January 28, 2020

The Rise of StarsLord: A New Malware for a New Decade

Devices and operating systems change over time, and as they do, some of the malware floating around the web becomes obsolete, unable to infiltrate new defenses or drop their payloads on more complex machines. Thus, every few years, malware creators need to make a decision: allow outdated malware to die or update it for the next generation?

Just as movie studios seem eager to revamp old franchises for young audiences, so do malware authors like to revitalize outdated malware for new devices. Yet, instead of an emotional female Jedi or a spunky, caffeine-addled Pikachu, device users have to be wary of StarsLord, a powerful loader-type malware that is the latest malware upgrade to pose a threat.

What Is StarsLord?

Before we can tackle StarsLord’s unique properties, it is important to grasp the category of malware that this attack falls into. Loader-type malware is like the aircraft carriers of malicious applications: While they can have weapons built-in, they more often house other vehicles used for the attack.

In other words, loaders are designed to sneak onto a target device and then deploy all sorts of other malicious executables, usually sourced from an attacker-controlled server. Sometimes, loaders are described as remote-access Trojans because they rarely seem dangerous to legitimate users and they give attackers control over a compromised device — which is what brings us back to StarsLord.

StarsLord, also called StarsLoad or sLoad for short, is a PowerShell-based Trojan, meaning it co-opts Windows PowerShell, the built-in command shell and scripting engine that automates critical administrative tasks and assists in configuration management.

Essentially, PowerShell is a powerful administrative tool for a device, and an attacker who controls it can do what they like — but this isn’t a particularly new feature for malware. In fact, in its attack chain, StarsLord isn’t that different from its predecessors: It installs itself on a system, connects to its remote server and downloads additional malware. What is revolutionary is how StarsLord avoids getting caught.

StarsLord takes advantage of another legitimate Windows component, the Background Intelligent Transfer Service (BITS), to transfer the malicious files in the background, without running any applications of its own. Plus, StarsLord downloads its PowerShell script by way of a Windows Script File (WSF) served under a .jpg extension, so the download looks like an image rather than a script. Thus, some antivirus services struggle to identify the malware as a threat.
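The evasion described above rests on a mismatch: the URL claims an image, but the bytes that arrive are a script. That mismatch is something a defender can check for. The following is an added example, not code from the article or from sLoad itself; it walks constructed BITS-style event lines (the line format is a simplified assumption, not the real BITS-Client log schema), looks up the first bytes of each download, and flags any transfer whose URL ends in an image extension while the content lacks that image's magic bytes and instead looks like WSF or PowerShell text.

```python
# Added example (not from the article or from sLoad): flag BITS downloads whose
# URL ends in an image extension while the fetched bytes are script text.
# Assumptions: the event-line shape below is a constructed simplification, and
# the first bytes of each download are available in an in-memory map.
import re
from urllib.parse import urlparse

# Real magic bytes for the image types we treat as possible decoys.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Lowercase text markers typical of a Windows Script File (XML with a
# <job>/<package> root and <script> children) or of inline PowerShell.
SCRIPT_MARKERS = (b"<?xml", b"<job", b"<package", b"<script",
                  b"powershell", b"invoke-expression")

# Constructed event-line shape (assumption): timestamp, then key=value pairs.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BITS job=(?P<job>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$"
)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def claimed_image_ext(url):
    """Return the image extension the URL path claims, or None if it claims none."""
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    ext = path[dot:] if dot != -1 else ""
    return ext if ext in IMAGE_MAGIC else None


def is_masquerading_script(url, head):
    """True when the URL claims an image but the leading bytes are script text."""
    ext = claimed_image_ext(url)
    if ext is None:
        return False
    if head.startswith(IMAGE_MAGIC[ext]):
        return False  # genuine image data for the claimed type
    lowered = head[:512].lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def find_suspicious_transfers(lines, fetched):
    """Return (job, user, url) for every event whose download masquerades as an image."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        head = fetched.get(ev["url"], b"")
        if is_masquerading_script(ev["url"], head):
            hits.append((ev["job"], ev["user"], ev["url"]))
    return hits


# Constructed sample data: a real PNG, a WSF served as .jpg, and a PDF.
SAMPLE_LINES = [
    "2020-01-28 10:15:02 BITS job=WinUpdate user=WS01\\alice url=http://cdn.example.invalid/logo.png",
    "2020-01-28 10:16:41 BITS job=sync user=WS01\\alice url=http://files.example.invalid/photo.jpg",
    "2020-01-28 10:17:00 BITS job=docs user=WS01\\bob url=http://files.example.invalid/report.pdf",
]
SAMPLE_CONTENT = {
    "http://cdn.example.invalid/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "http://files.example.invalid/photo.jpg":
        b'<?xml version="1.0"?>\r\n<job id="run"><script language="VBScript">',
    "http://files.example.invalid/report.pdf": b"%PDF-1.4",
}

if __name__ == "__main__":
    for hit in find_suspicious_transfers(SAMPLE_LINES, SAMPLE_CONTENT):
        print("ALERT: BITS job %s by %s fetched script text disguised as an image: %s" % hit)
```

On a real host the same check would be fed from the BITS-Client operational event log and the job's local destination file; the extension-versus-magic comparison is what matters, not the exact log format assumed here.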

What’s more, StarsLord boasts all sorts of features designed to overwhelm and defeat a user’s security measures, including:

  • Geofencing, or restricting access to content based on a user’s location
  • Tracking, or giving the attacker information about the stage of the infection
  • Trapping, or isolating analyst machines to thwart deeper understanding of the malware’s processes

With all these advanced features, StarsLord certainly seems like an important malware evolution worthy of the new decade — but is there anything users can do to stay out of its clutches?

How Can Users Stop StarsLord?

Loaders are increasing in complexity and prevalence thanks to their power and their flexibility in serving whatever an attacker intends. However, because loaders don’t offer the same experience to each victim — and because loaders’ processes aren’t as easy for non-specialists to understand — users aren’t as familiar with loaders as they are with other malware types, like ransomware. Unfortunately, this means that not much money and effort are currently allocated to thwarting this rising threat.

Fortunately, StarsLord has one crucial thing in common with the more rudimentary malware that came before it: how it gets onto user systems. StarsLord always arrives on user devices by email, as a ZIP attachment.

The content of the email is personalized to the user’s language and might include the user’s name and addresses, to inspire trust and encourage downloading the attached file. Therefore, users can steer clear of StarsLord by adhering to one of the most important rules of cyber hygiene: Don’t interact with suspicious messages. Additionally, comprehensive antivirus protection should be able to identify the threat in the email before users make any mistakes.
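Because the delivery vector is a ZIP attachment, a mail gateway or endpoint scanner can inspect the archive before a user ever opens it. The following is an added example, not code from the article; it builds a small archive in memory (a constructed sample, since the article does not describe the attachment's contents) and reports members that are script or executable types, calling out the decoy double-extension pattern (a name such as `invoice.pdf.wsf`) that is meant to pass for a document or image in a file listing.

```python
# Added example (not from the article): inspect a ZIP attachment and report
# members that are scripts or executables, including decoy double extensions.
# The sample archive is constructed in memory (assumption: the article does not
# say what the real attachment contains).
import io
import zipfile

# Extensions that Windows will execute or hand to a script host.
SCRIPT_EXTENSIONS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta",
                     ".lnk", ".cmd", ".bat", ".exe", ".scr"}
# Harmless-looking extensions commonly placed before the real one as a decoy.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".txt"}


def classify_member(name):
    """Return a reason string if the member name is suspicious, else None."""
    base = name.lower().rsplit("/", 1)[-1]  # drop any folder prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    final = "." + parts[-1]
    if final not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return "double extension: looks like %s but runs as %s" % ("." + parts[-2], final)
    return "script/executable member (%s)" % final


def inspect_zip_attachment(data):
    """Return (member name, reason) for each suspicious member of a ZIP held in bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_attachment():
    """Construct a sample ZIP: a decoy-named WSF next to an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "invoice_2020.pdf.wsf",
            '<?xml version="1.0"?><job id="x"><script language="VBScript"></script></job>',
        )
        zf.writestr("readme.txt", "Please open the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_attachment()):
        print("QUARANTINE: %s: %s" % (member, reason))
```

The extension lists are deliberately short; a production filter would also look inside the members (magic bytes, nested archives) rather than trusting names alone, for the same reason the .jpg disguise above works against scanners that stop at the extension.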

Perhaps the most important lesson from StarsLord is this: Even if a remake doesn’t make the news, it could be making waves in the industry. StarsLord and other loader-type malware are likely to evolve dramatically in the coming months and years, becoming perhaps some of the most dangerous threats on the web. By staying abreast of these early developments, users can know what to look for and how to stay safe, even as the tech landscape grows and shifts.

About the author

Imran Uddin