Saint Bot

Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Saint Bot has attempted to bypass UAC using `fodhelper.exe` to escalate privileges. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Saint Bot has used HTTP for C2 communications. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Saint Bot has established persistence by being copied to the Startup directory or through the `\Software\Microsoft\Windows\CurrentVersion\Run` registry key. (Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Saint Bot has used PowerShell for execution. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Saint Bot has used `cmd.exe` and `.bat` scripts for execution. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Saint Bot has used `.vbs` scripts for execution. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Saint Bot has used Base64 to encode its C2 communications. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Saint Bot has been disguised as a legitimate executable, including as Windows SDK. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Saint Bot has been packed using a dark market crypter. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Saint Bot has been distributed as malicious attachments within spearphishing emails. (Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Saint Bot has been distributed through malicious links contained within spearphishing emails. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Saint Bot has injected its DLL component into `EhStorAuthn.exe`. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Saint Bot has written its payload into a newly created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1055.012 | Process Injection: Process Hollowing | The Saint Bot loader has used API calls to spawn `MSBuild.exe` in a suspended state before injecting the decrypted Saint Bot binary into it. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Saint Bot has created a scheduled task named "Maintenance" to establish persistence. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | Saint Bot has used `InstallUtil.exe` to download and deploy executables. (Citation: Malwarebytes Saint Bot April 2021)
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Saint Bot has used `regsvr32` to execute scripts. (Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1204.001 | User Execution: Malicious Link | Saint Bot has relied on users to click on a malicious link delivered via spearphishing. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1204.002 | User Execution: Malicious File | Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing. (Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Saint Bot has run several virtual machine and sandbox checks, including checking whether `Sbiedll.dll` is present in the list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Saint Bot has used the command `timeout 20` to pause the execution of its initial loader. (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Groups That Use This Software

ID | Name | References
---|---|---
G1003 | Ember Bear | (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: CISA GRU29155 2024)
G1031 | Saint Bear | (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

References
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.