New malware downloader spotted in targeted campaigns

Saint Bot is used to drop stealers onto compromised systems, but could be used to spread any malware.

A relatively sophisticated new malware downloader has appeared in recent weeks and, although not yet widespread, seems to be gaining momentum.

Malwarebytes researchers recently spotted the Saint Bot dropper, as they named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop infostealers and other malware downloaders. According to the security vendor, it’s likely that the new loader is being used by a few different threat actors, so there are likely other victims as well.

One of the information stealers that Saint Bot has been observed dropping is Bull, a malicious tool designed to steal passwords, browser history, cookies, and autofill form data. The Taurus stealer is also equipped to steal credentials from commonly used FTP and email clients, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot has mostly been seen dropping stealers, the dropper is designed to deliver any malware onto a compromised system.

Malware droppers are specialized tools designed to install other malware on victim systems. They are usually distributed via spam and phishing emails or hidden on malicious websites and in infected apps, often as part of a larger infection chain. Most have features to evade detection, disable security tools on an infected system, connect to command and control servers, and execute malicious commands.

One of the most notable recent examples of this kind of malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In this specific case, the dropper was tailor-made to deliver targeted payloads to systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malicious tools designed to deliver a wide variety of secondary and tertiary payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most used droppers in recent times, such as Emotet, Trickbot and Dridex, started out as banking Trojans before their operators changed tack and began using them as vehicles for distributing malware for other criminals.

Malwarebytes researchers spotted Saint Bot while investigating a phishing email with a zip file attachment containing malware they had never seen before. The zip file contained an obfuscated PowerShell script that posed as a link to a Bitcoin wallet. The script set off a chain of infections that ultimately resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.

“While we were about to post to this uploader, we identified a few new campaigns that appear to be politically motivated where Saint Bot was being used as part of the infection chain,” a spokesperson for the Malwarebytes Threat Intelligence Team said. “In particular, we observed malicious documents full of exploits often accompanied by decoy files,” he notes. Either way, Saint Bot was eventually used to drop Rogues.

Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect and not run on systems located in specific countries of the Commonwealth of Independent States, which includes countries from the former Soviet bloc, such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova. Taurus, the information stealer that the dropper has mainly distributed, is also designed not to run in CIS countries. Security researchers often see such an exclusion as a sign that the malware's authors originate from that region.

According to Malwarebytes, although Saint Bot is not yet a prolific threat, there are signs that the authors behind the malicious tool are still actively developing it. The security vendor says its investigation of Saint Bot shows that a previous version of the tool existed not too long ago. “Additionally, we are seeing new campaigns that appear to come from different customers, which would indicate that the malware author is involved in customizing the product,” the Malwarebytes spokesperson said.

Jai Vijayan is a seasoned technology journalist with over 20 years of experience in IT journalism. He was most recently an editor at Computerworld, where he covered information security and data privacy issues for the publication. During his 20 years…
