A multi-stage downloader trojan dubbed sLoad uses BITS to steal data from compromised systems. Attackers use sLoad to evade anti-malware protections and security monitoring that may not detect activity using these unconventional protocols.
Microsoft’s Defender ATP Research Team has observed that the sLoad trojan uses a fileless technique called “living off the land.” In other words, such attacks and malware abuse legitimate tools, like BITS, that are already present on the system.
Background Intelligent Transfer Service (BITS) is a component of Windows operating systems used to facilitate file transfers between systems using idle network bandwidth.
“Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets,” the Microsoft team warned.
Furthermore, sLoad uses scheduled tasks to run its malware every three minutes and then delivers additional malicious payloads to infected systems.
sLoad typically uses spear-phishing emails for delivery and cascaded scripts to evade detection. For instance, one script downloads another script, which in turn runs another script, repeating multiple times until the final payload is delivered.
In the most recent attacks, sLoad uses VBScript as a proxy to build and then run a PowerShell script named rr.ps1. The embedded encrypted scripts are used to communicate with command-and-control (C2) servers.
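For defenders, the traces this leaves are BITS jobs that upload data off the host or pull script payloads such as rr.ps1 into user-writable directories. The following triage helper is an added example, not code from the article or from Microsoft: it parses a constructed, simplified job listing (the real `bitsadmin /list /allusers /verbose` layout differs) and flags the jobs worth a closer look.

```python
"""Triage a BITS job listing for traces of sLoad-style abuse. Added example, not from the
article or Microsoft. SAMPLE_LISTING is constructed (made-up hosts and paths) in a simplified
KEY: value layout; real `bitsadmin /list /allusers /verbose` output differs, so adapt parse_listing()."""
import re
SAMPLE_LISTING = r"""
GUID: {1111-AAAA}
TYPE: DOWNLOAD
FILE: https://update.example-vendor.test/kb.cab -> C:\Windows\SoftwareDistribution\kb.cab

GUID: {2222-BBBB}
TYPE: DOWNLOAD
FILE: https://203.0.113.10/rr.ps1 -> C:\Users\jdoe\AppData\Roaming\rr.ps1

GUID: {3333-CCCC}
TYPE: UPLOAD
FILE: C:\Users\jdoe\AppData\Local\Temp\sysinfo.txt -> https://203.0.113.10/up
"""
SCRIPT_EXT = re.compile(r"\.(ps1|vbs|js|bat|cmd|dll|exe)$", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}(/|$)")

def parse_listing(text):
    """One dict per blank-line-separated job; FILE lines are collected as (src, dst) pairs."""
    jobs = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        job = {"FILES": []}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            if key == "FILE":
                src, _, dst = value.partition(" -> ")
                job["FILES"].append((src.strip(), dst.strip()))
            else:
                job[key] = value.strip()
        jobs.append(job)
    return jobs

def triage_job(job):
    findings = []  # findings for one job; an empty list means nothing notable
    # sLoad pushes harvested host data out through BITS; UPLOAD jobs are rare on workstations.
    if job.get("TYPE", "").upper() == "UPLOAD":
        findings.append("upload job (possible exfiltration)")
    for src, dst in job["FILES"]:
        if SCRIPT_EXT.search(dst):  # script/executable payload, e.g. the rr.ps1 the article names
            findings.append(f"script/executable download: {dst}")
        if USER_WRITABLE.search(src) or USER_WRITABLE.search(dst):  # user-writable staging area
            findings.append("user-writable path involved")
        if RAW_IP_URL.match(src) or RAW_IP_URL.match(dst):  # weak alone, telling with the above
            findings.append("raw-IP endpoint")
    return findings
```

Run it as `[triage_job(j) for j in parse_listing(SAMPLE_LISTING)]`: the Windows Update job produces no findings, while the rr.ps1 download and the Temp-to-IP upload each produce three.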
You can read more about how sLoad abuses BITS and pulls off stealthy attacks in the Microsoft blog post.
Microsoft recommends organizations use solutions like Microsoft Defender ATP’s antivirus client and cloud solution to help stop these types of malware threats.