A previously undocumented malware downloader has been spotted in the wild in phishing attacks that deploy credential stealers and other malicious payloads.
Dubbed “Saint Bot,” the malware is said to have first appeared on the scene in January 2021, with indications that it is under active development.
“Saint Bot is a downloader that appeared quite recently, and slowly is gaining momentum. It was observed dropping stealers (i.e. Taurus Stealer) or further loaders (example), yet its design allows [it] to utilize it for distributing any kind of malware,” said Aleksandra “Hasherezade” Doniec, a threat intelligence analyst at Malwarebytes.
“Also, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance.”
The infection chain analyzed by the cybersecurity firm begins with a phishing email containing an embedded ZIP file (“bitcoin.zip”) that claims to be a bitcoin wallet when, in fact, it is a PowerShell script disguised as a .LNK shortcut file. This PowerShell script then downloads the next-stage malware, a WindowsUpdate.exe executable, which, in turn, drops a second executable (InstallUtil.exe) that takes care of downloading two more executables named def.exe and putty.exe.
While the former is a batch script responsible for disabling Windows Defender, putty.exe contains the malicious payload that ultimately connects to a command-and-control (C2) server for further exploitation.
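The delivery chain above (PowerShell launched from the shortcut, then WindowsUpdate.exe, then InstallUtil.exe, then def.exe and putty.exe) is a process lineage that endpoint telemetry can match on. The following is an added example, not code from the article or from Malwarebytes: it reduces Sysmon-style process-creation events to four fields and flags any def.exe or putty.exe whose nearest ancestors are exactly that chain. The event structure, PIDs, paths and command lines are constructed for the example.

```python
"""Added example (not from the article or Malwarebytes): flag process lineages
that match the Saint Bot delivery chain described in the article.

Assumptions: events resemble Sysmon process-creation records reduced to
(pid, ppid, image path, command line); the sample events below are constructed,
with arbitrary PIDs, user names and paths.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # command line as observed (constructed here)


# The chain from the article, root first: PowerShell (launched via the .lnk in
# bitcoin.zip) -> WindowsUpdate.exe -> InstallUtil.exe -> def.exe / putty.exe.
CHAIN_ANCESTORS = ("powershell.exe", "windowsupdate.exe", "installutil.exe")
FINAL_STAGES = {"def.exe", "putty.exe"}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c <omitted>"),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe", "WindowsUpdate.exe"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\InstallUtil.exe", "InstallUtil.exe"),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Local\Temp\def.exe", "def.exe"),
    ProcEvent(501, 400, r"C:\Users\alice\AppData\Local\Temp\putty.exe", "putty.exe"),
    # Benign control: a user starting the real PuTTY from Explorer must not alert.
    ProcEvent(600, 100, r"C:\Program Files\PuTTY\putty.exe", "putty.exe"),
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on a non-Windows host.
    return ntpath.basename(path).lower()


def ancestry(events_by_pid, event, depth):
    """Return up to `depth` ancestor image basenames, nearest parent first."""
    names = []
    cur = events_by_pid.get(event.ppid)
    while cur is not None and len(names) < depth:
        names.append(_basename(cur.image))
        cur = events_by_pid.get(cur.ppid)
    return names


def find_saint_bot_chains(events):
    """Return (pid, lineage) for every final-stage process whose nearest ancestors
    are exactly installutil.exe <- windowsupdate.exe <- powershell.exe."""
    by_pid = {e.pid: e for e in events}
    expected = list(reversed(CHAIN_ANCESTORS))  # nearest parent first
    hits = []
    for e in events:
        if _basename(e.image) not in FINAL_STAGES:
            continue
        if ancestry(by_pid, e, len(expected)) == expected:
            lineage = " -> ".join(list(CHAIN_ANCESTORS) + [_basename(e.image)])
            hits.append((e.pid, lineage))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_saint_bot_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {lineage}")
```

Matching on exact ancestry rather than on file names alone is what keeps the benign putty.exe launched from Explorer out of the results; in production the same walk would be driven by real parent/child IDs from the EDR or Sysmon event stream.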
The obfuscation present in every stage of the infection, coupled with the anti-analysis techniques adopted by the malware, allows the malware operators to exploit the devices it is installed on without attracting attention.
Besides performing “self defense checks” to verify the presence of a debugger or a virtual environment, Saint Bot is designed not to execute in Romania and select countries within the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.
The list of commands supported by the malware includes —
- downloading and executing other payloads retrieved from the C2 server
- updating the bot malware, and
- uninstalling itself from the compromised device
While these capabilities may seem very limited, the fact that Saint Bot serves as a downloader for other malware makes it dangerous enough.
Interestingly, the payloads are themselves fetched from files hosted on Discord, a tactic that has become increasingly common among threat actors, who are abusing legitimate features of such platforms for C2 communications, evading security controls, and delivering malware.
“Once files are uploaded and stored within the Discord CDN, they can be accessed using the hardcoded CDN URL by any system, regardless of whether Discord has been installed, simply by browsing to the CDN URL where the content is hosted,” researchers from Cisco Talos disclosed in an analysis earlier this week, thus turning software like Discord and Slack into lucrative targets for hosting malicious content.
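The point in the Talos quote, that a CDN attachment can be fetched by any process whether or not the Discord client is present, gives network defenders a usable signal: a binary pulled from a Discord CDN host by something other than the Discord client. The following is an added example, not code from the article, Cisco Talos or Malwarebytes: it parses a constructed proxy log format and grades each Discord CDN executable download by whether the requesting user agent looks like the Discord client. The log layout, attachment IDs and user-agent strings are constructed; cdn.discordapp.com and media.discordapp.net are the CDN hostnames the example matches on, and the assumption that the desktop client's user agent contains "discord/" is an assumption of this example.

```python
"""Added example (not from the article, Cisco Talos or Malwarebytes): flag
executable downloads from Discord's CDN in proxy logs, and rate them higher when
the requester does not look like the Discord client.

Assumptions: the log format (timestamp, client IP, method, URL, status,
content-type, quoted user agent) is constructed; the CDN host list and the
"discord/" user-agent marker are assumptions of this example.
"""
import re
from urllib.parse import urlparse

DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".lnk", ".zip")
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec",
    "application/octet-stream", "application/zip",
}

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log; IPs, attachment IDs and user agents are invented.
SAMPLE_LOG = """\
2021-04-08T10:12:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/putty.exe 200 application/x-msdownload "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"
2021-04-08T10:12:09Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/223/def.exe 200 application/octet-stream "-"
2021-04-08T10:15:41Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/333/444/screenshot.png 200 image/png "Mozilla/5.0 discord/1.0.9001 Chrome/83.0"
2021-04-08T10:16:02Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/333/445/notes.zip 200 application/zip "Mozilla/5.0 discord/1.0.9001 Chrome/83.0"
2021-04-08T10:20:17Z 10.0.0.9 GET https://downloads.example.com/setup.exe 200 application/x-msdownload "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict of named fields, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return 'high', 'low' or None for one parsed record."""
    url = urlparse(rec["url"])
    if url.hostname not in DISCORD_CDN_HOSTS:
        return None
    looks_executable = (url.path.lower().endswith(EXECUTABLE_EXTENSIONS)
                        or rec["ctype"].lower() in EXECUTABLE_CONTENT_TYPES)
    if not looks_executable:
        return None
    # Assumed marker for the desktop client. A scripting host, a bare HTTP
    # library or an empty user agent fetching a binary from the CDN is the
    # "no Discord needed" access pattern the Talos quote describes.
    from_discord_client = "discord/" in rec["ua"].lower()
    return "low" if from_discord_client else "high"


def find_discord_cdn_downloads(lines):
    """Return one alert dict per flagged line, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            hits.append({"severity": severity, "src": rec["src"],
                         "url": rec["url"], "ua": rec["ua"]})
    return hits


if __name__ == "__main__":
    for hit in find_discord_cdn_downloads(SAMPLE_LOG.splitlines()):
        print(f"[{hit['severity']}] {hit['src']} -> {hit['url']} ua={hit['ua']!r}")
```

Grading on the user agent rather than blocking the CDN outright keeps ordinary Discord usage (the PNG and the ZIP fetched by the client) at low or no severity while the two PowerShell-style fetches of putty.exe and def.exe surface as high; the same rule is easy to express as a query in a SIEM over real proxy fields.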
“Saint Bot is still yet another small downloader,” Hasherezade said. “[It is] not as mature as SmokeLoader, but it is fairly new and currently actively developed. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and rather standard, [and] not showing much creativity so far.”