Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The SLoad Powershell malspam is expanding to Italy

A new malspam campaign hit Italy in this days, threat actors are spreading a new variant of a powerful downloader named sLoad. sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”. “In the past months CERT-Yoroi observed an emerging attack pattern targeting its […]

sLoad

A new malspam campaign hit Italy in this days, threat actors are spreading a new variant of a powerful downloader named sLoad.

sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”.

“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.

“It is still not clear if these attack attempts may be originated by a any well established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163) .”

sLoad implements a broad range of capabilities including the ability to take screenshots, read the list of running process, exfiltrate DNS cache, exfiltrate outlook e-mail and other typical spyware functionalities.

As usual, it comes as a zip file attached to an e-mail, this file contains two elements:

  1. A fake shortcut to directory (.lnk file);
  2. Legitimate image flagged as hidden.

It is strange that the image is not used into the malware’s workflow, but the link file starts a complex infection chain, as shown in the following figure:

sLoad

First of all, the .lnk file runs a first PowerShell activator, which searches a file named: “documento-aggiornato-novembre-*.zip”.

Then, if the .zip file exists, the PowerShell script extracts and runs a portion of a code present at the end of the same file. Once the PowerShell script has been extracted, it runs another Powershell script that acts as a subsequent dropper in the attack chain.

This ps code abuses the BitsTransfer windows functionality to download two important files: config.ini and web.ini that contains the final sLoad stage.

The malicious code gains persistence using a task defined into System Task Scheduler that runs a Visual Basic script.

At the end, when sLoad is started, it periodically takes screenshots, gathers system’s information and sends other data to the C2 .

Technical details, including IoCs and Yara Rules, about the sLoad malware are available on the Yoroi blog.

https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/

UPDATE 21 November 2018

The same threat was also analyzed by another Italian cybersecurity firm, Certego who published an interesting analysis of the threat on Friday. Technical details of Certego analysis are reported at the following link

http://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – malspam, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]