Malware analysis

Starslord 2.0 malware: What it is, how it works and how to prevent it | Malware spotlight

May 7, 2020 by Daniel Dimov

Introduction

The sLoad malware was first documented in 2018. It is a downloader: its purpose is to deliver other malware to the computers it infects, including the banking Trojans Ramnit, Gootkit and Ursnif.

One of the most important characteristics of sLoad is that it performs reconnaissance on an infected computer before any payload is delivered. For example, sLoad may collect the list of running processes and check for Citrix-related files and for the presence of Outlook. This lets the operators decide which machines are worth a payload and which payload to send.


In January 2020, Microsoft published an analysis of a new version of sLoad, which it named Starslord (sLoad 2.0). In addition to the basic functionality of sLoad, this version includes new features that make it more dangerous than its predecessor.

Like sLoad, Starslord 2.0 operates in four stages: infecting Windows systems, collecting information about the infected systems, sending the collected information to a command-and-control (C2) server and, on instruction from the operators, installing specific malware on the infected computers.

The purpose of this article is to examine the new features of Starslord 2.0 and to provide recommendations on how to protect against it.

The new features of Starslord 2.0

Starslord 2.0 differs from sLoad in three respects: it has a new tracking feature that reports which stage of the infection process each host has reached, it uses WSF scripts instead of VBS scripts in the infection chain, and it includes an anti-analysis trap. These three features are discussed in more detail below.

The tracking feature is the most significant addition. According to Microsoft, Starslord 2.0 is the first malware observed to track and group infected machines by their stage of infection. With this information, the operators can tailor the commands they send to the stage each targeted computer has reached, rather than treating every bot the same way.

The anti-analysis trap, implemented in a function the malware calls checkUniverse, lets the operators identify hosts that appear to belong to security researchers, keep a profile of them and avoid sending malicious payloads to those hosts. A sandbox or analyst workstation that trips the trap therefore never receives the final payload, which makes it harder to capture and attribute what the operators are actually delivering.

Stage tracking combined with the anti-analysis trap makes Starslord 2.0 well suited to pay-per-install (PPI) operations. In the malware economy, "pay-per-install" refers to receiving payment for each successful installation of a customer's malware: stage tracking tells the operator exactly which hosts reached the payload stage, and the trap keeps those payloads away from analysts who could expose them.
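The delivery stage described above (a WSF script where sLoad previously used VBS) is the one a defender can see first in endpoint telemetry. As an added example, not code from the article or from Microsoft's report, the check below flags Windows Script Host (wscript.exe or cscript.exe) executing a .wsf or .vbs file from a user-writable directory or under a mail, Office or archive-tool parent. The event schema, the directory and parent lists and the sample events are all constructed for this example; in production the same logic would run over Sysmon event 1 or EDR process-creation records.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ntpath

# Windows Script Host binaries that execute .wsf/.vbs files (assumed launch path).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".wsf", ".vbs", ".vbe", ".js", ".jse"}
# Directories an unprivileged user, and so a mail attachment or extracted archive,
# can write to. Assumption for this example; tune to the estate.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\downloads\\", "\\users\\public\\")
# Parents that should not normally spawn a script host. Assumption for this example.
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "7zfm.exe", "winrar.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Process-creation record (constructed schema, loosely modelled on Sysmon event 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    script: str
    reasons: tuple


def split_command_line(cmd: str) -> list[str]:
    """Minimal Windows command-line tokenizer: whitespace separates, double quotes group."""
    tokens, current, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def script_path(cmd: str) -> Optional[str]:
    """First non-switch argument with a script extension (wscript switches start with '/')."""
    for token in split_command_line(cmd)[1:]:
        if token.startswith("/"):
            continue
        if ntpath.splitext(token)[1].lower() in SCRIPT_EXTENSIONS:
            return token
    return None


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding when a script host runs a script under suspicious conditions."""
    if ntpath.basename(event.image).lower() not in SCRIPT_HOSTS:
        return None
    script = script_path(event.command_line)
    if script is None:
        return None
    reasons = []
    if any(marker in script.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("script in user-writable directory")
    if ntpath.basename(event.parent_image).lower() in SUSPICIOUS_PARENTS:
        reasons.append("spawned by mail/office/archive application")
    if not reasons:
        return None  # scripts from system or program directories under normal parents are left alone
    return Finding(event.host, script, tuple(reasons))


def hunt(events) -> list[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry: two suspicious launches, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\7zO4A1B\invoice_4471.wsf"'),
    ProcessEvent("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe //B //Nologo "C:\Program Files\Vendor\inventory.vbs"'),
    ProcessEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe //E:vbscript "C:\Users\bob\Downloads\scan_0507.wsf"'),
    ProcessEvent("ws04", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Users\bob\Downloads\setup.ps1"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.script} ({'; '.join(finding.reasons)})")
```

The rule deliberately ignores a script run from Program Files by a service, because logon and inventory scripts are common, and it keys on the conditions a mailed archive produces rather than on the file extension alone, which is exactly what changed between sLoad and Starslord 2.0.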

Protection against Starslord 2.0

Because Starslord 2.0 targets Windows systems, the security tooling Microsoft builds around its platform is a natural place to start. For example, Microsoft Threat Protection correlates security signals across infrastructure, endpoints, identities, cloud apps and user data, so that an infection chain touching several of them can be recognized as one incident.

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), an endpoint platform designed to help enterprise networks detect and respond to advanced threats, can be particularly helpful against Starslord 2.0. It uses behavior-based machine learning to detect suspicious sequences of process behavior and advanced attack techniques. The analysis runs in near real time in a cloud service: once it completes (typically within milliseconds), the cloud service returns a verdict to the endpoint on which the suspicious behavior was observed, and the endpoint blocks the threat. Detection keyed on behavior rather than on file hashes matters here, because a change such as swapping VBS for WSF alters the files on disk but not the chain of process behavior that follows.

To illustrate how Microsoft Defender ATP works, consider how it stopped the Lokibot malware, a notorious information stealer. The behavior-based machine learning of Microsoft Defender ATP identified Lokibot's behavior at two different stages of the attack.

The first stage was the exploit: as soon as Microsoft Defender ATP detected the exploit being used, it instructed the affected computers to block the attack. The second stage was an attempt at process hollowing. Process hollowing is a technique in which malware starts a legitimate program in a suspended state, replaces the program's code in memory with its own, and then resumes execution, so that the malicious code runs under the name and image path of a trusted process. Where an attack had progressed to this second stage, Microsoft Defender ATP blocked the hollowing attempt to prevent the attack from developing further.
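To make "suspicious sequences of process behavior" concrete, here is an added example (not Microsoft's code, and not part of the article) of a sequence detector for the process-hollowing stage just described. It consumes a per-process API-call trace; the record schema, the ten-second window and the sample trace are constructed for the example, but the sequence it looks for is the classic hollowing pattern: a process created with CREATE_SUSPENDED, optionally its original image unmapped with NtUnmapViewOfSection, memory written into it by the creator with WriteProcessMemory, the main thread redirected with SetThreadContext, and finally ResumeThread.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiCall:
    """One API call from process telemetry (constructed schema, not a real EDR format)."""
    t: float                          # seconds since trace start
    pid: int                          # calling process
    api: str                          # API name, e.g. WriteProcessMemory
    target_pid: Optional[int] = None  # process the call acts on, if cross-process
    flags: str = ""                   # relevant flags, e.g. CREATE_SUSPENDED


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    child_pid: int
    steps: tuple
    confidence: str


# Core of process hollowing: the loader starts a legitimate binary suspended,
# overwrites its memory, points the main thread at the new code, then resumes it.
REQUIRED_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
OPTIONAL_STEPS = ("NtUnmapViewOfSection",)  # the classic variant unmaps the original image first


def detect_hollowing(trace: list[ApiCall], window: float = 10.0) -> list[Finding]:
    """One Finding per suspended-created child that its creator wrote to, retargeted
    and resumed, in that order, within `window` seconds of creation."""
    candidates: dict[int, dict] = {}  # child pid -> tracking state
    findings: list[Finding] = []
    for call in sorted(trace, key=lambda c: c.t):
        if call.api == "CreateProcess" and "CREATE_SUSPENDED" in call.flags and call.target_pid:
            candidates[call.target_pid] = {"parent": call.pid, "t0": call.t, "seen": []}
            continue
        state = candidates.get(call.target_pid)
        if state is None or state["parent"] != call.pid:
            continue  # not a call by the creator into one of its suspended children
        if call.t - state["t0"] > window:
            del candidates[call.target_pid]  # too slow to be the hollowing pattern
            continue
        if call.api in REQUIRED_STEPS + OPTIONAL_STEPS and call.api not in state["seen"]:
            state["seen"].append(call.api)
        if call.api == "ResumeThread":
            seen = state["seen"]  # everything recorded here happened before the resume
            if all(step in seen for step in REQUIRED_STEPS):
                confidence = "high" if "NtUnmapViewOfSection" in seen else "medium"
                findings.append(Finding(state["parent"], call.target_pid, tuple(seen), confidence))
            del candidates[call.target_pid]  # resumed: no longer a candidate either way
    return findings


# Constructed sample trace: one classic hollowing, one debugger-like benign start, one
# variant that writes and retargets without unmapping.
SAMPLE_TRACE = [
    ApiCall(0.00, 4120, "CreateProcess", 5064, "CREATE_SUSPENDED"),
    ApiCall(0.01, 4120, "NtUnmapViewOfSection", 5064),
    ApiCall(0.02, 4120, "VirtualAllocEx", 5064),  # not a tracked step, ignored
    ApiCall(0.03, 4120, "WriteProcessMemory", 5064),
    ApiCall(0.05, 4120, "SetThreadContext", 5064),
    ApiCall(0.06, 4120, "ResumeThread", 5064),
    ApiCall(1.00, 880, "CreateProcess", 2200, "CREATE_SUSPENDED"),
    ApiCall(1.50, 880, "ResumeThread", 2200),  # suspended start, no writes: no finding
    ApiCall(2.00, 3000, "CreateProcess", 3100, "CREATE_SUSPENDED"),
    ApiCall(2.10, 3000, "WriteProcessMemory", 3100),
    ApiCall(2.15, 3000, "SetThreadContext", 3100),
    ApiCall(2.20, 3000, "ResumeThread", 3100),
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"{f.confidence}: pid {f.parent_pid} hollowed pid {f.child_pid} via {' -> '.join(f.steps)}")
```

Debuggers and some installers also create processes suspended, which is why the detector requires the write and the thread-context change before the resume instead of alerting on CREATE_SUSPENDED alone; in a real deployment an allowlist of known debugger and instrumentation parents would sit on top of this logic.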

Conclusion

Starslord 2.0, an advanced version of sLoad, gives its operators a way to install malware and be paid on a pay-per-install basis. Underestimating the risk it poses can lead to the installation of banking Trojans that collect online banking credentials without authorization. The anti-analysis trap built into the malware also makes it harder for security analysts to obtain and study the payloads it delivers.

The best measures for identifying and avoiding a Starslord 2.0 infection therefore need to include behavior-based detection, such as the machine learning process analysis used by Microsoft Defender ATP, rather than relying on file signatures alone.


Sources

  1. "Microsoft discovers new sLoad 2.0 (Starslord) malware," ZDNet
  2. Guilmette, A., Zanre, M., Lee, Y., "Microsoft 365 Certified Fundamentals MS-900 Exam Guide: Expert tips and techniques to pass the MS-900 certification exam on the first attempt," Packt Publishing, 2020
  3. Kleymenov, A., Thabet, A., "Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks," Packt Publishing, June 2019
  4. "sLoad launches version 2.0, Starslord," Microsoft
  5. "sLoad malware gang returns: Microsoft detects quickly revamped 2.0 version," International Business Times
  6. "Microsoft Defender Advanced Threat Protection," Microsoft
  7. "Tackling phishing with signal-sharing and machine learning," Microsoft
  8. "sLoad Banking Trojan Downloader Displays Sophisticated Recon and Targeting," Threatpost
  9. Stewart, J., Chapple, M., Gibson, D., "CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide," John Wiley & Sons, 11 September 2015
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.