S0461 SDBbot
SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[2][1]
Item | Value |
---|---|
ID | S0461 |
Associated Names | - |
Type | MALWARE |
Version | 2.1 |
Created | 01 June 2020 |
Last Modified | 18 July 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privileges.[2][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | SDBbot has the ability to use the command shell to execute commands on a compromised host.[2] |
enterprise | T1005 | Data from Local System | SDBbot has the ability to access the file system on a compromised host.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SDBbot has the ability to decrypt and decompress its payload to enable code execution.[2][1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.011 | Application Shimming | SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[2] |
enterprise | T1546.012 | Image File Execution Options Injection | SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | SDBbot has sent collected data from a compromised host to its C2 servers.[3] |
enterprise | T1083 | File and Directory Discovery | SDBbot has the ability to get directory listings or drive information on a compromised host.[2] |
enterprise | T1070 | Indicator Removal | SDBbot has the ability to clean up and remove data structures from a compromised host.[2] |
enterprise | T1070.004 | File Deletion | SDBbot has the ability to delete files from a compromised host.[2] |
enterprise | T1105 | Ingress Tool Transfer | SDBbot has the ability to download a DLL from C2 to a compromised host.[2] |
enterprise | T1095 | Non-Application Layer Protocol | SDBbot has the ability to communicate with C2 using TCP over port 443.[2] |
enterprise | T1027 | Obfuscated Files or Information | SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key.[2] |
enterprise | T1027.002 | Software Packing | SDBbot has used a packed installer file.[1] |
enterprise | T1057 | Process Discovery | SDBbot can enumerate a list of running processes on a compromised machine.[3] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[2] |
enterprise | T1090 | Proxy | SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[2] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | SDBbot has the ability to use RDP to connect to victim machines.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | SDBbot has used rundll32.exe to execute DLLs.[3] |
enterprise | T1082 | System Information Discovery | SDBbot has the ability to identify the OS version, OS bitness (32/64-bit), and computer name.[2][3] |
enterprise | T1614 | System Location Discovery | SDBbot can collect the country code of a compromised machine.[3] |
enterprise | T1016 | System Network Configuration Discovery | SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[2] |
enterprise | T1033 | System Owner/User Discovery | SDBbot has the ability to identify the user on a compromised host.[2] |
enterprise | T1125 | Video Capture | SDBbot has the ability to record video on a compromised host.[2][1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0092 | TA505 | [2][1] |
References
1. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
2. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
3. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.