A relatively sophisticated new malware downloader has surfaced in recent weeks that, though not widespread yet, appears to be gaining momentum.
Researchers at Malwarebytes recently spotted the Saint Bot dropper, as they have named it, being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia. In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, it is likely that the new loader is being used by a few different threat actors, so there are likely other victims.
One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool that is designed to steal passwords, browser history, cookies, and data in auto-fill forms. The Taurus stealer is also equipped to steal commonly used FTP and email client credentials and system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system.
Malware droppers are specialized tools designed specially to install different malware on victim systems. They typically are distributed via spam and phishing emails, hidden on malicious websites, in infected apps, and often as part of a broader infection chain. Most have features for evading detection, disabling security tools on an infected system, connecting with command-and-control servers, and executing malicious commands.
One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that specific instance, the dropper was custom designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. Typical downloaders, however, are first-stage malware tools designed to deliver a wide variety of secondary and tertiary commodity payloads, including ransomware, banking Trojans, cryptominers, and other malicious tools. Some of most widely used droppers in recent times such as Emotet, Trickbot, and Dridex started off as banking Trojans first before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals.
Researchers at Malwarebytes spotted Saint Bot while investigating a phishing email containing a zip file with malware they hadn't seen before. The zip file contained an obfuscated PowerShell script that masqueraded as a link to a Bitcoin wallet. The script initiated a chain of infections that eventually resulted in Saint Bot being dropped on the compromised system, Malwarebytes said in a report Friday.
"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain," a spokesman from Malwarebytes' threat intelligence team says. "In particular, we observed malicious documents laced with exploits often accompanied by decoy files," he notes. In all instances, Saint Bot was eventually used to drop stealers.
Like many other droppers, Saint Bot is equipped with several obfuscation and anti-analysis features designed to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect — and not to execute — on systems located in specific Commonwealth of Independent States, which include former Soviet bloc countries, such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova. Taurus, the information stealer that the dropper has been primarily distributing to is designed not to execute in CIS nations. Security researchers often see such exclusion as a sign that the malware authors are from that region.
According to Malwarebytes, though Saint Bot is not a prolific threat yet, there are signs that the authors behind the malware tool are still actively developing it. The security vendor says that its investigation of the Saint Bot shows that a previous version of the tool existed not long ago. "Additionally, we are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," the Malwarebytes spokesman said.