sLoad PowerShell Trojan

First observed in January 2017, sLoad is a PowerShell-based downloader trojan targeting organisations throughout Western Europe and North America. Believed to have been created by the TA554 advanced persistent threat group, it has been used to deliver a wide range of malware including Ramnit, Ursnif, and Gootkit.

sLoad is delivered via LNK files distributed through large-scale phishing campaigns. When opened, these LNK files download an initial PowerShell script, which then downloads sLoad and a list of command and control (C2) servers. sLoad then collects system and user information before connecting to a C2 server and waiting for further commands.

Once installed, sLoad can load and install secondary payloads sent from the C2 server. It will also take screenshots, search the DNS cache for specific domains and check for the presence of ICA files (Citrix connection files) on the system.

Indicators of Compromise

C&C:
https://invasivespecies.us/htmlTicket-access/ticket-T559658356711702
https://davidharvill.org/htmlTicket-access/ticket-V081650502356
https://schwerdt.org/htmlTicket-access/ticket-823624156690858
https://hotkine.com/otki2/kine
https://lookper.eu/userfiles/p2.txt
https://lookper.eu/userfiles/h2.txt
https://maleass.eu/images//img.php?ch=1
https://informanetwork.com/update/thrthh.txt
https://lauriegfisher.com/laura/fisha
Download URL:
https://agencymap.org/account_order/customer-receipt-5324C8273
https://bargainhometheater.com/account_order/customer-receipt-1SJ24554
https://ceelya.com/account_order/customer-receipt-74X1T440
https://chadcollier.org/account_order/customer-receipt-6948J2849
https://dotproject.org/account_order/customer-receipt-4EH6X9045
https://lahesmuda.com/account_order/customer-receipt-0CSX3166
https://picplace.co/account_order/customer-receipt-5DGOP6815
https://serpslicer.com/account_order/customer-receipt-09MN2E3507
https://siteradar.com/account_order/customer-receipt-22IZ323
https://subjectivist.com/account_order/customer-receipt-72C5J04395
https://teamscoff.com/account_order/customer-receipt-299H2888
https://teamscoff.com/account_order/customer-receipt-3Y1197183
https://twoduelists.com/account_order/customer-receipt-7SXV1176
https://westbayinstruments.com/account_order/customer-receipt-97B5SY839
Domain:
xohrikvjhiu.eu
IP:
91.218.127.183
185.197.75.35
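As an added example, not part of the original post, the script below matches web-proxy log lines against the indicators listed above. The log format and the sample log lines are constructed for illustration; the hosts, IPs and URL path patterns are taken from the IOC list. Because the download and C2 URLs share distinctive path shapes (`/account_order/customer-receipt-<id>` and `/htmlTicket-access/ticket-<id>`), the script also flags those paths on hosts that are not on the list, which catches the same campaign on infrastructure that has rotated.

```python
"""Match proxy log lines against the sLoad indicators from this page.

The log format and SAMPLE_LOG are constructed for this example; the hosts,
IPs and URL path patterns come from the IOC list above.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hostnames of the C2 URLs listed on the page.
C2_HOSTS = {
    "invasivespecies.us", "davidharvill.org", "schwerdt.org", "hotkine.com",
    "lookper.eu", "maleass.eu", "informanetwork.com", "lauriegfisher.com",
}
# Hostnames of the download URLs listed on the page.
DOWNLOAD_HOSTS = {
    "agencymap.org", "bargainhometheater.com", "ceelya.com", "chadcollier.org",
    "dotproject.org", "lahesmuda.com", "picplace.co", "serpslicer.com",
    "siteradar.com", "subjectivist.com", "teamscoff.com", "twoduelists.com",
    "westbayinstruments.com",
}
DOMAINS = {"xohrikvjhiu.eu"}
IPS = {"91.218.127.183", "185.197.75.35"}

# The listed URLs share these path shapes; matching on the path alone
# flags the same campaign on a host that is not (yet) in the lists above.
PATH_PATTERNS = {
    "sload_download_path": re.compile(r"^/account_order/customer-receipt-[0-9A-Z]+$"),
    "sload_c2_ticket_path": re.compile(r"^/htmlTicket-access/ticket-[0-9A-Z]+$"),
}


def classify_url(url):
    """Return the indicator names a URL matches (empty list when clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in C2_HOSTS:
        hits.append("c2_host")
    if host in DOWNLOAD_HOSTS:
        hits.append("download_host")
    if host in DOMAINS:
        hits.append("domain")
    try:
        # Only literal IP hosts parse here; hostnames raise ValueError.
        if str(ip_address(host)) in IPS:
            hits.append("ip")
    except ValueError:
        pass
    for name, pattern in PATH_PATTERNS.items():
        if pattern.match(parts.path):
            hits.append(name)
    return hits


# Constructed log format: "<timestamp> <client ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines):
    """Return (client ip, url, hits) for every line with at least one hit."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        hits = classify_url(m.group("url"))
        if hits:
            results.append((m.group("src"), m.group("url"), hits))
    return results


# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
2019-05-01T09:14:02Z 10.0.0.21 GET https://www.example.com/index.html 200
2019-05-01T09:14:05Z 10.0.0.21 GET https://teamscoff.com/account_order/customer-receipt-299H2888 200
2019-05-01T09:14:09Z 10.0.0.21 GET https://invasivespecies.us/htmlTicket-access/ticket-T559658356711702 200
2019-05-01T09:15:30Z 10.0.0.34 GET https://unlisted-host.example/account_order/customer-receipt-ABC123 200
2019-05-01T09:16:01Z 10.0.0.34 GET http://185.197.75.35/update 200
""".splitlines()

if __name__ == "__main__":
    for src, url, hits in scan_log(SAMPLE_LOG):
        print(f"{src} {url} -> {', '.join(hits)}")
```

Feed the script the URL column of your proxy or DNS logs in place of `SAMPLE_LOG`; a hit on `sload_download_path` or `sload_c2_ticket_path` alone (no host match) is the interesting case, since it points at a delivery or C2 host that the published list does not yet cover.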

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell
