
<p>Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides the ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. Recent sophisticated malware campaigns like <a href="https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/" target="_blank">Astaroth</a> have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs.</p>
<p>sLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn’t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads.</p>
<p>Once sLoad has infiltrated a machine, it can allow attackers to do further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. sLoad uses scheduled tasks, which run the malware every three minutes, opening the window of opportunity for further compromise—hence raising the risk for the affected machine—every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines.</p>
<p>While several malware campaigns have leveraged BITS, sLoad’s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. Cloud-based machine learning-driven <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/" target="_blank">behavioral blocking and containment</a> capabilities in <a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender Advanced Threat Protection</a> detect and block sLoad’s activities as Behavior:Win32/sLoad.A.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-attack-chain.png" alt="sLoad attack chain" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>In this blog we’ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques.</p>
<p><span style="font-size: 18px"><strong>Stealthy installation via multiple cascaded scripts</strong></span></p>
<p>sLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed.</p>
<p>Over time, we’ve seen some variations of this technique. One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extract and run the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a BITS download job to download either the sLoad script and the C2 URL file or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself.</p>
<p>In the most recent attacks, for the first stage, sLoad shifted from using a PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named <em>rr.ps1</em>. This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself.</p>
<p>In most variations of the installation, the sLoad dropper script is the last intermediate stage. It performs the following actions and eventually decrypts and runs the final sLoad script:</p>
<ol>
<li data-xf-list-type="ol">Creates an installation folder in the <em>%APPDATA%</em> folder named after the first 6 characters of the Win32 Product UUID. <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-1.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li>
<li data-xf-list-type="ol">Drops an infection marker file named <em>_in</em> and, during successive executions, uses the <em>LastWriteTime</em> of this file to check whether the malware was installed within the last 30 mins, in which case it terminates. <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-2.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li>
<li data-xf-list-type="ol">Drops the encrypted sLoad script and the C2 URL file as <em>config.ini</em> and <em>web.ini</em>, respectively. <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-3.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li>
<li data-xf-list-type="ol">Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-4.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li>
<li data-xf-list-type="ol">Uses <em>schtasks.exe</em> to create a scheduled task named <em>AppRunLog</em> to run the randomly named VBScript from the previous step with the decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 mins. <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-5.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li>
</ol>
<p>The dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped <em>config.ini</em> in memory into another piece of PowerShell code, which it then runs. This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity.</p>
<p><span style="font-size: 18px"><strong>BITS abuse</strong></span></p>
<p>The sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities:</p>
<p><span style="font-size: 15px"><strong>Finding an active C2 server</strong></span></p>
<p>The malware decrypts the contents of the previously dropped <em>web.ini</em> into a set of 2 URLs and creates BITS download jobs to test the connection to these URLs. It then saves the URL that responds; the response takes the form of a file containing the message “sok”, downloaded as part of the created BITS job. This ensures that the handshake is complete.</p>
<p>If none responds, the script appends the number “1” to the domain names in both URLs, saves the encrypted data back to the <em>web.ini</em> file, and exits. As a result, the next time the scheduled job runs, the script uses the modified <em>web.ini</em> to obtain the modified URLs to attempt connecting to an active C2. With each unsuccessful attempt to connect to the C2s, the number appended to the domain names is increased by 1 until it reaches 50, at which time it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2, in case the primary C2 is blocked.</p>
<p>This prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It’s also interesting to see how the URLs used to reach the C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-6.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 15px"><strong>Fetching a new list of C2s</strong></span></p>
<p>For continued exfiltration of information, it’s important to maintain contact with an active C2. As the malicious domains cannot stay up and running for a long time, the malware packs functionality to refresh the list of C2s every time the scheduled task runs. Using a BITS download job, the malware downloads a new copy of <em>web.ini</em> from the active C2 to provision a new set of C2s for future use.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-7.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 15px"><strong>Exfiltrating system information</strong></span></p>
<p>Once an active C2 is identified, the malware starts collecting system information by performing the following:</p>
<ul>
<li data-xf-list-type="ul">saves the output of the “net view” command</li>
<li data-xf-list-type="ul">enumerates network drives and saves the provider names and device IDs</li>
<li data-xf-list-type="ul">produces the list of all running processes</li>
<li data-xf-list-type="ul">obtains the OS caption</li>
<li data-xf-list-type="ul">looks for the Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information</li>
</ul>
<p>It then creates a BITS download job with the <em>RemoteURL</em> built using the URL of the active C2 and the system information collected up to this point.</p>
<p>Crafting URLs infused with stolen info is not a novel attacker technique. In addition, creating a BITS job with an extremely large <em>RemoteURL</em> parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-8.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-9.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-10.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-11.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-12.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 15px"><strong>Deploying additional payloads</strong></span></p>
<p>Because the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2.</p>
<p>It sleeps and waits for the file to be downloaded. If the downloaded file instructs it to download and invoke additional PowerShell code, the supplied URL is used for that task. If not, then the URL is assumed to point to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of the newly downloaded encoded file, and uses another Windows utility, <em>certutil.exe</em>, to decode it into a portable executable (PE) file with the .exe extension. Finally, it uses <em>PowerShell.exe</em> to run the decoded PE payload. One more BITS download job is created to download additional files.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-13.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 15px"><strong>Spying</strong></span></p>
<p>The malware comes built with one of the most notorious spyware features: uploading screenshots. At several stages during the installation, as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-14.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-15.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 18px"><strong>Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats</strong></span></p>
<p>sLoad is just one example of the increasingly prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it’s a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad’s behavior can be classified as a <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats#type-iii-files-required-to-operate" target="_blank">Type III fileless technique</a>: while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.</p>
<p>To defeat multi-stage, stealthy, and persistent threats like sLoad, <a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender ATP</a>’s antivirus component uses <a href="https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/" target="_blank">multiple next-generation protection engines</a> on the client and in the cloud. While most threats are identified and stopped by many of these engines, <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/" target="_blank">behavioral blocking and containment</a> capabilities detect malicious behaviors and block threats after they have started running:</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/BM-300x253.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /> <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/CmdHstr-300x253.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /> <img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/Aggr-300x253.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>These detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP’s other capabilities like endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.</p>
<p>As part of <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/" target="_blank">Microsoft Threat Protection</a>, Microsoft Defender ATP shares security signals about this threat with other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP’s intelligence on the emails that carry sLoad is shared with and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft’s security services gives Microsoft Threat Protection unparalleled visibility across attack vectors and the unique ability to provide comprehensive protection for identities, endpoints, data, cloud apps, and infrastructure.</p>
<p><strong><em>Sujit Magar</em></strong></p>
<p><em>Microsoft Defender ATP Research Team</em></p>
<p><span style="font-size: 15px"><strong>Talk to us</strong></span></p>
<p>Questions, concerns, or insights on this story? Join discussions at the <a href="https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/bg-p/MicrosoftDefenderATPBlog" target="_blank">Microsoft Defender ATP community</a>.</p>
<p>Read all <a href="https://www.microsoft.com/security/blog/microsoft-security-intelligence/" target="_blank">Microsoft security intelligence blog posts</a>.</p>
<p>Follow us on Twitter <a href="https://twitter.com/MsftSecIntel" target="_blank"><strong>@MsftSecIntel</strong></a>.</p>
<p>The post <a href="https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/" target="_blank">Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities</a> appeared first on <a href="https://www.microsoft.com/security/blog/" target="_blank">Microsoft Security</a>.</p></blockquote>
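Two parts of the post above lend themselves to defensive code: the numbered-fallback C2 rotation (a counter appended to both domain names, 1 to 50 and then wrapping) and the oversized download-job RemoteURL that carries plaintext system information. The Python below is an added example written for this page, not Microsoft's or the malware's code; the C2 URLs, the BITS-Client Event ID 59 message shape and the choice of host label the counter is appended to are assumptions, and every log line is constructed.

```python
"""Detection helpers for the sLoad BITS tradecraft described above (added example code)."""
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-ins for the two C2 URLs sLoad keeps in web.ini; the real ones are not
# on the page. Paths are styled like CAPTCHA checks, as the post notes.
BASE_C2_URLS = [
    "https://captcha-check.example/verify.php",
    "https://human-verify.example/captcha.php",
]

def next_fallback_counter(current: int) -> int:
    """Counter the malware appends after a failed handshake: 1..50, then wraps to 1."""
    return 1 if current >= 50 else current + 1

def with_domain_suffix(url: str, counter: int) -> str:
    """Append the counter to the host's first label. Assumption: the post only says the
    number is appended to the domain name, not to which label; adjust if samples differ."""
    parts = urlsplit(url)
    first, sep, rest = parts.netloc.partition(".")
    first = re.sub(r"\d+$", "", first)  # replace an earlier counter rather than stacking them
    return parts._replace(netloc=f"{first}{counter}{sep}{rest}").geturl()

def fallback_c2_urls(base_urls, max_suffix: int = 50):
    """Every host the malware can rotate to. Block or alert on the whole family, since
    blocking only the primary C2 just moves the implant on to the next counter."""
    return [with_domain_suffix(u, n) for u in base_urls for n in range(1, max_suffix + 1)]

# Markers of the plaintext system information sLoad packs into the RemoteURL of a
# *download* job: "net view" output (UNC names), the process list and the OS caption.
OS_CAPTION = re.compile(r"Microsoft Windows (?:\d+|Server)", re.I)
UNC_NAME = re.compile(r"\\\\[\w.-]+")
EXE_NAME = re.compile(r"\b[\w.-]+\.exe\b", re.I)
NUMBERED_HOST = re.compile(r"^[a-z0-9-]*?[a-z-](\d{1,2})\.", re.I)  # e.g. captcha-check17.example
LONG_URL = 1024  # bytes; what counts as an "extremely large" RemoteURL is this example's choice

def score_bits_url(url: str):
    """Score one BITS RemoteURL; returns (score, reasons), one point per reason."""
    decoded = unquote(url)
    host = urlsplit(url).netloc.lower()
    reasons = []
    if len(url) > LONG_URL:
        reasons.append(f"remote url is {len(url)} bytes")
    if len(EXE_NAME.findall(decoded)) >= 5:
        reasons.append("process list in url")
    if OS_CAPTION.search(decoded):
        reasons.append("os caption in url")
    if UNC_NAME.search(decoded):
        reasons.append("net view output in url")
    m = NUMBERED_HOST.match(host)
    if m and 1 <= int(m.group(1)) <= 50:
        reasons.append("numbered fallback host")
    return len(reasons), reasons

# Assumed message shape of Microsoft-Windows-Bits-Client/Operational Event ID 59; confirm
# against a real event before deploying.
EVENT59 = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL"
)

def constructed_exfil_url(base: str = BASE_C2_URLS[0]) -> str:
    """Constructed RemoteURL in the shape the post describes (active C2 URL plus collected
    system information), so the detector has something realistic to score."""
    procs = ",".join(f"proc{i}.exe" for i in range(100))
    netview = "\\\\FILESRV01 \\\\PRINTSRV02"
    info = f"os=Microsoft Windows 10 Pro&proc={procs}&nv={netview}&ica=1&outlook=1"
    return f"{with_domain_suffix(base, 3)}?{quote(info, safe='=&')}"

# Constructed log lines: one ordinary download job and one sLoad-style exfiltration job.
SAMPLE_LOG = [
    "BITS started the Update Client transfer job that is associated with the "
    "http://dl.example.test/update.cab URL.",
    f"BITS started the 5f2c transfer job that is associated with the {constructed_exfil_url()} URL.",
]

def scan_bits_log(lines, threshold: int = 3):
    """Return (job, score, reasons) for each job-creation line scoring at or above threshold."""
    hits = []
    for line in lines:
        m = EVENT59.search(line)
        if not m:
            continue
        score, reasons = score_bits_url(m.group("url"))
        if score >= threshold:
            hits.append((m.group("job"), score, reasons))
    return hits

if __name__ == "__main__":
    for job, score, reasons in scan_bits_log(SAMPLE_LOG):
        print(f"job {job!r} scored {score}: {', '.join(reasons)}")
    print(len(fallback_c2_urls(BASE_C2_URLS)), "fallback C2 hosts to block")
```

The numbered-host signal is weak on its own, which is why the scan requires three independent reasons before it reports a job.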
[QUOTE="Bot, post: 848816, member: 52014"] Many of today’s threats evolve to incorporate as many [URL='https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/']living-off-the-land[/URL] techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS. Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. Recent sophisticated malware campaigns like [URL='https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/']Astaroth[/URL] have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs. sLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn’t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads. Once sLoad has infiltrated a machine, it can allow attackers to do further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. 
sLoad uses scheduled tasks, which runs the malware every three minutes, opening the window of opportunity for further compromise—hence raising the risk for the affected machine—every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines. While several malware campaigns have leveraged BITS, sLoad’s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. Cloud-based machine learning-driven [URL='https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/']behavioral blocking and containment[/URL] capabilities in [URL='https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp']Microsoft Defender Advanced Threat Protection[/URL] detect and block sLoad’s activities as Behavior:Win32/sLoad.A. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-attack-chain.png[/IMG] In this blog we’ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques. [SIZE=5][B]Stealthy installation via multiple cascaded scripts[/B][/SIZE] sLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: the cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed. Over time, we’ve seen some variations of this technique. 
One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extracts and runs the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a download BITS job to download either the sLoad script and the C2 URL file or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself. In the most recent attacks, for the first stage, sLoad shifted from using PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named [I]rr.ps1[/I]. This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself. In most variations of the installation, the sLoad dropper script is the last intermediate stage that performs the following actions, and eventually decrypts and runs the final sLoad script: [LIST=1] [*]Creates an installation folder in the [I]%APPDATA%[/I] folder named after the first 6 characters of the Win32 Product UUID. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-1.png[/IMG] [*]Drops an infection marker file named[I] _in[/I], and during the successive executions, uses the [I]LastWriteTime[/I] on this file to check whether the malware is installed within last 30 mins, in which case, it terminates. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-2.png[/IMG] [*]Drops the encrypted sLoad script and the C2 URL file as [I]config.ini[/I] and [I]web.ini[/I], respectively. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-3.png[/IMG] [*]Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. 
[IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-4.png[/IMG] [*]Uses [I]schtasks.exe[/I] to create a scheduled task named [I]AppRunLog[/I] to run the randomly named VBScript from the previous step with decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 mins. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-5.png[/IMG] [/LIST] The dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped [I]config.ini[/I] in the memory into another piece of PowerShell code, which it then runs. This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity. [SIZE=5][B]BITS abuse[/B][/SIZE] The sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities: [SIZE=4][B]Finding an active C2 server[/B][/SIZE] The malware decrypts the contents of previously dropped [I]web.ini[/I] into a set of 2 URLs and creates a BITS download jobs to test the connection to these URLs. It then saves the URL that responds in the form of a file that contains a message “sok”, being downloaded as part of created BITS job. This ensures that the handshake is complete. If none responds, the script appends the number “1” to the domain names in both URLs, saves the encrypted data back to the [I]web.ini[/I] file, and exits from the script. As a result, the next time the scheduled job runs, the script uses the modified [I]web.ini[/I] to obtain the modified URLs to attempt connecting to an active C2. 
With each unsuccessful attempt of connecting with C2s, the number appended to the domain names is increased by increments of 1 until it reaches 50, at which time it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2, in case the primary C2 is blocked. This prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It’s also interesting to see how the URLs used to reach C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-6.png[/IMG] [SIZE=4][B]Fetching a new list of C2s[/B][/SIZE] For continued exfiltration of information, it’s important to maintain contact with an active C2. As the malicious domains cannot stay up running for a long time, the malware packs a functionality to refresh the list of C2 every time the scheduled task runs. Using a BITS download job, the malware downloads a new copy of web.ini from the active C2 to provisions a new set of C2s for future use. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-7.png[/IMG] [SIZE=4][B]Exfiltrating system information[/B][/SIZE] Once an active C2 is identified, the malware starts collecting system information by performing the following: [LIST] [*]saves the output of “net view” command [*]enumerates network drives and saves the provider names and device ids [*]produces the list of all running processes [*]obtains the OS caption [*]looks for Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information [/LIST] It then creates a BITS download job with the [I]RemoteURL[/I] built using the URL for active C2 and the system information collected up this point. Crafting URLs infused with stolen info is not a novel attacker technique. 
In addition, creating a BITS job with an extremely large [I]RemoteURL[/I] parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-8.png[/IMG] [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-9.png[/IMG] [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-10.png[/IMG] [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-11.png[/IMG] [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-12.png[/IMG] [SIZE=4][B]Deploying additional payloads[/B][/SIZE] Because the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2. It sleeps and waits for the file to be downloaded. If the downloaded file instructs to download and invoke additional PowerShell codes, the supplied URL is used for the task. If not, then the URL is assumed to be pointing to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of this newly downloaded encoded file, and uses another Windows utility, [I]certutil.exe[/I], to decode it into a portable executable (PE) file with .exe extension. Finally, it uses [I]PowerShell.exe[/I] to run the decoded PE payload. One more BITS download job is created to download additional files. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-13.png[/IMG] [SIZE=4][B]Spying[/B][/SIZE] The malware comes built with one of the most notorious spyware features: uploading screenshots. 
At several stages during the installation as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-14.png[/IMG] [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/sLoad-BITS-15.png[/IMG] [SIZE=5][B]Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats[/B][/SIZE] sLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it’s a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad’s behavior can be classified as a [URL='https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats#type-iii-files-required-to-operate']Type III fileless technique[/URL]: while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines. To defeat multi-stage, stealthy, and persistent threats like sLoad, [URL='https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp']Microsoft Defender ATP[/URL]’s antivirus component uses [URL='https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/']multiple next-generation protection engines[/URL] on the client and in the cloud. 
While most threats are identified and stopped by these engines, [URL='https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/']behavioral blocking and containment[/URL] capabilities detect malicious behaviors and block threats after they have started running:

[IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/BM-300x253.png[/IMG]
[IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/CmdHstr-300x253.png[/IMG]
[IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/Aggr-300x253.png[/IMG]

These detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP's other capabilities, such as endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts, to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.

As part of [URL='https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/']Microsoft Threat Protection[/URL], Microsoft Defender ATP shares security signals about this threat with other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP's intelligence on the emails that carry sLoad is shared with and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft's security services gives Microsoft Threat Protection visibility across attack vectors and the ability to provide comprehensive protection across identities, endpoints, data, cloud apps, and infrastructure.
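The write-up describes three BITS behaviors a defender can hunt for on an endpoint: a download job whose [I]RemoteURL[/I] is padded with system information, an upload job used only to ship stolen screenshots, and a downloaded blob decoded with [I]certutil.exe[/I] before [I]PowerShell.exe[/I] runs it. The script below is an added example for this page, not Microsoft's code and not part of the sLoad analysis. It enumerates live BITS jobs for every user, then scans the BITS client operational log (event IDs 59 and 60, which record the job URL) and Security log 4688 events for certutil -decode. The 512-character URL threshold, the 200-character base64-like run, the script file name, and the 24-hour lookback are assumptions chosen here; 4688 events carry a command line only when process creation auditing with command-line logging is enabled, and the script needs an elevated session for -AllUsers and the Security log.

```powershell
<#
  Added hunting script for the sLoad BITS behaviors described above (example code,
  not Microsoft's). Assumptions: URL thresholds are heuristics chosen here; event IDs
  59/60 in Microsoft-Windows-Bits-Client/Operational include the job URL in the
  message; 4688 includes the command line only with command-line auditing enabled.
  Run from an elevated PowerShell session. Assumed file name: Find-SloadBits.ps1
#>
param(
    # Assumption: legitimate update URLs are far shorter than a RemoteURL that carries
    # an appended system-information blob.
    [int]$MaxUrlLength  = 512,
    [int]$LookbackHours = 24
)

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param([int]$MaxUrlLength = 512)

    Import-Module BitsTransfer -ErrorAction Stop
    # Only queued, running, suspended or errored jobs are still in the queue; finished
    # jobs disappear, so the event-log function below covers history.
    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
        $reasons = New-Object System.Collections.Generic.List[string]

        foreach ($file in $job.FileList) {
            $url = [string]$file.RemoteName
            if ($url.Length -gt $MaxUrlLength) {
                $reasons.Add("RemoteURL is $($url.Length) chars long (system info smuggled into a download job?)")
            }
            # Heuristic: a long base64-like run in the URL suggests encoded data, not a file path.
            if ($url -match '[A-Za-z0-9+/=]{200,}') {
                $reasons.Add('RemoteURL contains a long base64-like run')
            }
        }
        # sLoad uses upload jobs only to ship stolen screenshots; most fleets never create any.
        if ($job.TransferType -ne 'Download') {
            $reasons.Add("$($job.TransferType) job (screenshot exfiltration?)")
        }
        # A BITS job can run a program when it completes; that is BITS' own payload launcher.
        if (-not [string]::IsNullOrEmpty($job.NotifyCmdLine)) {
            $reasons.Add("NotifyCmdLine set: $($job.NotifyCmdLine)")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId        = $job.JobId
                DisplayName  = $job.DisplayName
                Owner        = $job.OwnerAccount
                TransferType = $job.TransferType
                State        = $job.JobState
                Created      = $job.CreationTime
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

function Get-SuspiciousBitsUrlFromEventLog {
    [CmdletBinding()]
    param([int]$MaxUrlLength = 512, [int]$LookbackHours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59, 60      # transfer started / transfer stopped; both name the URL
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($event.Message -match 'https?://\S+') {
            $url = $Matches[0]
            if ($url.Length -gt $MaxUrlLength -or $url -match '[A-Za-z0-9+/=]{200,}') {
                [pscustomobject]@{
                    TimeCreated = $event.TimeCreated
                    EventId     = $event.Id
                    UrlLength   = $url.Length
                    Url         = $url
                }
            }
        }
    }
}

function Get-CertutilDecodeEvent {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    # sLoad decodes the BITS-downloaded copy with certutil before PowerShell runs the .exe.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($event.Message -match '(?i)certutil(\.exe)?[^\r\n]*-decode[^\r\n]*') {
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                CommandLine = $Matches[0]
            }
        }
    }
}

# Usage (assumed file name): .\Find-SloadBits.ps1 -MaxUrlLength 512 -LookbackHours 24
Get-SuspiciousBitsJob -MaxUrlLength $MaxUrlLength | Format-List
Get-SuspiciousBitsUrlFromEventLog -MaxUrlLength $MaxUrlLength -LookbackHours $LookbackHours | Format-Table -AutoSize
Get-CertutilDecodeEvent -LookbackHours $LookbackHours | Format-Table -AutoSize
```

The live-queue check and the event-log check are kept separate on purpose: a job that has already transferred and been completed by the malware no longer shows up in [I]Get-BitsTransfer[/I], but its URL survives in the BITS client log, which is where the oversized download URLs described above are most likely to be found after the fact. Tune the thresholds against a sample of your own BITS traffic (Windows Update and browser downloads) before alerting on them.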
[B][I]Sujit Magar[/I][/B]
[I]Microsoft Defender ATP Research Team[/I]

[SIZE=4][B]Talk to us[/B][/SIZE]

Questions, concerns, or insights on this story? Join discussions at the [URL='https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/bg-p/MicrosoftDefenderATPBlog']Microsoft Defender ATP community[/URL]. Read all [URL='https://www.microsoft.com/security/blog/microsoft-security-intelligence/']Microsoft security intelligence blog posts[/URL]. Follow us on Twitter [URL='https://twitter.com/MsftSecIntel'][B]@MsftSecIntel[/B][/URL].

The post [URL='https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/']Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities[/URL] appeared first on [URL='https://www.microsoft.com/security/blog/']Microsoft Security[/URL]. [/QUOTE]