Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент SDBbot
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
SDBbot
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

SDBbot

SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)
ID: S0461
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 01 Jun 2020
Last Modified: 18 Jul 2022

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. (Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SDBbot has the ability to use the command shell to execute commands on a compromised host.(Citation: Proofpoint TA505 October 2019)
Enterprise T1546 .011 Event Triggered Execution: Application Shimming

SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.(Citation: Proofpoint TA505 October 2019)
.012 Event Triggered Execution: Image File Execution Options Injection

SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.(Citation: Proofpoint TA505 October 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

SDBbot has the ability to delete files from a compromised host.(Citation: Proofpoint TA505 October 2019)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

SDBbot has used a packed installer file.(Citation: IBM TA505 April 2020)
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proofpoint TA505 October 2019)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

SDBbot has the ability to use RDP to connect to victim's machines.(Citation: Proofpoint TA505 October 2019)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

SDBbot has used rundll32.exe to execute DLLs.(Citation: Korean FSI TA505 2020)

Groups That Use This Software
ID Name References
G0092 TA505

(Citation: Proofpoint TA505 October 2019) (Citation: IBM TA505 April 2020)

References

  1. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  2. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  3. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.