sLoad launches version 2.0, Starslord
<blockquote data-quote="Bot" data-source="post: 854993" data-attributes="member: 52014">
<p>sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Background Intelligent Transfer Service (BITS) for malicious activities, has launched version 2.0. The new version comes on the heels of a <a href="https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/" target="_blank">comprehensive blog</a> we published detailing the malware’s multi-stage nature and use of BITS as an alternative protocol for data exfiltration and other behaviors.</p>
<p>With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.</p>
<p>We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name “sLoad” may have been derived from a popular comic book superhero.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/01/1-sLoad-2-Starslord-malware-code.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and the upload of screenshots.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/01/2-sLoad-2-Starslord-attack-chain.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="font-size: 18px"><strong>Tracking the stage of infection</strong></span></p>
<p>With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.</p>
<p>The tracking mechanism exists in the final stage, which, as with the old version, loops infinitely (with a sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.</p>
<p>As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.</p>
<p>The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):</p>
<ul>
<li data-xf-list-type="ul">Value #1 is a URL to download additional payload using a download BITS job</li>
<li data-xf-list-type="ul">Value #2 specifies the action, which can be any of the following, to be taken on the payload downloaded from the URL in value #1:
<ul>
<li data-xf-list-type="ul">“eval” – Run (possibly very large) PowerShell scripts</li>
<li data-xf-list-type="ul">“iex” – Load and invoke (possibly small) PowerShell code</li>
<li data-xf-list-type="ul">“run” – Download encoded PE file, decode using <em>exe</em>, and run the decoded executable</li>
</ul></li>
<li data-xf-list-type="ul">Value #3 is an integer that can signify the stage of infection for the machine</li>
</ul>
<p>Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.</p>
<p>Value #3 is the most noteworthy component in this setup. If the final stage succeeds in downloading additional payload using the URL provided in value #1 and executing it as specified by the command in value #2, then a variable is used to form the string <em>“td”:”&lt;value #3&gt;”,”tds”:”3”</em>. However, if the final stage fails to download and execute the payload, then the string formed is <em>“td”:”&lt;value #3&gt;”,”tds”:”4”</em>.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/01/3-sLoad-2-Starslord-infinite-loop.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure can then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes the said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for value #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for different groups.</p>
<p><span style="font-size: 18px"><strong>Anti-analysis trap</strong></span></p>
<p>Starslord comes built in with a function named <em>checkUniverse</em>, which is in fact an anti-analysis trap.</p>
<p>As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.</p>
<p>The sLoad dropper PowerShell script drops four files:</p>
<ul>
<li data-xf-list-type="ul">a randomly named .tmp file</li>
<li data-xf-list-type="ul">a randomly named .ps1 file</li>
<li data-xf-list-type="ul">a <em>main.ini</em> file</li>
<li data-xf-list-type="ul">a <em>domain.ini</em> file</li>
</ul>
<p>It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of <em>main.ini</em> into the final stage. The final stage then decrypts the contents of <em>domain.ini</em> to obtain the active C2 and perform other activities as documented.</p>
<p>As a unique anti-analysis trap, Starslord ensures that the .tmp and .ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such a differently named file on the disk, a function named <em>checkUniverse</em> returns the value 1, and the analyst gets trapped:</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/01/4-sLoad-2-Starslord-anti-analysis-trap.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>What comes next is not very desirable for a security researcher: being profiled by the malware operator.</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/01/5-sLoad-2-Starslord-profile.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:</p>
<p style="margin-left: 20px"><em>hxxps://&lt;active C2&gt;/doc/updx2401.jpg*eval*-1</em></p>
<p>In this case, value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated, as the URL in value #1 of the tuple suggests (<em>hxxps://&lt;active C2&gt;/doc/updx2401.jpg</em>).</p>
<p>However, the string that is included in all successive exfiltration BITS jobs from such a host is <em>“td”:”-1”,”tds”:”3”</em>, eventually leading to all such hosts getting grouped under the value <em>“td”:”-1”</em>. This forms the group of all trapped machines that are never delivered a payload. For the rest, so far, evidence suggests that it has been delivering the file infector Ramnit intermittently.</p>
<p><span style="font-size: 18px"><strong>Durable protection against evolving malware</strong></span></p>
<p>sLoad’s multi-stage attack chain, use of mutated intermediate scripts and BITS as an alternative protocol, and its polymorphic nature in general make it a piece of malware that can be quite tricky to detect. Now, it has evolved into a new and polished version, Starslord, which retains sLoad’s most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk.</p>
<p>Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called <em>checkUniverse</em> to determine if a host is an analyst machine.</p>
<p><a href="https://www.microsoft.com/en-us/security/technology/threat-protection" target="_blank">Microsoft Threat Protection</a> defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.</p>
<p>On endpoints, <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/" target="_blank">behavioral blocking and containment capabilities</a> in Microsoft Defender Advanced Threat Protection (<a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender ATP</a>) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real time.</p>
<p><strong><em>Sujit Magar</em></strong></p>
<p><em>Microsoft Defender ATP Research Team</em></p>
<p>The post <a href="https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/" target="_blank">sLoad launches version 2.0, Starslord</a> appeared first on <a href="https://www.microsoft.com/security/blog/" target="_blank">Microsoft Security</a>.</p>
</blockquote>
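Two parts of the quoted write-up lend themselves to analyst-side tooling: the three-value `URL*action*stage` tuple the final stage receives (with the `"td"`/`"tds"` beacon a host sends back), and the Base64-encoded system information carried in a BITS RemoteURL. The Python below is an added example written for this thread, not code from the Microsoft post, the Defender ATP team or the malware. It assumes a constructed log format with a `RemoteURL=` field, uses `.example.invalid` hostnames and a made-up system-information string, and encodes only what the post states about the beacon: `tds` 3 means the payload was downloaded and executed, 4 means it failed, and stage `-1` is the group of trapped analyst hosts.

```python
"""Analyst-side helpers for the Starslord (sLoad 2.0) behaviours described in
the post: the C2 response tuple and its td/tds stage beacon, plus triage of
Base64-laden BITS RemoteURLs.  Added example; not code from the Microsoft post
or from the malware.  All sample inputs below are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_ACTIONS = {"eval", "iex", "run"}   # value #2 options listed in the post
TRAPPED_STAGE = -1                       # value #3 the backend gives trapped analyst hosts

# Map the curly quotes used in the post's text to ASCII so one parser handles
# copy-pasted report text and raw captured bytes alike.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})


@dataclass
class C2Response:
    url: str     # value #1: where the next payload is fetched (BITS download job)
    action: str  # value #2: eval / iex / run
    stage: int   # value #3: operator-assigned infection stage

    @property
    def trapped(self) -> bool:
        """Stage -1 is the group the post reports for trapped analyst hosts."""
        return self.stage == TRAPPED_STAGE


def parse_c2_response(body: str) -> C2Response:
    """Split the asterisk-separated tuple the final stage receives from the C2."""
    parts = [p.strip() for p in body.strip().split("*")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 '*'-separated fields, got {len(parts)}")
    url, action, stage = parts
    if action.lower() not in KNOWN_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return C2Response(url=url, action=action.lower(), stage=int(stage))


_BEACON_RE = re.compile(r'"td":"(-?\d+)","tds":"([34])"')


def parse_beacon(text: str) -> Optional[Tuple[int, str]]:
    """Recover (stage, outcome) from the td/tds fragment a host reports back.
    Per the post, tds 3 = payload downloaded and executed, tds 4 = it failed."""
    m = _BEACON_RE.search(text.translate(_QUOTES))
    if m is None:
        return None
    return int(m.group(1)), ("executed" if m.group(2) == "3" else "failed")


# --- BITS RemoteURL triage ---------------------------------------------------
# v1 put raw system info in an oversized RemoteURL; Starslord Base64-encodes it
# first.  Both leave the same tell: a long run of Base64-alphabet characters
# that decodes to readable text, which an ordinary download URL does not carry.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
_URL_FIELD = re.compile(r"RemoteURL=(\S+)")  # field name assumed for the constructed log format


def decode_b64_runs(url: str) -> List[str]:
    """Return every Base64 run in the URL that decodes to mostly printable text."""
    found = []
    for m in _B64_RUN.finditer(url):
        core = m.group(0).rstrip("=")
        core += "=" * (-len(core) % 4)            # restore any stripped padding
        try:
            raw = base64.b64decode(core, validate=True)
        except ValueError:                         # binascii.Error is a ValueError
            continue
        if raw and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9:
            found.append(raw.decode("ascii", errors="replace"))
    return found


def triage_bits_url(url: str, max_len: int = 256) -> List[str]:
    """Reasons a RemoteURL looks like an exfiltration channel rather than a download."""
    reasons = []
    if len(url) > max_len:
        reasons.append(f"RemoteURL length {len(url)} exceeds {max_len}")
    for text in decode_b64_runs(url):
        reasons.append(f"Base64 segment decodes to text: {text[:60]!r}")
    return reasons


def scan_bits_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every log line whose RemoteURL is suspicious."""
    hits = []
    for i, line in enumerate(lines):
        m = _URL_FIELD.search(line)
        if m and (reasons := triage_bits_url(m.group(1))):
            hits.append((i, reasons))
    return hits


# Constructed sample data (not captured from a real host or C2).
SAMPLE_SYSINFO = "host=WS-FINANCE-07;user=jdoe;domain=CORP;av=Defender"
SAMPLE_EXFIL_URL = ("https://c2.example.invalid/t.php?d="
                    + base64.b64encode(SAMPLE_SYSINFO.encode()).decode())
SAMPLE_LOG = [
    "2020-01-15T08:00:01Z BITS job created RemoteURL=https://download.example.invalid/update/kb12345.cab",
    "2020-01-15T08:40:02Z BITS job created RemoteURL=" + SAMPLE_EXFIL_URL,
]

if __name__ == "__main__":
    trap = parse_c2_response("hxxps://<active C2>/doc/updx2401.jpg*eval*-1")
    print(f"tuple -> {trap}, trapped={trap.trapped}")
    print("beacon ->", parse_beacon("\u201ctd\u201d:\u201d-1\u201d,\u201dtds\u201d:\u201d3\u201d"))
    for idx, reasons in scan_bits_log(SAMPLE_LOG):
        print(f"line {idx}: {'; '.join(reasons)}")
```

The two URL checks are deliberately independent: the length threshold is what caught the version 1 RemoteURLs the post calls easy to detect, while decoding Base64 runs and testing for readable text is what still fires once the system information is encoded, so the same rule covers both versions. On captured beacons, `parse_beacon` is the quick way to tell from a host's own exfiltration URL whether the backend has already placed it in the `-1` group the post associates with trapped analysis machines.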