1. Home
  2. Software
  3. Sibot

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]

ID: S0589
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 12 March 2021
Last Modified: 27 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.[1]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[1]
Enterprise T1112 修改注册表

Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.[1]
Enterprise T1140 反混淆/解码文件或信息

Sibot can decrypt data received from a C2 and save to a file.[1]
Enterprise T1059 .005 命令与脚本解释器: Visual Basic

Sibot executes commands using VBScript.[1]

Enterprise T1071 .001 应用层协议: Web Protocols

Sibot communicated with its C2 server via HTTP GET requests.[1]
Enterprise T1012 查询注册表

Sibot has queried the registry for proxy server information.[1]
Enterprise T1027 .010 混淆文件或信息: Command Obfuscation

Sibot has obfuscated scripts used in execution.[1]
.011 混淆文件或信息: Fileless Storage

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[1]
Enterprise T1070 移除指标

Sibot will delete an associated registry key if a certain server response is received.[1]
.004 File Deletion

Sibot will delete itself if a certain server response is received.[1]
Enterprise T1218 .005 系统二进制代理执行: Mshta

Sibot has been executed via MSHTA application.[1]
.011 系统二进制代理执行: Rundll32

Sibot has executed downloaded DLLs with rundll32.exe.[1]
Enterprise T1049 系统网络连接发现

Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1]
Enterprise T1016 系统网络配置发现

Sibot checked if the compromised system is configured to use proxies.[1]
Enterprise T1102 网络服务

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1]
Enterprise T1105 输入工具传输

Sibot can download and execute a payload onto a compromised system.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Sibot has been executed via a scheduled task.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4][5][6][7]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References

  1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  2. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  3. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  4. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  1. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  2. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  3. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.