S0589 Sibot
Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]
Item | Value |
---|---|
ID | S0589 |
Associated Names | (none) |
Type | MALWARE |
Version | 1.1 |
Created | 12 March 2021 |
Last Modified | 27 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Sibot communicated with its C2 server via HTTP GET requests.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Sibot executes commands using VBScript.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Sibot can decrypt data received from a C2 and save it to a file.[1] |
enterprise | T1070 | Indicator Removal | Sibot will delete an associated registry key if a certain server response is received.[1] |
enterprise | T1070.004 | File Deletion | Sibot will delete itself if a certain server response is received.[1] |
enterprise | T1105 | Ingress Tool Transfer | Sibot can download and execute a payload onto a compromised system.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[1] |
enterprise | T1112 | Modify Registry | Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot key.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | Sibot has obfuscated scripts used in execution.[1] |
enterprise | T1027.011 | Fileless Storage | Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[1] |
enterprise | T1012 | Query Registry | Sibot has queried the registry for proxy server information.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Sibot has been executed via a scheduled task.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | Sibot has been executed via the MSHTA application.[1] |
enterprise | T1218.011 | Rundll32 | Sibot has executed downloaded DLLs with rundll32.exe.[1] |
enterprise | T1016 | System Network Configuration Discovery | Sibot checked if the compromised system is configured to use proxies.[1] |
enterprise | T1049 | System Network Connections Discovery | Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1] |
enterprise | T1102 | Web Service | Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1] |
enterprise | T1047 | Windows Management Instrumentation | Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1], [2], [3], [4], [6], [7], [5] |
References
1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
2. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
3. MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
4. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
5. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
6. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
7. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.