SLoad Trojan Employs BITS
Analysis of the sLoad trojan illustrates a growing trend: advanced malware that evades detection by carrying out its activity through legitimate system components rather than custom tooling. sLoad is a PowerShell-based downloader known for the reconnaissance it performs on each victim and for its selective targeting. What makes it unusual is its almost exclusive use of a legitimate Windows file transfer utility for stealing data, fetching payloads and command-and-control communications. According to Sujit Magar, an APT researcher with Microsoft, "sLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land."
sLoad was first spotted in May 2018. It has since been seen delivering a variety of payloads, including the Ramnit and Ursnif banking trojans, Gootkit, DarkVNC and PsiXBot. Instead of shipping its own network code, it abuses the Background Intelligent Transfer Service (BITS), a built-in Windows component, to download payloads, upload stolen data and communicate with its command-and-control servers.
sLoad gathers system information to learn about a target before delivering its payload. It collects a list of running processes, checks for the presence of Outlook and of Citrix-related files, and takes screenshots of the machine. A loader that can profile the systems it has infected lets the operators choose targets deliberately and deliver follow-on payloads only to hosts worth the effort.
sLoad is a dangerous threat with spyware capabilities, stealthy payload delivery and data exfiltration. Although it drops some files during installation, relying on BITS jobs for most of its harmful activity and on scheduled tasks for persistence gives it an almost fileless footprint on compromised machines, leaving little on disk for file-based detection to catch.
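The BITS abuse and scheduled-task persistence described above leave artifacts an administrator can hunt for on a live host. The following PowerShell script is an added example for this article, not code from sLoad or from Microsoft's analysis; it enumerates BITS jobs for every user and flags upload jobs, jobs with a NotifyCmdLine (a program BITS runs when the job completes) and jobs whose remote URLs fall outside an allow list, pulls job URLs from the BITS-Client operational log so that already-deleted jobs are still visible, and lists scheduled tasks whose action launches a script host or bitsadmin. The allow list of hosts and the set of flagged executables are assumptions for illustration and should be replaced with an organization's own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: hunt for BITS abuse and scheduled-task persistence of the kind
# sLoad relies on. Not sLoad's or Microsoft's code. $AllowedHosts and $ScriptHosts
# are illustrative assumptions; tune them to your environment.
Import-Module BitsTransfer

# Assumed hosts a BITS job may legitimately talk to (example values only).
$AllowedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')
# Assumed set of executables a scheduled task rarely needs in a clean baseline.
$ScriptHosts  = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'bitsadmin', 'cmd')

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host.ToLower() } catch { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

# BITS jobs of every user on the box. Flag uploads (BITS exfiltrates as readily
# as it downloads), completion commands, and remote names outside the allow list.
function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        if ($job.TransferType -ne 'Download') { $reasons += "TransferType=$($job.TransferType)" }
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine=$($job.NotifyCmdLine -join ' ')" }
        $urls = @($job.FileList | ForEach-Object { $_.RemoteName })
        $bad  = @($urls | Where-Object { -not (Test-AllowedHost $_) })
        if ($bad.Count -gt 0) { $reasons += "RemoteName=$($bad -join ',')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# The BITS-Client operational log records the URL when a job starts (event 59)
# and stops (event 60), so it still shows jobs the malware has since removed.
function Get-SuspiciousBitsEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match 'https?://\S+') {
            $url = $Matches[0]
            if (-not (Test-AllowedHost $url)) {
                [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Url = $url }
            }
        }
    }
}

# Scheduled tasks whose action starts a script host, cmd or bitsadmin.
# Legitimate Microsoft tasks will appear here too; baseline them before alerting.
function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute.Trim('"')).ToLower()
            if ($ScriptHosts -contains $exe) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Author    = $task.Author
                }
            }
        }
    }
}

'== Suspicious BITS jobs ==';             Get-SuspiciousBitsJob       | Format-List
'== BITS URLs from event log (24h) ==';   Get-SuspiciousBitsEvent     | Format-Table -AutoSize
'== Scheduled tasks running script hosts =='; Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; Get-BitsTransfer -AllUsers and the operational log both require administrative rights, and on hosts where the BITS-Client operational log is disabled the event query returns nothing. Treat the output as triage input rather than a verdict: a NotifyCmdLine or an upload job is unusual on a workstation, but the URL checks are only as good as the allow list you feed them.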