S1018 Saint Bot
Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.[1][2]
Item | Value |
---|---|
ID | S1018 |
Type | MALWARE |
Version | 1.0 |
Created | 09 June 2022 |
Last Modified | 09 June 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Saint Bot has attempted to bypass UAC using fodhelper.exe to escalate privileges.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Saint Bot has used HTTP for C2 communications.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Saint Bot has used PowerShell for execution.[2] |
enterprise | T1059.003 | Windows Command Shell | Saint Bot has used cmd.exe and .bat scripts for execution.[2] |
enterprise | T1059.005 | Visual Basic | Saint Bot has used .vbs scripts for execution.[2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Saint Bot has used Base64 to encode its C2 communications.[1] |
enterprise | T1005 | Data from Local System | Saint Bot can collect files and information from a compromised host.[1] |
enterprise | T1622 | Debugger Evasion | Saint Bot has used is_debugger_present as part of its environmental checks.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Saint Bot can deobfuscate strings and files for execution.[1] |
enterprise | T1083 | File and Directory Discovery | Saint Bot can search a compromised host for specific files.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.[2] |
enterprise | T1105 | Ingress Tool Transfer | Saint Bot can download additional files onto a compromised host.[2] |
enterprise | T1036 | Masquerading | Saint Bot has renamed malicious binaries as wallpaper.mp4 and slideshow.mp4 to avoid detection.[1][2] |
enterprise | T1036.005 | Match Legitimate Name or Location | Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[1] |
enterprise | T1106 | Native API | Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | Saint Bot has been obfuscated to help avoid detection.[2] |
enterprise | T1027.002 | Software Packing | Saint Bot has been packed using a dark market crypter.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Saint Bot has been distributed as malicious attachments within spearphishing emails.[1][2] |
enterprise | T1566.002 | Spearphishing Link | Saint Bot has been distributed through malicious links contained within spearphishing emails.[2] |
enterprise | T1057 | Process Discovery | Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Saint Bot has injected its DLL component into EhStorAuthn.exe.[1] |
enterprise | T1055.004 | Asynchronous Procedure Call | Saint Bot has written its payload into a newly-created EhStorAuthn.exe process using ZwWriteVirtualMemory and executed it using NtQueueApcThread and ZwAlertResumeThread.[1] |
enterprise | T1055.012 | Process Hollowing | The Saint Bot loader has used API calls to spawn MSBuild.exe in a suspended state before injecting the decrypted Saint Bot binary into it.[2] |
enterprise | T1012 | Query Registry | Saint Bot has used check_registry_keys as part of its environmental checks.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Saint Bot has created a scheduled task named "Maintenance" to establish persistence.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.004 | InstallUtil | Saint Bot has used InstallUtil.exe to download and deploy executables.[1] |
enterprise | T1218.010 | Regsvr32 | Saint Bot has used regsvr32 to execute scripts.[1][2] |
enterprise | T1082 | System Information Discovery | Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[1] |
enterprise | T1614 | System Location Discovery | Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[1][2] |
enterprise | T1016 | System Network Configuration Discovery | Saint Bot can collect the IP address of a victim machine.[1] |
enterprise | T1033 | System Owner/User Discovery | Saint Bot can collect the username from a compromised host.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[2] |
enterprise | T1204.002 | Malicious File | Saint Bot has relied upon users to execute a malicious attachment delivered via spearphishing.[1][2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Saint Bot has run several virtual machine and sandbox checks, including checking if Sbiedll.dll is present in a list of loaded modules, comparing the machine name to HAL9TH and the user name to JohnDoe, and checking the BIOS version for known virtual machine identifiers.[2] |
enterprise | T1497.003 | Time Based Evasion | Saint Bot has used the command timeout 20 to pause the execution of its initial loader.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G1003 | Ember Bear | [2] |
References
- [1] Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- [2] Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.