New Malware Downloader Spotted in Targeted Campaigns

Saint Bot is being used to drop stealers on compromised systems but could be used to deliver any malware.

A relatively sophisticated new malware downloader has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum.

Researchers at Malwarebytes recently spotted the Saint Bot dropper, as they have named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, it is likely that the new loader is being used by a few different threat actors, so there are likely other victims.


One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool that is designed to steal passwords, browser history, cookies, and data in auto-fill forms. The Taurus stealer is also equipped to steal commonly used FTP and email client credentials and system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system.

Malware droppers are specialized tools designed specifically to install other malware on victim systems. They typically are distributed via spam and phishing emails, hidden on malicious websites or in infected apps, and often arrive as part of a broader infection chain. Most have features for evading detection, disabling security tools on an infected system, connecting to command-and-control servers, and executing malicious commands.

One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that specific instance, the dropper was custom designed to deliver targeted payloads to systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a wide variety of secondary and tertiary commodity payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most widely used droppers in recent times, such as Emotet, Trickbot, and Dridex, started off as banking Trojans before their operators switched tactics and used them as malware-delivery vehicles for other criminals.

Researchers at Malwarebytes spotted Saint Bot while investigating a phishing email containing a zip file with malware they hadn't seen before. The zip file contained an obfuscated PowerShell script that masqueraded as a link to a Bitcoin wallet. The script initiated a chain of infections that eventually resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.
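The lure described above, a zip attachment carrying a script dressed up as a Bitcoin wallet link, is the kind of thing a mail gateway or triage script can flag before anyone opens it. The following is an added defensive example, not code from Malwarebytes or from the article: it inspects a zip's members for script payloads, document-style double extensions, and a few common PowerShell obfuscation markers. The extension lists, regex heuristics, and the sample zips are this example's own choices and are not indicators taken from the report.

```python
import io
import re
import zipfile

# File types that should rarely arrive inside a zipped email attachment (assumed list).
SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".lnk"}
# Script types whose body is plain text and can be scanned for obfuscation markers.
TEXT_SCRIPT_EXTENSIONS = SCRIPT_EXTENSIONS - {".lnk"}
# Document-looking extensions used to spot "wallet.txt.ps1"-style double extensions.
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

# Heuristic markers of obfuscated or downloader-style PowerShell. Patterns and
# thresholds are this example's own choices, not indicators from the article.
OBFUSCATION_PATTERNS = {
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "char_code_concat": re.compile(r"(\[char\]\s*\d+\s*\+\s*){3,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "web_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "backtick_splitting": re.compile(r"\w`\w"),
}


def scan_zip_attachment(data: bytes) -> dict:
    """Inspect a zip archive held in memory and report suspicious members.

    Each finding is a (member name, finding kind, detail) tuple. The result is a
    dict with a boolean "suspicious" flag and the list of findings.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in SCRIPT_EXTENSIONS:
                findings.append((name, "script_payload", ext))
                # A script hiding behind a document extension, e.g. wallet.txt.ps1.
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                    findings.append((name, "double_extension", ".".join(parts[1:])))

            if ext in TEXT_SCRIPT_EXTENSIONS:
                text = zf.read(info).decode("utf-8", errors="replace")
                for label, pattern in OBFUSCATION_PATTERNS.items():
                    if pattern.search(text):
                        findings.append((name, "obfuscation_marker", label))
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample shaped like the lure in the article: a script named to look
# like a wallet link. The body is inert; it only assembles and prints a string.
LURE_ZIP = build_sample_zip({
    "bitcoin_wallet.txt.ps1": "$s = [char]72 + [char]105 + [char]33 + [char]33\n"
                              "Write-Output $s  # inert: only prints the string\n",
})

# Constructed benign sample: a single document with no script members.
BENIGN_ZIP = build_sample_zip({"q2_report.pdf": b"%PDF-1.4 constructed placeholder"})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        result = scan_zip_attachment(blob)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

On the constructed lure the scanner reports the `.ps1` payload, the `txt.ps1` double extension, and the character-code concatenation marker; the benign archive produces no findings. The heuristics are deliberately coarse, which is the right trade-off for a triage step that feeds a sandbox or an analyst queue rather than a blocking control.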

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain," a spokesman from Malwarebytes' threat intelligence team says. "In particular, we observed malicious documents laced with exploits often accompanied by decoy files," he notes. In all instances, Saint Bot was eventually used to drop stealers.

Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect systems located in specific Commonwealth of Independent States (CIS) countries, which include former Soviet bloc states such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova, and not to execute on them. Taurus, the information stealer that the dropper has primarily been distributing, is likewise designed not to execute in CIS nations. Security researchers often read such exclusions as a sign that the malware authors are from that region.

According to Malwarebytes, though Saint Bot is not a prolific threat yet, there are signs that the authors behind the malware tool are still actively developing it. The security vendor says its investigation of Saint Bot shows that a previous version of the tool existed not long ago. "Additionally, we are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," the Malwarebytes spokesman said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
