After its inner workings were laid bare last month in a Microsoft report, the operators of the sLoad malware released an updated 2.0 version earlier this month.

This new sLoad version (also known as Starslord) does not change much, but the fact that the sLoad gang shipped a new version less than a month after its operations were exposed shows how quickly malware authors often work.

The sLoad malware operation

The sLoad malware is not new; it is a strain that has been around for years. It is what is commonly called a “malware downloader” or “malware dropper.”

The main purpose of sLoad is to infect Windows PCs, collect information about the infected system, send that information to a command-and-control (C&C) server, and then wait for instructions to download and install a second malware payload.

The malware exists to serve as a delivery system for more capable malware strains and to make money for the sLoad gang, which sells pay-per-install access to other cybercriminal operations (for example, the gang behind the Ramnit banking trojan).

Malware downloaders such as sLoad are a dime a dozen. According to Microsoft, however, sLoad was one of the few that stood out, due to an unusual level of sophistication and its use of non-standard techniques.

The BITS obsession of sLoad

According to a December 2019 Microsoft report, sLoad was one of the few malware strains to move its entire host-to-server communication onto the Windows BITS (Background Intelligent Transfer Service).

For those unfamiliar with the term, Windows BITS is the standard mechanism Microsoft uses to deliver Windows updates to users around the world. The service transfers files in the background, using only network bandwidth that the user's other applications are not using, and it automatically resumes transfers that were interrupted by a disconnect or reboot.

But BITS is not reserved for the Windows Update process. Other applications can use it too, creating BITS jobs that download or upload files in the background whenever idle bandwidth is available, and that persist across reboots until they complete or are cancelled.

The sLoad authors seem to be some of the biggest fans of this service. Microsoft says the malware's entire network stack is configured to work through the BITS service of an infected host.

The malware would set up BITS jobs that run at regular intervals. These jobs were used to talk to its C&C server, to download secondary malware payloads, and even to send data back from an infected host to the C&C server (sLoad v1.0 included the ability to take screenshots of an infected host). Because the transfers are carried out by the BITS service process rather than by the malware itself, they blend in with legitimate background traffic.

While other malware families, such as Win32/StealthFalcon, Zlob.Q, UBoat RAT, Rustock and Linkoptimizer, have also used BITS, sLoad relied on it for almost all of its communication, making it a notable outlier in the malware landscape.

In addition to this quiet BITS-based communication, sLoad also relied heavily on PowerShell scripting, which it used to support a “fileless execution” mode that ran the malware in memory without placing artifacts on disk.

A need to change the modus operandi

Microsoft's report last month exposed sLoad's capabilities and raised awareness among cybersecurity vendors of the malware's modus operandi.

Such exposures are dangerous for malware gangs because they usually mean their malicious payloads get detected more often. In most cases, malware gangs re-tool or upgrade their code, hoping to stay one step ahead of cybersecurity companies.

The sLoad gang did exactly that. Within a few weeks they reworked their code and changed things around, and earlier this year a new sLoad v2.0 appeared.

However, if the sLoad gang hoped to stay one step ahead of Microsoft, it didn't work: the company has published an exposé of the new v2.0 at the same depth as last month's report on v1.0.

According to Sujit Magar, a malware analyst on the Microsoft Defender ATP Research Team, sLoad 2.0 has remained largely the same: it still uses BITS exclusively for all network activity, it still relies on PowerShell scripts for fileless execution, and it still works as a malware downloader for other criminal groups.

What changed is the use of WSF scripts instead of VBScript during the infection process, the addition of checks to detect whether malware analysts are examining the code, and the rollout of a new mechanism that tracks which stage an sLoad infection has reached.

Image: Microsoft

Of these three additions, the last is the most novel, not seen in other malware families. The mechanism works by appending a small numeric value to the end of the BITS job that communicates with the C&C server.

The numeric value tells the sLoad team which stage of the infection a host has reached. The purpose of this feature can vary. Magar believes it can be used to organize sLoad hosts into subgroups and then send commands only to specific infected hosts.

Another purpose might be debugging: if the new sLoad version crashes or stalls at a certain stage, the sLoad team can send commands to the stalled infections and fix any bugs.
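As an added example (not code from the original article, from Microsoft's report, or from sLoad itself), the PowerShell script below shows how a defender might hunt for the BITS behaviour described in the section above and for the stage marker described here. It enumerates BITS jobs for all users and flags jobs that upload rather than download, that point at hosts outside an allowlist, that carry a trailing number of the kind Starslord uses as a stage marker, or that have a command line registered to run on completion; it then pulls recent job-creation and transfer-start events from the BITS client log, which survive after a job has finished and been removed. The allowlist, the trailing-digit heuristic and the 24-hour window are assumptions for illustration; the exact format of the stage marker is not given in the article.

```powershell
# Added example for hunting sLoad-style BITS usage. Not code from the article,
# Microsoft's report, or the malware. Run from an elevated PowerShell so that
# -AllUsers can see jobs created under other accounts (including SYSTEM).
Import-Module BitsTransfer

# Assumption: hosts that legitimately use BITS here. Extend for your environment
# (software deployment tools, browsers and update agents commonly use BITS too).
$AllowedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

function Test-AllowedHost {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host } catch { return $false }
    foreach ($allowed in $AllowedHosts) {
        if ($hostName -eq $allowed -or $hostName.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # sLoad v1.0 used BITS upload jobs to send data (e.g. screenshots) to its C&C.
        if ($job.TransferType -ne 'Download') {
            $reasons += "TransferType=$($job.TransferType)"
        }

        # Any remote URL outside the allowlist is worth a look.
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName)) {
                $reasons += "url=$($file.RemoteName)"
            }
        }

        # Starslord tags the job with a numeric stage marker; a trailing number in the
        # job name is used here as a heuristic (assumption: the exact format is not
        # given in the article).
        if ($job.DisplayName -match '\d+$') {
            $reasons += "numeric suffix in name '$($job.DisplayName)'"
        }

        # A command line registered to run when the job completes is how a downloader
        # can chain its next stage; the property is not exposed on every OS build.
        $notify = $job.PSObject.Properties['NotifyCmdLine']
        if ($notify -and $notify.Value) {
            $reasons += "NotifyCmdLine=$($notify.Value)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Historical view: jobs that completed and were removed no longer show up in
# Get-BitsTransfer, but the BITS client log keeps job-creation (ID 3) and
# transfer-start (ID 59, which names the URL) events.
function Get-SuspiciousBitsEvent {
    param([int]$Hours = 24)   # assumption: look back one day
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $url = [regex]::Match($_.Message, 'https?://\S+').Value
        # Keep every creation event, and transfer events whose URL is not allowlisted.
        if ($_.Id -eq 3 -or ($url -and -not (Test-AllowedHost $url))) {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Url = $url; Message = $_.Message }
        }
    }
}

Get-SuspiciousBitsJob   | Format-Table -AutoSize
Get-SuspiciousBitsEvent | Format-Table -AutoSize -Wrap
```

The job enumeration is a point-in-time snapshot, so it is most useful on a live host during triage; the event-log query is the one to schedule or forward to a SIEM, since BITS jobs created by a downloader are typically short-lived. Expect some benign hits from enterprise software that uses BITS; tune the allowlist rather than the heuristics.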

In any case, Microsoft is clearly aware of the recent sLoad updates, and its latest technical report should help other vendors keep up with this new version.