A PowerShell malware downloader known as sLoad is conducting targeted, geofenced attacks across the U.K., Italy and Canada.

According to researchers at Proofpoint, the most recent versions of sLoad — which has been active since at least May 2018 — targeted victims using sophisticated, multistep geodetection and fencing.

Once the ideal targets were identified, the attacks delivered the Ramnit banking Trojan to compromise accounts and steal financial data. Phishing emails were the infection vector of choice for these campaigns, with attackers preferring shipping or package notifications that included customized user names and other convincing details.

A Preference for Location Restriction and Reconnaissance

Target value now trumps sheer volume in malware campaigns. As noted by Proofpoint, the makers of sLoad performed multiple checks to ensure that targeted computers were within their preferred geographic area.

During five separate steps — the initial download of zipped LNK files, LNK files downloading PowerShell, PowerShell downloading sLoad, sLoad communicating with its command-and-control (C&C) server, and sLoad receiving tasks or commands — the malware performed a source IP check to verify the user’s location. During the initial PowerShell download and sLoad test receiving stages, the malware added additional “header fencing” to ensure that requests and Background Intelligent Transfer Service (BITS) data were identical.

While this campaign currently targets U.K., Canadian and Italian victims, minor geofencing adjustments could shift the delivery focus to other lucrative markets, making the threat a concern for companies everywhere.

Even when infected with sLoad, banking Trojans such as Ramnit aren’t installed immediately. Instead, this PowerShell malware gathers data about current processes, examines the use of Outlook and Citrix-related files, checks the Domain Name System (DNS) cache for targeted bank domains and takes screenshots that are returned to its C&C server. Once geographic location and favorable device environment are confirmed, sLoad delivers final payloads such as Ramnit, Gootkit or Ursnif.

How to Fend Off PowerShell Malware Attacks

The sLoad PowerShell malware includes a stealthy attack mechanism, customized phishing hooks and top-tier geofencing. Despite it’s sophisticated nature, however, the attack still relies on user action to jump-start the infection process. As a result, it’s possible to boost corporate defenses with the right email strategy. Security experts recommend conducting phishing simulations to identify weak points and implementing a layered defense approach that includes perimeter protection, managed security services (MSS) and improved employee awareness.

When it comes to the specific use of PowerShell, a recent report from IBM X-Force Incident Response and Intelligence Services (IRIS) noted that attacks are on the rise as threat actors recognize the value of executing code directly into memory. In these cases, better security starts with upgrading to PowerShell v5 to leverage its logging capabilities, turning on transcription logs to capture full commands, and monitoring for key events such as 4688 (new process creation) and 7045 (new service installed).

Source: Proofpoint

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…