
S0589 Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise. [1]

ID: S0589
Associated Names: (none)
Version: 1.1
Created: 12 March 2021
Last Modified: 27 March 2023

Techniques Used

Domain | ID | Name | Use
enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sibot communicated with its C2 server via HTTP GET requests. [1]
enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sibot executes commands using VBScript. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Sibot can decrypt data received from a C2 and save it to a file. [1]
enterprise | T1070 | Indicator Removal | Sibot will delete an associated registry key if a certain server response is received. [1]
enterprise | T1070.004 | Indicator Removal: File Deletion | Sibot will delete itself if a certain server response is received. [1]
enterprise | T1105 | Ingress Tool Transfer | Sibot can download and execute a payload onto a compromised system. [1]
enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension. [1]
enterprise | T1112 | Modify Registry | Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot key. [1]
enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Sibot has obfuscated scripts used in execution. [1]
enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key. [1]
enterprise | T1012 | Query Registry | Sibot has queried the registry for proxy server information. [1]
enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Sibot has been executed via a scheduled task. [1]
enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Sibot has been executed via the MSHTA application. [1]
enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Sibot has executed downloaded DLLs with rundll32.exe. [1]
enterprise | T1016 | System Network Configuration Discovery | Sibot checked if the compromised system is configured to use proxies. [1]
enterprise | T1049 | System Network Connections Discovery | Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine. [1]
enterprise | T1102 | Web Service | Sibot has used a legitimate compromised website to download DLLs to the victim's machine. [1]
enterprise | T1047 | Windows Management Instrumentation | Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL. [1]

Groups That Use This Software

ID | Name | References
G0016 | APT29 | [1] [2] [3] [4] [6] [7] [5]