Dark Reading is part of the Informa Tech Division of Informa PLC



4/12/2021 10:30 AM

New Malware Downloader Spotted in Targeted Campaigns

Saint Bot is being used to drop stealers on compromised systems but could be used to deliver any malware.

A relatively sophisticated new malware downloader has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum.

Researchers at Malwarebytes recently spotted the Saint Bot dropper, as they have named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, it is likely that the new loader is being used by a few different threat actors, so there are likely other victims.

One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool that is designed to steal passwords, browser history, cookies, and data in auto-fill forms. The Taurus stealer is also equipped to steal commonly used FTP and email client credentials and system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system.

Malware droppers are specialized tools designed specifically to install other malware on victim systems. They are typically distributed via spam and phishing emails, hidden on malicious websites or in infected apps, and often arrive as part of a broader infection chain. Most have features for evading detection, disabling security tools on an infected system, connecting to command-and-control servers, and executing malicious commands.

One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that specific instance, the dropper was custom designed to deliver targeted payloads to systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a wide variety of secondary and tertiary commodity payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most widely used droppers in recent times, such as Emotet, Trickbot, and Dridex, started off as banking Trojans before their operators switched tactics and used them as malware-delivery vehicles for other criminals.

Researchers at Malwarebytes spotted Saint Bot while investigating a phishing email containing a zip file with malware they hadn't seen before. The zip file contained an obfuscated PowerShell script that masqueraded as a link to a Bitcoin wallet. The script initiated a chain of infections that eventually resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.
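The attachment chain described above (a zip file carrying an obfuscated PowerShell script that poses as a wallet link) is the kind of thing a mail-gateway or SOC triage step can flag before any payload runs. The Python below is an added example written for this article; it is not code from Malwarebytes or from the Saint Bot analysis. The archive contents, member names, the harmless stand-in script and the obfuscation patterns are all constructed for illustration and are not indicators from the real campaign.

```python
import io
import re
import zipfile

# Constructed, harmless stand-in for the kind of script described in the article.
# The base64 blob decodes to the word "hello"; nothing here is from the real sample.
SAMPLE_SCRIPT = (
    "$w = 'aGVsbG8='\n"
    "IEX ([System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($w)))\n"
)

# Extensions that should never arrive unannounced inside a mail attachment archive.
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd",
               ".lnk", ".exe", ".scr"}

# Benign-looking "inner" extensions used to disguise a script (wallet.txt.ps1).
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".url"}

# Substrings typical of obfuscated PowerShell loaders. Each is a triage signal, not proof.
OBFUSCATION_PATTERNS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "invoke-expression"),
    (re.compile(r"FromBase64String", re.I), "base64-decode"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded-command-switch"),
    (re.compile(r"\[char\]\s*\d+", re.I), "char-code-construction"),
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
     "network-download"),
]


def build_sample_zip(include_script: bool = True) -> bytes:
    """Build an in-memory archive resembling the phishing attachment (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Your wallet link is attached.\n")
        if include_script:
            zf.writestr("bitcoin_wallet.txt.ps1", SAMPLE_SCRIPT)
    return buf.getvalue()


def _split_ext(member_name: str):
    """Return (outer_ext, inner_ext) for names like 'dir/wallet.txt.ps1'."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    outer = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return outer, inner


def triage_zip(data: bytes, max_members: int = 200, max_read: int = 1_000_000) -> dict:
    """Inspect archive members and return a verdict with per-member flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            flags = []
            outer, inner = _split_ext(info.filename)
            if outer in SCRIPT_EXTS:
                flags.append("script-or-executable")
            if inner in DECOY_EXTS:
                flags.append("double-extension")
            # Only read small script bodies; the declared-size cap limits what we inflate.
            if outer == ".ps1" and info.file_size <= max_read:
                text = zf.read(info).decode("utf-8", errors="replace")
                flags += [label for pat, label in OBFUSCATION_PATTERNS if pat.search(text)]
            if flags:
                findings.append({"name": info.filename, "flags": flags})
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The member-name checks (script extension, double extension) cost nothing and catch the disguise on their own; the content patterns are deliberately broad, so treat a hit as a reason to detonate or quarantine, not as a conviction.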

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain," a spokesman from Malwarebytes' threat intelligence team says. "In particular, we observed malicious documents laced with exploits often accompanied by decoy files," he notes. In all instances, Saint Bot was eventually used to drop stealers.

Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to recognize systems located in certain Commonwealth of Independent States (CIS) countries, which include former Soviet bloc nations such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova, and to refrain from executing on them. Taurus, the information stealer that the dropper has primarily been distributing, is likewise designed not to execute in CIS nations. Security researchers often see such exclusions as a sign that the malware authors are from that region.
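The two anti-analysis behaviours just described, hypervisor detection and a CIS locale gate, both show up in a sandbox as a burst of lookups followed by a quiet exit, which is exactly the pattern that produces false "benign" verdicts. The Python below is an added example for this article, not code from Malwarebytes or from the Saint Bot report: it scores a constructed API-call trace for those two patterns. The trace lines, the artifact strings and the API name sets are illustrative assumptions about what a behaviour log looks like, not observations from the real sample.

```python
import re
from dataclasses import dataclass, field

# Constructed API trace, one call per line as "API argument". It mimics the shape of a
# sandbox behaviour log; it is not output from any real sandbox or from the Saint Bot sample.
CONSTRUCTED_TRACE = """\
GetModuleHandleA kernel32.dll
RegOpenKeyExA HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
RegOpenKeyExA HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest
GetKeyboardLayoutList
GetUserDefaultLangID
ExitProcess 0
"""

# Strings that identify common hypervisor artifacts in registry paths, device names, etc.
VM_ARTIFACTS = re.compile(r"vmware|vbox|virtualbox|qemu|xen|hyper-v|vmci", re.I)

# APIs a sample can use to learn the system or keyboard locale (the CIS check described above).
LOCALE_APIS = {"GetKeyboardLayoutList", "GetKeyboardLayout", "GetUserDefaultLangID",
               "GetUserDefaultLCID", "GetSystemDefaultLangID", "GetLocaleInfoA",
               "GetLocaleInfoW", "GetUserGeoID"}

# APIs that indicate the sample went on to do real work (drop, download, inject, spawn).
PAYLOAD_APIS = {"CreateProcessA", "CreateProcessW", "WriteFile", "InternetOpenUrlA",
                "InternetOpenUrlW", "URLDownloadToFileA", "WinHttpOpen",
                "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


@dataclass
class TraceVerdict:
    vm_checks: list = field(default_factory=list)      # arguments that matched VM_ARTIFACTS
    locale_checks: list = field(default_factory=list)  # locale APIs observed, in order
    locale_gated_exit: bool = False                    # locale query shortly followed by exit
    payload_activity: bool = False                     # any PAYLOAD_APIS seen at all


def parse_trace(text: str):
    """Split 'API argument' lines into (api, argument) tuples, skipping blanks."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            api, _, arg = line.partition(" ")
            calls.append((api, arg))
    return calls


def analyze_trace(text: str, window: int = 5) -> TraceVerdict:
    """Flag VM-artifact lookups and locale checks that lead straight to process exit."""
    calls = parse_trace(text)
    v = TraceVerdict()
    for i, (api, arg) in enumerate(calls):
        if VM_ARTIFACTS.search(arg):
            v.vm_checks.append(arg)
        if api in PAYLOAD_APIS:
            v.payload_activity = True
        if api in LOCALE_APIS:
            v.locale_checks.append(api)
            # Look ahead a few calls: exit with no payload work in between suggests a locale gate.
            tail = [a for a, _ in calls[i + 1:i + 1 + window]]
            if "ExitProcess" in tail and not any(a in PAYLOAD_APIS for a in tail):
                v.locale_gated_exit = True
    return v


def indicators(v: TraceVerdict) -> list:
    """Reduce a verdict to the labels an analyst would put on the detonation report."""
    out = []
    if v.vm_checks:
        out.append("vm-artifact-lookup")
    if v.locale_checks:
        out.append("locale-check")
    if v.locale_gated_exit and not v.payload_activity:
        out.append("locale-gated-exit")
    return out


if __name__ == "__main__":
    verdict = analyze_trace(CONSTRUCTED_TRACE)
    print(indicators(verdict), verdict)
```

When a detonation comes back with `locale-gated-exit` or `vm-artifact-lookup` and no payload activity, the sensible response is to rerun the sample with a non-CIS keyboard layout and locale and with hypervisor artifacts masked, rather than to accept the quiet run as a clean result.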

According to Malwarebytes, though Saint Bot is not a prolific threat yet, there are signs that the authors behind the malware tool are still actively developing it. The security vendor says that its investigation of Saint Bot shows that a previous version of the tool existed not long ago. "Additionally, we are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," the Malwarebytes spokesman said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
