A relatively sophisticated new malware downloader has surfaced in recent weeks. Although it does not yet appear to have been spread very widely, it has started gaining momentum.
Researchers at Malwarebytes recently identified the Saint Bot dropper. Saint Bot has been used as part of the infection chain in targeted campaigns against government organizations in Georgia. The malware has been observed dropping information stealers on compromised systems, but it can be used to deliver any malware. According to the security vendor, the new loader is probably used by several different threat actors, so there are likely other victims as well.
One of the data stealers Saint Bot has been observed dropping is Taurus. Taurus is designed to steal information from browser auto-fill forms, passwords, cookies, and browsing history. It also collects system information such as installed software, configuration details, email client credentials, and data from commonly used FTP clients. Malwarebytes notes that although Saint Bot is generally observed dropping stealers, the dropper is built to deliver any malware to a compromised system.
Malware droppers are specialized tools built to install various malware on victim systems. They are usually distributed through phishing and spam emails, hidden on malicious websites or inside infected applications, and are often part of a wider infection chain. Many include features for detection evasion, disabling security tools on the infected system, communicating with command-and-control servers, and executing malicious commands.
One of the most prominent recent examples of this type of malware is Sunburst, which was distributed to around 18,000 organizations worldwide through SolarWinds Orion software updates. In that case, the dropper was specifically crafted to deliver targeted payloads to systems belonging to companies of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a broad variety of secondary and tertiary commodity payloads, including cryptominers, banking Trojans, ransomware, and other malicious tools.
Some of the most widely used droppers of recent years, such as TrickBot, Dridex, and Emotet, began as banking Trojans. Their operators later changed tactics and used the Trojans as malware-delivery vehicles for other criminals.
Investigators at Malwarebytes identified Saint Bot while examining a phishing email containing a zip file with malware they had not seen before. The zip file held a complex PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that ultimately resulted in Saint Bot being dropped on the compromised system.
Malwarebytes also identified some politically motivated campaigns in which Saint Bot was used as a component of the infection chain. In those campaigns, Malwarebytes found malicious documents laced with exploits, frequently accompanied by decoy files. In all cases, Saint Bot was ultimately used to drop stealers.
Like many other droppers, Saint Bot includes a number of obfuscation and anti-analysis features designed to help it evade malware detection tools. It is built to detect virtual machines and, in some cases, to detect and refuse to execute on systems located in the Commonwealth of Independent States, which includes former Soviet bloc countries such as Armenia, Azerbaijan, Russia, Ukraine, Moldova, and Uzbekistan.
Taurus, the data stealer the dropper has mainly been distributing, is likewise designed not to execute in CIS countries. Security professionals generally see such an exclusion as an indication that the malware authors are from that region.
According to Malwarebytes, although Saint Bot is not yet a prolific threat, there are indications that its authors are still developing it aggressively. The security vendor also said its research shows that an earlier version of the tool existed not long ago, and that it is seeing new campaigns emerge from different customers, a sign that the malware author is actively customizing the product.