
Starslord 2.0 malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction

The sLoad malware was first observed in 2018. It delivers various Trojans to infected computers, including the banking Trojans Ramnit, Gootkit and Ursnif.

One of sLoad's most important characteristics is that it profiles an infected computer before delivering its malicious payload. For example, sLoad may collect the list of running processes, check for Citrix-related files and check whether Outlook is present.

In January 2020, Microsoft published an article describing a new version of sLoad, which it named Starslord 2.0. In addition to the basic functionality of sLoad, this version includes new features that make it more dangerous than its predecessor.

As with sLoad, the operation of Starslord 2.0 can be divided into four stages: infecting Windows systems, collecting information about the infected systems, sending the collected information to a command-and-control server and, on instruction from the operators, installing specific malware on the infected computers.

The purpose of this article is to examine the new features of Starslord 2.0 and provide recommendations on how to protect against it. 

The new features of Starslord 2.0

Starslord 2.0 differs from sLoad in three respects: a new tracking feature that reports the stage of the infection process, the use of WSF scripts instead of VB scripts during infection, and an anti-analysis trap. These three features are discussed in more detail below.
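Because the article identifies WSF scripts as the delivery mechanism, a defender's first practical check is to look for Windows Script Host activity involving .wsf files on a suspect host. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft; it is a generic WSH hunt, not a Starslord-specific signature. It assumes it is run as an administrator on the host being examined, and it checks scheduled tasks only on the assumption that a dropper may persist that way, which the article itself does not state.

```powershell
# Added example (not from the original article): hunt for Windows Script Host
# activity that involves .wsf files, the script type the article says
# Starslord 2.0 uses during infection. Generic WSH hunt, not a Starslord
# signature. Assumption: run in an elevated PowerShell session on the host.

$wsfPattern = '\.wsf\b'

# 1. Running wscript.exe / cscript.exe processes whose command line names a .wsf file.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(w|c)script\.exe$' -and $_.CommandLine -match $wsfPattern } |
    Select-Object ProcessId, ParentProcessId, CommandLine

# 2. Scheduled tasks whose action launches a .wsf file
#    (persistence via scheduled task is an assumption, not a claim made by the article).
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $wsfPattern) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}

# 3. Recently written .wsf files in user-writable locations, where a dropper
#    would be able to stage scripts without elevation.
$files = Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData -Recurse -Filter *.wsf -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, LastWriteTime, Length

'--- WSH processes running .wsf scripts ---'
$procs | Format-Table -AutoSize
'--- Scheduled tasks launching .wsf scripts ---'
$tasks | Format-Table -AutoSize
'--- Recently modified .wsf files ---'
$files | Format-Table -AutoSize
```

Any hit needs triage rather than automatic blocking: legitimate administrative scripts also ship as .wsf, so compare the file path, the task's creator and the parent process against what is expected for that machine before acting.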

The tracking feature is the most notable of the three additions. Starslord 2.0 is the first malware that has the capacity to track and group infected machines on the basis of their stage of infection. By using this feature, the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/S-ZO5vAmZBU/