November 1, 2018 By Douglas Bonderud 2 min read

A PowerShell malware downloader known as sLoad is conducting targeted, geofenced attacks across the U.K., Italy and Canada.

According to researchers at Proofpoint, the most recent versions of sLoad — which has been active since at least May 2018 — targeted victims using sophisticated, multistep geodetection and fencing.

Once the ideal targets were identified, the attacks delivered the Ramnit banking Trojan to compromise accounts and steal financial data. Phishing emails were the infection vector of choice for these campaigns, with attackers preferring shipping or package notifications that included customized user names and other convincing details.

A Preference for Location Restriction and Reconnaissance

Target value now trumps sheer volume in malware campaigns. As noted by Proofpoint, the makers of sLoad performed multiple checks to ensure that targeted computers were within their preferred geographic area.

During five separate steps — the initial download of zipped LNK files, LNK files downloading PowerShell, PowerShell downloading sLoad, sLoad communicating with its command-and-control (C&C) server, and sLoad receiving tasks or commands — the malware performed a source IP check to verify the user’s location. During the initial PowerShell download and sLoad test receiving stages, the malware added additional “header fencing” to ensure that requests and Background Intelligent Transfer Service (BITS) data were identical.

While this campaign currently targets U.K., Canadian and Italian victims, minor geofencing adjustments could shift the delivery focus to other lucrative markets, making the threat a concern for companies everywhere.

Even when infected with sLoad, banking Trojans such as Ramnit aren’t installed immediately. Instead, this PowerShell malware gathers data about current processes, examines the use of Outlook and Citrix-related files, checks the Domain Name System (DNS) cache for targeted bank domains and takes screenshots that are returned to its C&C server. Once geographic location and favorable device environment are confirmed, sLoad delivers final payloads such as Ramnit, Gootkit or Ursnif.

How to Fend Off PowerShell Malware Attacks

The sLoad PowerShell malware includes a stealthy attack mechanism, customized phishing hooks and top-tier geofencing. Despite it’s sophisticated nature, however, the attack still relies on user action to jump-start the infection process. As a result, it’s possible to boost corporate defenses with the right email strategy. Security experts recommend conducting phishing simulations to identify weak points and implementing a layered defense approach that includes perimeter protection, managed security services (MSS) and improved employee awareness.

When it comes to the specific use of PowerShell, a recent report from IBM X-Force Incident Response and Intelligence Services (IRIS) noted that attacks are on the rise as threat actors recognize the value of executing code directly into memory. In these cases, better security starts with upgrading to PowerShell v5 to leverage its logging capabilities, turning on transcription logs to capture full commands, and monitoring for key events such as 4688 (new process creation) and 7045 (new service installed).

Source: Proofpoint

More from

ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive?

2 min read - After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a human cybersecurity professional’s results for the same tasks would compare.To get some answers, I talked with Shanchieh Yang, Director of Research at the Rochester Institute…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

How cyber criminals are compromising AI software supply chains

3 min read - With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.No matter whether you use…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today