sLoad PowerShell Trojan

First observed in January 2017, sLoad is a PowerShell-based downloader trojan targeting organisations throughout Western Europe and North America. Believed to have been created by the TA554 advanced persistent threat group, it has been used to deliver a wide range of malware including Ramnit, Ursnif, and Gootkit.

sLoad is delivered via LNK files distributed through large-scale phishing campaigns. When opened, these LNK files download an initial PowerShell script, which then downloads sLoad and a list of command and control (C2) servers. sLoad will then collect system and user information before connecting to a C2 server and waiting for further commands.

Once installed, sLoad can load and install secondary payloads sent from the C2 server. It will also take screenshots, search the DNS cache for specific domains and check for the presence of ICA files on the system.
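The three behaviours above (an LNK lure that launches a PowerShell download cradle, DNS cache lookups for particular domains, and a check for Citrix ICA files) are all things a responder can hunt for on a suspect host. The script below is an added triage example written for this page; it is not sLoad's code and not from the original article. The cradle regex, the search roots and the `$DomainsOfInterest` list are assumptions for illustration only: the article does not publish the domains sLoad checks, so substitute the domains from your own intelligence.

```powershell
# Added host-triage example (not sLoad's code, not from the original article).
# Hunts for the behaviours the write-up describes:
#   1. LNK shortcuts whose target launches a PowerShell download cradle
#   2. DNS client cache entries for domains of interest
#   3. Citrix ICA files on disk
# The cradle regex, search roots and domain list below are assumptions.

param(
    [string[]]$LnkRoots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP"),
    # Hypothetical placeholders: the article does not list the domains sLoad checks.
    [string[]]$DomainsOfInterest = @('example-bank.invalid', 'example-portal.invalid'),
    [string[]]$IcaRoots = @("$env:USERPROFILE")
)

# Strings typical of a PowerShell download cradle in a shortcut's target/arguments (assumption, tune as needed)
$CradlePattern = '(?i)powershell|pwsh|-enc(odedcommand)?|-w(indowstyle)?\s+hidden|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|bitsadmin|certutil'

function Find-SuspiciousLnk {
    param([string[]]$Roots)
    # WScript.Shell resolves the shortcut so we can read its target and arguments without executing it
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $lnks = Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue
        foreach ($lnk in $lnks) {
            try {
                $sc  = $shell.CreateShortcut($lnk.FullName)
                $cmd = "$($sc.TargetPath) $($sc.Arguments)"
                if ($cmd -match $CradlePattern) {
                    [pscustomobject]@{
                        Check    = 'LNK'
                        Path     = $lnk.FullName
                        Target   = $sc.TargetPath
                        Args     = $sc.Arguments
                        Modified = $lnk.LastWriteTime
                    }
                }
            } catch {
                Write-Verbose "Could not parse $($lnk.FullName): $_"
            }
        }
    }
}

function Find-DnsCacheHits {
    param([string[]]$Domains)
    # Get-DnsClientCache (DnsClient module) is available on Windows 8 / Server 2012 and later
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_.Entry
        $hit = $Domains | Where-Object { $entry -like "*$_" }
        if ($hit) {
            [pscustomobject]@{ Check = 'DNS'; Entry = $entry; Data = $_.Data; Ttl = $_.TimeToLive }
        }
    }
}

function Find-IcaFiles {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.ica -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Check = 'ICA'; Path = $_.FullName; Modified = $_.LastWriteTime } }
    }
}

$findings = @()
$findings += Find-SuspiciousLnk -Roots $LnkRoots
$findings += Find-DnsCacheHits -Domains $DomainsOfInterest
$findings += Find-IcaFiles -Roots $IcaRoots

if ($findings.Count -eq 0) { Write-Output 'No matches for the sLoad behaviours checked.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt on the host under investigation, for example `.\Hunt-sLoad.ps1 -DomainsOfInterest 'domain-from-your-intel.example' -Verbose`. Reading the shortcut through `WScript.Shell` only parses the `.lnk`; it does not run the target. A hit on the LNK check means a shortcut whose target contains cradle-like strings, which is a lead to examine, not proof of infection on its own, and the ICA check is only meaningful alongside the other indicators because ICA files are normal on hosts that use Citrix.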

Indicators of Compromise

Download URL

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
