Saint Bot

Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]

ID: S1018
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 09 June 2022
Last Modified: 08 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Saint Bot can collect files and information from a compromised host.[1]

Enterprise T1036 Masquerading

Saint Bot has renamed malicious binaries as wallpaper.mp4 and slideshow.mp4 to avoid detection.[1][2]

.005 Match Legitimate Name or Location

Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[1]

Enterprise T1574 Hijack Execution Flow

If the malicious file slideshow.mp4 is present, Saint Bot uses it to load the core API provided by ntdll.dll, so that its calls never pass through the hooks that endpoint detection and response or antimalware software has placed on the original ntdll.dll.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Saint Bot can deobfuscate strings and files for execution.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.[1][2]
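The masquerading and persistence entries above describe one pattern: a binary renamed to a media extension (wallpaper.mp4, slideshow.mp4), started from the Run key or the Startup folder, or loaded as a module in place of a system DLL. The following triage script is an added example, not code from the Saint Bot reporting or from MITRE. The Sysmon Event 7 field names (Image, ImageLoaded, OriginalFileName) are real; every path, entry name and record below is constructed, and the loader list, extension list and user-writable-path pattern are starting-point assumptions to tune for your environment.

```python
"""Autostart and image-load triage for payloads renamed to media extensions.

Added example: not Saint Bot code and not from the MITRE page. Inputs are
constructed; on a live host you would feed it Run-key values, Startup
folder listings and Sysmon Event 7 (ImageLoad) records.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass

# Extensions that normally appear in autostart locations (assumed baseline).
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd", ".vbs", ".js",
                   ".ps1", ".scr", ".msi", ".lnk"}
# System binaries that load or run a file whatever its extension says.
LOADERS = {"regsvr32.exe", "rundll32.exe", "installutil.exe", "mshta.exe",
           "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


@dataclass
class AutostartEntry:
    source: str    # "Run" (registry value data) or "StartupFolder" (file path)
    name: str
    command: str


def split_cmdline(cmd):
    """Split a Windows command line; posix=False leaves backslashes alone."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def triage_autostart(entry):
    """Return (severity, reason) findings for one autostart entry."""
    findings = []
    tokens = split_cmdline(entry.command) if entry.source == "Run" else [entry.command]
    image = ntpath.basename(tokens[0]).lower()
    # For a proxy loader the payload is its first path-like argument;
    # otherwise the started image is the payload.
    candidates = tokens[1:] if image in LOADERS else tokens[:1]
    payload = next((t for t in candidates if "\\" in t), tokens[0])
    ext = ntpath.splitext(payload)[1].lower()
    if ext and ext not in EXECUTABLE_EXTS:
        findings.append(("high", f"non-executable extension {ext} as autostart payload"))
    if image in LOADERS:
        findings.append(("high", f"{image} proxies execution of {ntpath.basename(payload)}"))
    if USER_WRITABLE.match(payload):
        findings.append(("low", "payload lives in a user-writable directory"))
    return findings


def triage_image_load(ev):
    """ev carries Sysmon Event 7 fields: Image, ImageLoaded, OriginalFileName."""
    findings = []
    loaded = ev["ImageLoaded"]
    on_disk = ntpath.basename(loaded).lower()
    original = ev.get("OriginalFileName", "-").lower()
    if ntpath.splitext(on_disk)[1] not in EXECUTABLE_EXTS:
        findings.append(("high", f"module loaded from non-executable name {on_disk}"))
    # The PE version resource survives a rename, so a mismatch exposes the masquerade.
    if original not in ("-", "", on_disk):
        findings.append(("high", f"{on_disk} carries OriginalFileName {original}"))
    if USER_WRITABLE.match(loaded):
        findings.append(("low", "module loaded from a user-writable directory"))
    return findings


def verdict(findings):
    if any(sev == "high" for sev, _ in findings):
        return "suspicious"
    return "review" if findings else "clean"


AUTOSTART = [  # constructed entries
    AutostartEntry("Run", "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry("Run", "Updater",
                   r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\slideshow.mp4"'),
    AutostartEntry("StartupFolder", "wallpaper.mp4",
                   r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wallpaper.mp4"),
    AutostartEntry("Run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]
IMAGE_LOADS = [  # constructed Sysmon Event 7 records
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "OriginalFileName": "ntdll.dll"},
    {"Image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\slideshow.mp4", "OriginalFileName": "ntdll.dll"},
]


def run():
    """Verdict per constructed record, keyed by entry name or loaded file name."""
    results = {e.name: verdict(triage_autostart(e)) for e in AUTOSTART}
    for ev in IMAGE_LOADS:
        results[ntpath.basename(ev["ImageLoaded"])] = verdict(triage_image_load(ev))
    return results


if __name__ == "__main__":
    for name, v in run().items():
        print(f"{v:10} {name}")
```

The user-writable-path finding alone only yields "review" (legitimate per-user software such as OneDrive lives under AppData); it is the media extension, the proxy loader, or the OriginalFileName mismatch that turns an entry "suspicious". The mismatch check is the one a rename cannot defeat without also editing the version resource.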

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Saint Bot has used PowerShell for execution.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

Saint Bot has used cmd.exe and .bat scripts for execution.[2]

.005 Command and Scripting Interpreter: Visual Basic

Saint Bot has used .vbs scripts for execution.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Saint Bot has used HTTP for C2 communications.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Saint Bot has used Base64 to encode its C2 communications.[1]

Enterprise T1083 File and Directory Discovery

Saint Bot can search a compromised host for specific files.[2]

Enterprise T1106 Native API

Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[1][2]

Enterprise T1012 Query Registry

Saint Bot has used check_registry_keys as part of its environmental checks.[1]

Enterprise T1027 Obfuscated Files or Information

Saint Bot has been obfuscated to help avoid detection.[2]

.002 Software Packing

Saint Bot has been packed using a dark market crypter.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Saint Bot has attempted to bypass UAC using fodhelper.exe to escalate privileges.[2]

Enterprise T1204 .001 User Execution: Malicious Link

Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[2]

.002 User Execution: Malicious File

Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.[2]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Saint Bot has used InstallUtil.exe to download and deploy executables.[1]

.010 System Binary Proxy Execution: Regsvr32

Saint Bot has used regsvr32 to execute scripts.[1][2]

Enterprise T1614 System Location Discovery

Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[1][2]

Enterprise T1082 System Information Discovery

Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[1]

Enterprise T1033 System Owner/User Discovery

Saint Bot can collect the username from a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

Saint Bot can collect the IP address of a victim machine.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Saint Bot has run several virtual machine and sandbox checks, including checking if Sbiedll.dll is present in a list of loaded modules, comparing the machine name to HAL9TH and the user name to JohnDoe, and checking the BIOS version for known virtual machine identifiers.[2]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

Saint Bot has used the command timeout 20 to pause the execution of its initial loader.[2]

Enterprise T1622 Debugger Evasion

Saint Bot has used is_debugger_present as part of its environmental checks.[1]
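The locale check, the system checks, the time delay, the debugger check and the del.bat cleanup above form one gate: if any check trips, the sample removes itself instead of running. A sandbox operator wants to know in advance whether a given analysis host trips it. The script below is an added example, not Saint Bot code and not from the MITRE page: evaluate() applies the described checks to a host snapshot, and collect_windows_snapshot() builds such a snapshot on a live Windows machine. The VM marker strings and the mapping from Windows LCIDs to the six listed countries are assumptions (the page names the countries and the artifacts, not the API calls or identifier lists the sample uses), and the snapshots are constructed.

```python
"""Sandbox self-audit against the environment checks described above.

Added example: not Saint Bot code and not from the MITRE page. evaluate()
reports which of the described checks a host snapshot would trip: the
SbieDll.dll module, the HAL9TH / JohnDoe names, VM strings in the BIOS
data, an attached debugger, and a locale in the excluded countries. The VM
marker list and the LCID-to-country mapping are assumptions. Snapshots
are constructed; collect_windows_snapshot() runs on Windows only.
"""
import os

EXCLUDED_LCIDS = {  # assumed mapping from Windows LCIDs to the listed countries
    0x0419: "Russia (ru-RU)", 0x0422: "Ukraine (uk-UA)", 0x0423: "Belarus (be-BY)",
    0x042B: "Armenia (hy-AM)", 0x043F: "Kazakhstan (kk-KZ)",
    0x0818: "Moldova (ro-MD)", 0x0819: "Moldova (ru-MD)",
}
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "xen", "bochs")  # assumed
SANDBOX_MACHINE_NAMES = {"hal9th"}
SANDBOX_USER_NAMES = {"johndoe"}


def evaluate(snap):
    """Return the checks this snapshot trips. Empty means the sample would
    continue; per the page, any hit makes it run del.bat and clean up."""
    tripped = []
    if "sbiedll.dll" in {m.lower() for m in snap.get("loaded_modules", [])}:
        tripped.append("Sandboxie: SbieDll.dll is loaded")
    if snap.get("machine_name", "").lower() in SANDBOX_MACHINE_NAMES:
        tripped.append(f"machine name {snap['machine_name']} is a known sandbox name")
    if snap.get("user_name", "").lower() in SANDBOX_USER_NAMES:
        tripped.append(f"user name {snap['user_name']} is a known sandbox name")
    bios = " ".join(snap.get("bios_strings", [])).lower()
    hits = [m for m in VM_MARKERS if m in bios]
    if hits:
        tripped.append(f"BIOS strings mention {', '.join(hits)}")
    if snap.get("debugger_present"):
        tripped.append("a debugger is attached")
    lcid = snap.get("lcid")
    if lcid in EXCLUDED_LCIDS:
        tripped.append(f"locale {EXCLUDED_LCIDS[lcid]} is excluded")
    return tripped


def collect_windows_snapshot():
    """Live collection; uses winreg and kernel32, so Windows only."""
    import ctypes
    import winreg
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p   # HMODULE is pointer-sized
    bios = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System\BIOS") as key:
        for value in ("BIOSVersion", "SystemManufacturer", "SystemProductName"):
            try:
                bios.append(str(winreg.QueryValueEx(key, value)[0]))
            except OSError:
                pass
    return {
        # GetModuleHandleW answers the question the sample asks of its own module list.
        "loaded_modules": ["SbieDll.dll"] if k32.GetModuleHandleW("SbieDll.dll") else [],
        "machine_name": os.environ.get("COMPUTERNAME", ""),
        "user_name": os.environ.get("USERNAME", ""),
        "bios_strings": bios,
        "debugger_present": bool(k32.IsDebuggerPresent()),
        "lcid": k32.GetUserDefaultLCID(),
    }


SNAPSHOTS = {  # constructed
    "default sandbox": {
        "loaded_modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
        "machine_name": "HAL9TH", "user_name": "JohnDoe",
        "bios_strings": ["VBOX - 1", "innotek GmbH", "VirtualBox"],
        "debugger_present": False, "lcid": 0x0409,
    },
    "hardened sandbox": {
        "loaded_modules": ["ntdll.dll", "kernel32.dll"],
        "machine_name": "DESKTOP-7K3M2QA", "user_name": "mwatson",
        "bios_strings": ["1.14.0", "Dell Inc.", "OptiPlex 7080"],
        "debugger_present": False, "lcid": 0x0409,
    },
    "excluded locale": {
        "loaded_modules": ["ntdll.dll"], "machine_name": "WS-0142", "user_name": "ivan",
        "bios_strings": ["F.23", "HP", "EliteBook"], "debugger_present": False, "lcid": 0x0419,
    },
}


if __name__ == "__main__":
    targets = {"this host": collect_windows_snapshot()} if os.name == "nt" else SNAPSHOTS
    for label, snap in targets.items():
        print(f"{label}: {evaluate(snap) or 'no check trips'}")
```

The "hardened sandbox" snapshot is what you are aiming for: a realistic machine and user name, vendor strings that do not name the hypervisor, no Sandboxie module in the sample's process, and a non-excluded locale. The timeout 20 delay in the loader is not modelled here; it only means the analysis run has to outlast it.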

Enterprise T1105 Ingress Tool Transfer

Saint Bot can download additional files onto a compromised host.[2]

Enterprise T1057 Process Discovery

Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Saint Bot has injected its DLL component into EhStorAuthn.exe.[1]

.004 Process Injection: Asynchronous Procedure Call

Saint Bot has written its payload into a newly-created EhStorAuthn.exe process using ZwWriteVirtualMemory and executed it using NtQueueApcThread and ZwAlertResumeThread.[1]

.012 Process Injection: Process Hollowing

The Saint Bot loader has used API calls to spawn MSBuild.exe in a suspended state before injecting the decrypted Saint Bot binary into it.[2]
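Both injection targets above, EhStorAuthn.exe (APC injection into a freshly created process) and MSBuild.exe (hollowing of a suspended process), leave the same trace: a system binary started by an unusual parent with no arguments, and a handle to it that carries write and thread-control rights. The scorer below is an added example, not Saint Bot code and not from the MITRE page. It uses real Sysmon Event 1 and Event 10 field names and the winnt.h access-right values; the expected-parent baseline is an assumption to replace with your own fleet data, and all events are constructed.

```python
"""Scoring hollowing / APC-injection targets from Sysmon-style events.

Added example: not Saint Bot code and not from the MITRE page. It scores
ProcessCreate (Event 1) and ProcessAccess (Event 10) records for the two
targets named above, MSBuild.exe and EhStorAuthn.exe. The expected-parent
baseline is an assumption for illustration. All events are constructed.
"""
import ntpath
import re
import shlex
from collections import defaultdict

# Process access rights from winnt.h that an injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
CONTROL_MASK = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME

# Assumed baseline of legitimate parents; derive yours from your own telemetry.
EXPECTED_PARENTS = {
    "msbuild.exe": {"devenv.exe", "msbuild.exe", "dotnet.exe"},
    "ehstorauthn.exe": {"svchost.exe"},
}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def score_create(ev):
    """Event 1: who started the target and with what arguments."""
    image = ntpath.basename(ev["Image"]).lower()
    if image not in EXPECTED_PARENTS:
        return 0, []
    parent = ntpath.basename(ev["ParentImage"]).lower()
    score, why = 0, []
    if parent not in EXPECTED_PARENTS[image]:
        score, why = score + 2, why + [f"unexpected parent {parent}"]
    if USER_WRITABLE.match(ev["ParentImage"]):
        score, why = score + 1, why + ["parent runs from a user-writable path"]
    # A hollowing loader starts the bare image; a real build passes a project file.
    if len(shlex.split(ev["CommandLine"], posix=False)) == 1:
        score, why = score + 1, why + ["started without arguments"]
    return score, why


def score_access(ev):
    """Event 10: a handle with write (and thread-control) rights on the target."""
    target = ntpath.basename(ev["TargetImage"]).lower()
    if target not in EXPECTED_PARENTS:
        return 0, []
    granted = int(ev["GrantedAccess"], 16)
    score, why = 0, []
    if granted & WRITE_MASK == WRITE_MASK:
        score, why = 2, [f"{ntpath.basename(ev['SourceImage'])} holds VM_OPERATION|VM_WRITE"]
        if granted & CONTROL_MASK:
            score, why = score + 1, why + ["plus CREATE_THREAD/SUSPEND_RESUME"]
    return score, why


def correlate(events, threshold=3):
    """Aggregate scores per target PID; return the PIDs at or above threshold."""
    per_pid = defaultdict(lambda: {"image": None, "score": 0, "why": []})
    for ev in events:
        if ev["EventID"] == 1:
            pid, image, (s, why) = ev["ProcessId"], ev["Image"], score_create(ev)
        elif ev["EventID"] == 10:
            pid, image, (s, why) = ev["TargetProcessId"], ev["TargetImage"], score_access(ev)
        else:
            continue
        rec = per_pid[pid]
        rec["image"] = ntpath.basename(image)
        rec["score"] += s
        rec["why"] += why
    return {pid: rec for pid, rec in per_pid.items() if rec["score"] >= threshold}


EVENTS = [  # constructed
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 10, "TargetProcessId": 4120,
     "SourceImage": r"C:\Users\alice\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 5004,
     "Image": r"C:\Windows\System32\EhStorAuthn.exe",
     "CommandLine": r"C:\Windows\System32\EhStorAuthn.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 10, "TargetProcessId": 5004,
     "SourceImage": r"C:\Users\alice\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Windows\System32\EhStorAuthn.exe",
     "GrantedAccess": "0x143A"},
    # Benign: Visual Studio driving a build, and an AV engine reading the process.
    {"EventID": 1, "ProcessId": 6000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.sln" /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 10, "TargetProcessId": 6000,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "GrantedAccess": "0x1410"},
]


if __name__ == "__main__":
    for pid, rec in correlate(EVENTS).items():
        print(pid, rec["image"], rec["score"], "; ".join(rec["why"]))
```

GrantedAccess is the field worth keying on: 0x1FFFFF is what the creator of a suspended process holds, and 0x143A is the minimum an injector that writes memory and queues a thread or APC needs, while a scanner reading the process (0x1410) never carries VM_WRITE. Sysmon does not record the CREATE_SUSPENDED flag, which is why the bare command line and the parent are used as the process-creation side of the signal.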

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Saint Bot has been distributed as malicious attachments within spearphishing emails.[1][2]

.002 Phishing: Spearphishing Link

Saint Bot has been distributed through malicious links contained within spearphishing emails.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Saint Bot has created a scheduled task named "Maintenance" to establish persistence.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear has used Saint Bot during operations, but is distinct from the threat actor Saint Bear.[3]

G1031 Saint Bear

Saint Bot is closely correlated with Saint Bear operations as a common post-exploitation toolset.[2]

References