
G1031 Saint Bear

Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. [2][1] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

ID: G1031
Associated Names: Storm-0587, TA471, UAC-0056, Lorec53
Version: 1.0
Created: 25 May 2024
Last Modified: 12 August 2024

Associated Group Descriptions

Name Description
Storm-0587 [1]
TA471 [2]
UAC-0056 [2]
Lorec53 [2]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.006 Web Services Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations. [2]
enterprise T1059 Command and Scripting Interpreter Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines. [2]
enterprise T1059.001 PowerShell Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads. [2]
enterprise T1059.003 Windows Command Shell Saint Bear initial loaders also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality. [2]
enterprise T1059.007 JavaScript Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that, on execution, downloads and executes OutSteel and Saint Bot. [2]
enterprise T1203 Exploitation for Client Execution Saint Bear has leveraged vulnerabilities in client applications, such as CVE-2017-11882 in Microsoft Office, to enable code execution in victim environments. [2]
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Saint Bear gathered victim email information in advance of phishing operations for targeted attacks. [2]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Saint Bear modifies registry entries and scheduled task objects associated with Windows Defender to disable its functionality. [2]
enterprise T1656 Impersonation Saint Bear has impersonated government and related entities both in phishing activity and in developing websites with malicious links that mimic legitimate resources. [1]
enterprise T1112 Modify Registry Saint Bear leverages malicious Windows batch scripts to modify registry values associated with Windows Defender functionality. [2]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Saint Bear clones .NET assemblies from other .NET binaries, and clones code signing certificates from other software, to obfuscate the initial loader payload. [2]
enterprise T1027.013 Encrypted/Encoded File Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader. [2]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, and other items, as phishing attachments for initial access. [2]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Saint Bear has used the Discord content delivery network for hosting malicious content referenced in links and emails. [2]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Saint Bear has used an initial loader malware featuring a legitimate code signing certificate associated with “Electrum Technologies GmbH.” [2]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution. [2][1]
enterprise T1204.002 Malicious File Saint Bear relies on user interaction with, and execution of, malicious attachments and similar files for initial execution on victim systems. [2]
enterprise T1497 Virtualization/Sandbox Evasion Saint Bear contains several anti-analysis and anti-virtualization checks. [2]

Software

ID Name References Techniques
S1017 OutSteel OutSteel is uniquely associated with Saint Bear as a post-exploitation document collection and exfiltration tool. [2] Web Protocols: Application Layer Protocol; Automated Collection; Automated Exfiltration; Windows Command Shell: Command and Scripting Interpreter; AutoHotKey & AutoIT: Command and Scripting Interpreter; Data from Local System; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion: Indicator Removal; Ingress Tool Transfer; Lateral Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Spearphishing Link: Phishing; Spearphishing Attachment: Phishing; Process Discovery; Malicious Link: User Execution; Malicious File: User Execution
S1018 Saint Bot Saint Bot is closely correlated with Saint Bear operations as a common post-exploitation toolset. [2] Bypass User Account Control: Abuse Elevation Control Mechanism; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Data from Local System; Debugger Evasion; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hijack Execution Flow; File Deletion: Indicator Removal; Ingress Tool Transfer; Masquerading; Match Legitimate Resource Name or Location: Masquerading; Native API; Obfuscated Files or Information; Software Packing: Obfuscated Files or Information; Spearphishing Link: Phishing; Spearphishing Attachment: Phishing; Process Discovery; Dynamic-link Library Injection: Process Injection; Asynchronous Procedure Call: Process Injection; Process Hollowing: Process Injection; Query Registry; Scheduled Task: Scheduled Task/Job; Regsvr32: System Binary Proxy Execution; InstallUtil: System Binary Proxy Execution; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Malicious File: User Execution; Malicious Link: User Execution; Time Based Checks: Virtualization/Sandbox Evasion; System Checks: Virtualization/Sandbox Evasion

References