Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Saint Bear initial loaders also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that, on execution, downloads and executes OutSteel and Saint Bot.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Saint Bear has leveraged vulnerabilities in client applications, such as CVE-2017-11882 in Microsoft Office, to enable code execution in victim environments.[1] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Saint Bear gathered victim email information in advance of phishing operations for targeted attacks.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Saint Bear modifies registry entries and scheduled task objects associated with Windows Defender to disable its functionality.[1] |
| Enterprise | T1656 | Impersonation | Saint Bear has impersonated government and related entities, both in phishing activity and by developing web sites with malicious links that mimic legitimate resources.[2] |
| Enterprise | T1112 | Modify Registry | Saint Bear leverages malicious Windows batch scripts to modify registry values associated with Windows Defender functionality.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Saint Bear clones .NET assemblies from other .NET binaries and clones code signing certificates from other software to obfuscate the initial loader payload.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Saint Bear initial payloads included encoded follow-on payloads located in the resources section of the first-stage loader.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, and PDF documents, as phishing attachments for initial access.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Saint Bear has used the Discord content delivery network to host malicious content referenced in links and emails.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Saint Bear has used an initial loader featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH."[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution.[1][2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Saint Bear relies on user interaction with, and execution of, malicious attachments and similar files for initial execution on victim systems.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Saint Bear malware contains several anti-analysis and anti-virtualization checks.[1] |
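The table above describes a chain that is visible in endpoint telemetry: an Office document spawns a script host (T1204.002, T1059), a batch file flips Windows Defender registry values (T1112, T1562.001), and Defender scheduled tasks are disabled (T1562.001). The following Python is an added example, not code from the cited reports or from Saint Bear tooling, showing how a detection engineer might express those three behaviours as rules over Sysmon-style events. The event records, the Defender policy value names, the scheduled task name, and the process parents are constructed for the example (they are well-known Windows locations, but the page itself names none of them), and the field names follow Sysmon Event ID 1 (process create) and 13 (registry value set).

```python
"""Toy detections for the Saint Bear defence-evasion chain over Sysmon-like events.

Added example; event shapes and registry/task names are assumptions, not
indicators taken from the cited reports.
"""
import re

# Windows Defender policy values whose DWORD 1 turns a protection off.
DEFENDER_DISABLE_VALUES = {
    v.lower() for v in (
        "DisableAntiSpyware", "DisableRealtimeMonitoring",
        "DisableBehaviorMonitoring", "DisableOnAccessProtection",
        "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
    )
}
DEFENDER_KEY_RE = re.compile(r"\\Windows Defender\\", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def check_registry_set(ev):
    """Sysmon Event ID 13: a Defender protection switch written as DWORD 1."""
    target = ev.get("TargetObject", "")
    if not DEFENDER_KEY_RE.search(target):
        return None
    if basename(target) not in DEFENDER_DISABLE_VALUES:
        return None
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; only the enable->disable
    # transition is interesting, a write of 0 re-enables the feature.
    if ev.get("Details", "").upper() in {"DWORD (0X00000001)", "1"}:
        return "T1112/T1562.001 Defender protection disabled via registry"
    return None


def check_process_create(ev):
    """Sysmon Event ID 1: Defender task tampering or an Office-spawned script host."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if image == "schtasks.exe" and "/change" in cmd and "/disable" in cmd \
            and "windows defender" in cmd:
        return "T1562.001 Defender scheduled task disabled via schtasks"
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        return "T1204.002/T1059 script host spawned by Office application"
    return None


def scan(events):
    """Return (RecordID, description) for every event a rule fires on."""
    alerts = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 13:
            hit = check_registry_set(ev)
        elif ev.get("EventID") == 1:
            hit = check_process_create(ev)
        if hit:
            alerts.append((ev["RecordID"], hit))
    return alerts


# Constructed sample telemetry: a malicious Office document chain (records 1-5)
# plus one benign PowerShell launch from Explorer (record 6).
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage.js"'},
    {"RecordID": 2, "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\disable.bat"'},
    {"RecordID": 3, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 4, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"RecordID": 5, "EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"RecordID": 6, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for record_id, description in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {description}")
```

Record 2 (cmd.exe launched by wscript.exe) deliberately does not fire on its own: the script-host rule keys on the Office parent, and the batch file's effect is caught by the registry and schtasks rules that follow. In a real pipeline the three hits would be stitched together by process GUID into one incident rather than reported as separate alerts.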