A previously undocumented malware downloader has been spotted in the wild in phishing attacks that deploy credential stealers and other malicious payloads.
Dubbed "Saint Bot," the malware is said to have first appeared on the scene in January 2021, with indications that it is under active development.
"Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping stealers (i.e. Taurus Stealer) or further loaders (example), yet its design allows [it] to be utilized for distributing any kind of malware," said Aleksandra "Hasherezade" Doniec, a threat intelligence analyst at Malwarebytes.
"Furthermore, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance."
The infection chain analyzed by the cybersecurity firm begins with a phishing email carrying an embedded ZIP archive ("bitcoin.zip") that claims to be a bitcoin wallet but actually contains a PowerShell script disguised as a .LNK shortcut file. The PowerShell script downloads the next-stage malware, an executable named WindowsUpdate.exe, which in turn drops a second executable (InstallUtil.exe) that downloads two further executables, def.exe and putty.exe.
The former is a batch script responsible for disabling Windows Defender, while putty.exe contains the malicious payload that eventually connects to a command-and-control (C2) server for further exploitation.
The obfuscation present in each stage of the infection, combined with the anti-analysis techniques built into the malware, lets the operators exploit the devices it is installed on without attracting attention.
Besides performing "self defense checks" to detect the presence of a debugger or a virtual environment, Saint Bot is designed not to execute in Romania or in select countries of the Commonwealth of Independent States (CIS), namely Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.
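As an added illustration (not code from the Malwarebytes analysis or from this article), the script below walks constructed Sysmon-style process-creation events and flags the parent-child chain described above: WindowsUpdate.exe spawned by PowerShell, a dropped InstallUtil.exe running outside the .NET Framework directory (assumed location of the genuine binary), and def.exe or putty.exe launched beneath it. Process IDs, file paths and the benign control events are all made up for the example.

```python
import ntpath
from typing import Dict, Iterator, List

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Users\victim\AppData\Local\Temp\WindowsUpdate.exe"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Users\victim\AppData\Local\Temp\InstallUtil.exe"},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Users\victim\AppData\Local\Temp\def.exe"},
    {"pid": 1005, "ppid": 1003, "image": r"C:\Users\victim\AppData\Local\Temp\putty.exe"},
    # Benign controls: the real .NET InstallUtil and a user starting PuTTY from Explorer.
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"pid": 2001, "ppid": 1000, "image": r"C:\Program Files\PuTTY\putty.exe"},
]

LEGIT_INSTALLUTIL_DIR = r"\microsoft.net\framework"  # assumption: where the genuine tool lives
STAGE2 = "windowsupdate.exe"
STAGE3 = "installutil.exe"
STAGE4 = {"def.exe", "putty.exe"}


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(ev: dict, by_pid: Dict[int, dict]) -> Iterator[str]:
    """Yield the image basenames of a process's ancestors, nearest parent first."""
    cur = by_pid.get(ev["ppid"])
    while cur is not None:
        yield basename(cur["image"])
        cur = by_pid.get(cur["ppid"])


def detect(events: List[dict]) -> List[str]:
    """Return one finding per event that matches a stage of the described chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev["image"])
        parents = list(ancestors(ev, by_pid))
        if name == STAGE2 and parents[:1] == ["powershell.exe"]:
            findings.append(f"pid {ev['pid']}: WindowsUpdate.exe spawned by PowerShell")
        elif name == STAGE3 and LEGIT_INSTALLUTIL_DIR not in ev["image"].lower():
            findings.append(f"pid {ev['pid']}: InstallUtil.exe running from {ntpath.dirname(ev['image'])}")
        elif name in STAGE4 and STAGE3 in parents:
            findings.append(f"pid {ev['pid']}: {name} launched under InstallUtil.exe")
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The two control events show why the path and ancestry checks matter: the genuine InstallUtil.exe and a PuTTY started by the user produce no finding.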
The commands supported by the malware include:
- downloading and executing other payloads retrieved from the C2 server
- updating the bot malware, and
- uninstalling itself from the compromised machine
While this feature set may seem very small, the fact that Saint Bot serves as a downloader for other malware makes it dangerous enough.
Interestingly, the payloads are themselves fetched from files hosted on Discord, a tactic that has become increasingly common among threat actors, who abuse legitimate functions of such platforms to handle C2 communications, evade security controls, and deliver malware.
"When files are uploaded and stored within the Discord CDN, they can be accessed using the hardcoded CDN URL by any system, regardless of whether Discord has been installed, simply by browsing to the CDN URL where the content is hosted," researchers from Cisco Talos disclosed in an analysis earlier this week, thus turning software like Discord and Slack into lucrative targets for hosting malicious content.
"Saint Bot is yet another tiny downloader," Hasherezade said. "[It is] not as mature as SmokeLoader, but it's quite new and currently actively developed. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and rather standard, [and] not showing much creativity so far."