A previously undocumented malware downloader has been spotted in the wild in phishing attacks to deploy credential stealers and other malicious payloads.
Dubbed “Saint Bot,” the malware is said to have first appeared on the scene in January 2021, with indications that it is under active development.
“Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping stealers (i.e. Taurus Stealer) or further loaders (example), but its design allows [it] to be utilized for distributing any kind of malware,” said Aleksandra “Hasherezade” Doniec, a threat intelligence analyst at Malwarebytes.
“Moreover, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance.”
The infection chain analyzed by the cybersecurity firm starts with a phishing email containing an embedded ZIP file (“bitcoin.zip”) that claims to be a bitcoin wallet when, in fact, it is a PowerShell script under the guise of a .LNK shortcut file. This PowerShell script then downloads the next-stage malware, a WindowsUpdate.exe executable, which, in turn, drops a second executable (InstallUtil.exe) that takes care of downloading two more executables named def.exe and putty.exe.
While the former is a batch script responsible for disabling Windows Defender, putty.exe contains the malicious payload that eventually connects to a command-and-control (C2) server for further exploitation.
The obfuscation present in every stage of the infection, coupled with the anti-analysis techniques adopted by the malware, allows the malware operators to exploit the devices it has been installed on without attracting attention.
Apart from performing “self defense checks” to verify the presence of a debugger or a virtual environment, Saint Bot is designed not to execute in Romania and select countries within the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.
The list of commands supported by the malware includes:
- downloading and executing other payloads retrieved from the C2 server
- updating the bot malware, and
- uninstalling itself from the compromised machine
While these capabilities may seem very limited, the fact that Saint Bot serves as a downloader for other malware makes it dangerous enough.
Interestingly, the payloads themselves are fetched from files hosted on Discord, a tactic that has become increasingly common among threat actors, who are abusing legitimate functions of such platforms for C2 communications, evading security controls, and delivering malware.
“When files are uploaded and stored within the Discord CDN, they can be accessed using the hardcoded CDN URL by any system, regardless of whether Discord has been installed, simply by browsing to the CDN URL where the content is hosted,” researchers from Cisco Talos disclosed in an analysis earlier this week, thus turning software like Discord and Slack into lucrative targets for hosting malicious content.
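As an added defensive example (not code from the article, Malwarebytes or Cisco Talos), the following Python triages a ZIP attachment for the lure described above: a .LNK member that invokes PowerShell, together with any Discord CDN attachment URLs embedded in it. The sample archive and its “bitcoin.lnk” member are constructed here; the member carries only the shortcut header magic and a text tail, and is not a functional shortcut.

```python
import io
import re
import zipfile

# Fixed 20-byte prefix of a Windows shortcut: HeaderSize 0x4C + the LNK CLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
URL_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/[\w/.%-]+", re.I)


def text_views(data: bytes) -> list[str]:
    """Bytes as 8-bit text plus UTF-16LE at both alignments (LNK strings are UTF-16LE)."""
    views = [data.decode("latin-1")]
    return views + [data[off:].decode("utf-16-le", errors="ignore") for off in (0, 1)]


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """One finding per ZIP member: is it a shortcut, does it name PowerShell, Discord URLs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            views = text_views(data)
            findings.append({
                "name": info.filename,
                "is_lnk": info.filename.lower().endswith(".lnk") or data.startswith(LNK_MAGIC),
                "powershell": any("powershell" in v.lower() for v in views),
                "discord_urls": sorted({u for v in views for u in URL_RE.findall(v)}),
            })
    return findings


def verdict(findings: list[dict]) -> str:
    """A shortcut that launches PowerShell is the lure pattern described in the article."""
    hits = [f["name"] for f in findings if f["is_lnk"] and f["powershell"]]
    if hits:
        return "block: shortcut invoking PowerShell in " + ", ".join(hits)
    if any(f["discord_urls"] for f in findings):
        return "review: Discord CDN URL embedded in attachment"
    return "clean"


def build_sample() -> bytes:
    """Constructed lure: header magic only (not a working shortcut) plus a UTF-16LE tail."""
    tail = ("powershell.exe -WindowStyle Hidden "
            "https://cdn.discordapp.com/attachments/PLACEHOLDER/putty.exe")
    lnk = LNK_MAGIC + b"\x00" * 56 + tail.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bitcoin.lnk", lnk)       # the lure, mirroring the page's bitcoin.zip
        zf.writestr("readme.txt", b"benign")  # a harmless member for contrast
    return buf.getvalue()
```

Running `verdict(triage_zip(build_sample()))` flags the shortcut member; pointing `triage_zip` at a real attachment's bytes applies the same checks to mail-gateway samples.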
“Saint Bot is yet another tiny downloader,” Hasherezade said. “[It is] not as mature as SmokeLoader, but it’s quite new and currently actively developed. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and quite standard, [and] not showing much creativity so far.”