{"id":90477,"date":"2020-01-21T10:00:39","date_gmt":"2020-01-21T18:00:39","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90477"},"modified":"2023-05-15T23:09:50","modified_gmt":"2023-05-16T06:09:50","slug":"sload-launches-version-2-0-starslord","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/01\/21\/sload-launches-version-2-0-starslord\/","title":{"rendered":"sLoad launches version 2.0, Starslord"},"content":{"rendered":"

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Background Intelligent Transfer Service (BITS) for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and its use of BITS as an alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which contain clues indicating that the name “sLoad” may have been derived from a popular comic book superhero.

\"\"<\/p>\n

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and the upload of screenshots.

\"\"<\/p>\n

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final stage, which, as with the old version, loops infinitely (with a sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):