Sibot
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sibot communicated with its C2 server via HTTP GET requests. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sibot executes commands using VBScript. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Sibot will delete itself if a certain server response is received. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sibot has downloaded a DLL to the
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Sibot has obfuscated scripts used in execution. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Sibot has installed a second-stage script in the
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Sibot has been executed via a scheduled task. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Sibot has been executed via the MSHTA application. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Sibot has executed downloaded DLLs with
Groups That Use This Software

ID | Name | References
---|---|---
G0118 | UNC2452 | (Citation: MSTIC NOBELIUM Mar 2021)
G0016 | APT29 | (Citation: MSTIC NOBELIUM Mar 2021) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile)
References
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.