Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
10:30 AM
Connect Directly

New Malware Downloader Spotted in Targeted Campaigns

Saint Bot is being used to drop stealers on compromised systems but could be used to deliver any malware.

A relatively sophisticated new malware downloader has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum.

Researchers at Malwarebytes recently spotted the Saint Bot dropper, as they have named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, it is likely that the new loader is being used by a few different threat actors, so there are likely other victims.

Related Content:

Malware Operator Employs New Trick to Upload Its Dropper into Google Play

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool that is designed to steal passwords, browser history, cookies, and data in auto-fill forms. The Taurus stealer is also equipped to steal commonly used FTP and email client credentials and system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system.

Malware droppers are specialized tools designed specially to install different malware on victim systems. They typically are distributed via spam and phishing emails, hidden on malicious websites, in infected apps, and often as part of a broader infection chain. Most have features for evading detection, disabling security tools on an infected system, connecting with command-and-control servers, and executing malicious commands.

One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that specific instance, the dropper was custom designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a wide variety of secondary and tertiary commodity payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of most widely used droppers in recent times such as Emotet, Trickbot, and Dridex started off as banking Trojans first before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals.

Researchers at Malwarebytes spotted Saint Bot while investigating a phishing email containing a zip file with malware they hadn't seen before. The zip file contained an obfuscated PowerShell script that masqueraded as a link to a Bitcoin wallet. The script initiated a chain of infections that eventually resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain," a spokesman from Malwarebytes' threat intelligence team says. "In particular, we observed malicious documents laced with exploits often accompanied by decoy files," he notes. In all instances, Saint Bot was eventually used to drop stealers.

Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect — and not to execute — on systems located in specific Commonwealth of Independent States, which include former Soviet bloc countries, such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova. Taurus, the information stealer that the dropper has been primarily distributing to is designed not to execute in CIS nations. Security researchers often see such exclusion as a sign that the malware authors are from that region.

According to Malwarebytes, though Saint Bot is not a prolific threat yet, there are signs that the authors behind the malware tool are still actively developing it. The security vendor says that its investigation of the Saint Bot shows that a previous version of the tool existed not long ago. "Additionally, we are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," the Malwarebytes spokesman said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-09-26
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8.
PUBLISHED: 2022-09-26
Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_expense.php.
PUBLISHED: 2022-09-26
Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_expense_category.php.
PUBLISHED: 2022-09-26
Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_currency.php.
PUBLISHED: 2022-09-26
ZFile v4.1.1 was discovered to contain an arbitrary file upload vulnerability via the component /file/upload/1.