Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.(Citation: MSTIC NOBELIUM Mar 2021)
ID: S0589
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 12 Mar 2021
Last Modified: 27 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sibot communicated with its C2 server via HTTP GET requests.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sibot executes commands using VBScript.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Sibot will delete itself if a certain server response is received.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Sibot has obfuscated scripts used in execution.(Citation: MSTIC NOBELIUM Mar 2021)

.011 Obfuscated Files or Information: Fileless Storage

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sibot has been executed via a scheduled task.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sibot has been executed via MSHTA application.(Citation: MSTIC NOBELIUM Mar 2021)

.011 System Binary Proxy Execution: Rundll32

Sibot has executed downloaded DLLs with rundll32.exe.(Citation: MSTIC NOBELIUM Mar 2021)

Groups That Use This Software

ID Name References
G0118 UNC2452

(Citation: MSTIC NOBELIUM Mar 2021)

(Citation: MSTIC NOBELIUM Mar 2021)

G0016 APT29

(Citation: MSTIC NOBELIUM Mar 2021) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.