
Saint Bot Downloader: A Malware Spreading via Phishing Emails

by CISOCONNECT Bureau

With the rapid development of technology in the field of cybercrime, hackers are devising new methods for quickly creating and distributing sophisticated malware. Security researchers recently discovered a new malware called Saint Bot that has quickly gained a reputation. In late March 2021, Malwarebytes researchers discovered a new phishing campaign that aims to deliver a credential stealer and other malware.

Malwarebytes researchers discovered a phishing email with a ZIP file attachment containing a PowerShell script disguised as a connection to a Bitcoin wallet. The researchers also discovered that the obfuscated PowerShell downloader starts the infection process by deploying the Saint Bot malware, which has been used in a number of COVID-19-themed phishing campaigns against government and private businesses around the world.

Technicalities
The zip file contains a malicious PowerShell script that attempts to download more malicious payloads from an embedded weblink that contains many executable files.

Saint Bot has been seen dropping Taurus Stealer or other AutoIt-based stealers in recent samples, but its architecture suggests that it is capable of delivering other types of malware as well. Saint Bot employs a number of tactics that are typically found only in more advanced malware: code obfuscation, process injection, and anti-analysis checks are used across several stages of the infection cycle.

Malwarebytes added: “Saint Bot is yet another tiny downloader. We suspect it is being sold as a commodity on one of the darknet forums, and not linked with any specific actor. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and pretty standard, not showing much creativity so far. Will it become the next widespread downloader or disappear from the landscape, pushed away by some other, similar products? We have yet to see.”

“Its design allows to utilize it for distributing any kind of malware. Although currently, it does not appear to be widespread, there is an indication that it is being actively developed. Furthermore, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance,” Malwarebytes said.

Working Mechanism
Saint Bot is usually distributed in the form of a malicious email with a ZIP file attachment named bitcoin.zip, which entices the user with the promise of access to a Bitcoin wallet. When the victim opens the archive, they are presented with two files: a .lnk file that appears to point to a Bitcoin wallet and a .txt file that appears to contain the wallet’s password. Opening the shortcut starts a chain of infection that leads to the Saint Bot download.

Opening the .lnk file launches C:\Windows\System32\cmd.exe, and the shortcut’s arguments carry a malicious PowerShell script that downloads the next stage of the malware from the embedded weblink. If the malware has been successfully implanted, it connects to its Command-and-Control server (C2) and goes about its business.

The execution flow of the malware is as follows:
Install itself -> Inject itself into EhStorAuthn.exe -> Communicate with the C2 and proceed with the main operations.
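The delivery chain described in the Technicalities and Working Mechanism sections (ZIP with a shortcut, shortcut launching cmd.exe, cmd.exe handing a download command to PowerShell, then injection into EhStorAuthn.exe) can be expressed as a small set of correlated detections. The code below is an added example written for this page, not code from the article or from Malwarebytes. The event fields, the sample process-creation events, the sample archive and the allowlist of expected parent directories are all constructed assumptions modelled on Sysmon-style process-creation logs; the assumption that EhStorAuthn.exe should not be spawned from a user-writable directory or originate network connections is the baseline the third rule relies on.

```python
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (constructed schema, Sysmon-like)."""
    pid: int
    image: str           # full path of the new process
    parent_image: str    # full path of the parent process
    command_line: str
    has_network: bool = False   # assumed: joined from a network-connection event


# Indicators derived from the chain described in the article.
LNK_RE = re.compile(r"\.lnk\b", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\s-e(?:c|nc\w*)?\s",
    re.IGNORECASE,
)
INJECTION_HOST = "ehstorauthn.exe"
SYSTEM_DIR = "c:/windows/system32/"   # assumed legitimate parent location


def _name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_system_dir(path):
    return path.replace("\\", "/").lower().startswith(SYSTEM_DIR)


def archive_shortcuts(zip_bytes):
    """Return the names of .lnk entries in an attachment (the bitcoin.zip lure)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if LNK_RE.search(n)]


def classify(ev):
    """Return the detection names that fire for a single event."""
    hits = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    # Stage 1: the shell launches cmd.exe whose arguments invoke PowerShell
    # (what double-clicking the malicious shortcut looks like).
    if img == "cmd.exe" and parent == "explorer.exe" and "powershell" in ev.command_line.lower():
        hits.append("explorer_cmd_powershell")
    # Stage 2: cmd.exe hands PowerShell a download or encoded command.
    if img == "powershell.exe" and parent == "cmd.exe" and PS_DOWNLOAD_RE.search(ev.command_line):
        hits.append("powershell_download")
    # Stage 3: EhStorAuthn.exe started from outside System32 or talking to the
    # network, which is the injection host behaving abnormally.
    if img == INJECTION_HOST and (ev.has_network or not _in_system_dir(ev.parent_image)):
        hits.append("ehstorauthn_anomaly")
    return hits


def correlate(events):
    """Aggregate per-event hits; the chain is complete when all stages appear."""
    stages = sorted({h for ev in events for h in classify(ev)})
    required = {"explorer_cmd_powershell", "powershell_download", "ehstorauthn_anomaly"}
    return {"stages": stages, "chain_complete": required.issubset(stages)}


def build_sample_zip():
    """Constructed lure archive: a fake shortcut plus a decoy password file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bitcoin.lnk", b"not a real shortcut")
        zf.writestr("password.txt", b"decoy")
    return buf.getvalue()


# Constructed sample telemetry; the base64 payload is a placeholder, not real data.
SAMPLE_EVENTS = [
    ProcessEvent(400, r"C:\Windows\explorer.exe", r"C:\Windows\System32\winlogon.exe", "explorer.exe"),
    ProcessEvent(4120, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe /c powershell -w hidden -enc <BASE64_PLACEHOLDER>"),
    ProcessEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe", "powershell -w hidden -enc <BASE64_PLACEHOLDER>"),
    ProcessEvent(4300, r"C:\Windows\System32\EhStorAuthn.exe",
                 r"C:\Users\victim\AppData\Local\Temp\stage2.exe", "EhStorAuthn.exe", has_network=True),
    ProcessEvent(5000, r"C:\Windows\System32\EhStorAuthn.exe",
                 r"C:\Windows\System32\svchost.exe", "EhStorAuthn.exe"),   # benign baseline
]

if __name__ == "__main__":
    print("shortcuts in attachment:", archive_shortcuts(build_sample_zip()))
    print(correlate(SAMPLE_EVENTS))
```

Each rule on its own is noisy (plenty of legitimate shortcuts launch cmd.exe), which is why correlate() only reports a complete chain when all three stages are present on the same host; in a real pipeline the events would additionally be grouped by host and time window.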

Latest Cyberattacks
According to security analysts, the malware was spread in a number of attacks aimed at government agencies. Georgia has been the subject of a COVID-19-themed attack campaign. A malicious LNK file was attached to an email in this cyber attack, which led to a malicious document and a decoy PDF file. Saint Bot malware was being delivered by both of these droppers.

Concluding Words
Despite the fact that Saint Bot is not yet a widespread threat, there are indications that the malware’s creators are still working on it, according to Malwarebytes.

So far, no threat group has been linked to this malicious downloader, according to security experts. However, it has been reported that the creators of Saint Bot may have prior malware design experience. Will the malware persist or vanish over time? Its future cannot be predicted at this point, because it depends on the actors who are behind it.

It is recommended that security professionals keep an eye on this emerging malware and keep track of its malicious activities.
