Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Connect Directly

New Malware Downloader Spotted in Targeted Campaigns

Saint Bot is being used to drop stealers on compromised systems but could be used to deliver any malware.

A relatively sophisticated new malware downloader has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum.

Researchers at Malwarebytes recently spotted the Saint Bot dropper, as they have named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, it is likely that the new loader is being used by a few different threat actors, so there are likely other victims.

Related Content:

Malware Operator Employs New Trick to Upload Its Dropper into Google Play

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool that is designed to steal passwords, browser history, cookies, and data in auto-fill forms. The Taurus stealer is also equipped to steal commonly used FTP and email client credentials and system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system.

Malware droppers are specialized tools designed specially to install different malware on victim systems. They typically are distributed via spam and phishing emails, hidden on malicious websites, in infected apps, and often as part of a broader infection chain. Most have features for evading detection, disabling security tools on an infected system, connecting with command-and-control servers, and executing malicious commands.

One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that specific instance, the dropper was custom designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a wide variety of secondary and tertiary commodity payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of most widely used droppers in recent times such as Emotet, Trickbot, and Dridex started off as banking Trojans first before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals.

Researchers at Malwarebytes spotted Saint Bot while investigating a phishing email containing a zip file with malware they hadn't seen before. The zip file contained an obfuscated PowerShell script that masqueraded as a link to a Bitcoin wallet. The script initiated a chain of infections that eventually resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain," a spokesman from Malwarebytes' threat intelligence team says. "In particular, we observed malicious documents laced with exploits often accompanied by decoy files," he notes. In all instances, Saint Bot was eventually used to drop stealers.

Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect — and not to execute — on systems located in specific Commonwealth of Independent States, which include former Soviet bloc countries, such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova. Taurus, the information stealer that the dropper has been primarily distributing to is designed not to execute in CIS nations. Security researchers often see such exclusion as a sign that the malware authors are from that region.

According to Malwarebytes, though Saint Bot is not a prolific threat yet, there are signs that the authors behind the malware tool are still actively developing it. The security vendor says that its investigation of the Saint Bot shows that a previous version of the tool existed not long ago. "Additionally, we are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," the Malwarebytes spokesman said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include ...
PUBLISHED: 2021-10-22
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
PUBLISHED: 2021-10-22
Aplioxio PDF ShapingUp contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
PUBLISHED: 2021-10-22
Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
PUBLISHED: 2021-10-22
Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.