S1018 Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.[1][2]
| Item | Value |
|---|---|
| ID | S1018 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 09 June 2022 |
| Last Modified | 08 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Saint Bot has attempted to bypass UAC using fodhelper.exe to escalate privileges.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Saint Bot has used HTTP for C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Saint Bot has used PowerShell for execution.[2] |
| enterprise | T1059.003 | Windows Command Shell | Saint Bot has used cmd.exe and .bat scripts for execution.[2] |
| enterprise | T1059.005 | Visual Basic | Saint Bot has used .vbs scripts for execution.[2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Saint Bot has used Base64 to encode its C2 communications.[1] |
| enterprise | T1005 | Data from Local System | Saint Bot can collect files and information from a compromised host.[1] |
| enterprise | T1622 | Debugger Evasion | Saint Bot has used is_debugger_present as part of its environmental checks.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Saint Bot can deobfuscate strings and files for execution.[1] |
| enterprise | T1083 | File and Directory Discovery | Saint Bot can search a compromised host for specific files.[2] |
| enterprise | T1574 | Hijack Execution Flow | Saint Bot will use the malicious file slideshow.mp4, if present, to load the core API provided by ntdll.dll, avoiding any hooks placed on calls to the original ntdll.dll file by endpoint detection and response or antimalware software.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Saint Bot can download additional files onto a compromised host.[2] |
| enterprise | T1036 | Masquerading | Saint Bot has renamed malicious binaries as wallpaper.mp4 and slideshow.mp4 to avoid detection.[1][2] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[1] |
| enterprise | T1106 | Native API | Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | Saint Bot has been obfuscated to help avoid detection.[2] |
| enterprise | T1027.002 | Software Packing | Saint Bot has been packed using a dark market crypter.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Saint Bot has been distributed as malicious attachments within spearphishing emails.[1][2] |
| enterprise | T1566.002 | Spearphishing Link | Saint Bot has been distributed through malicious links contained within spearphishing emails.[2] |
| enterprise | T1057 | Process Discovery | Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Saint Bot has injected its DLL component into EhStorAuthn.exe.[1] |
| enterprise | T1055.004 | Asynchronous Procedure Call | Saint Bot has written its payload into a newly-created EhStorAuthn.exe process using ZwWriteVirtualMemory and executed it using NtQueueApcThread and ZwAlertResumeThread.[1] |
| enterprise | T1055.012 | Process Hollowing | The Saint Bot loader has used API calls to spawn MSBuild.exe in a suspended state before injecting the decrypted Saint Bot binary into it.[2] |
| enterprise | T1012 | Query Registry | Saint Bot has used check_registry_keys as part of its environmental checks.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Saint Bot has created a scheduled task named "Maintenance" to establish persistence.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | Saint Bot has used InstallUtil.exe to download and deploy executables.[1] |
| enterprise | T1218.010 | Regsvr32 | Saint Bot has used regsvr32 to execute scripts.[1][2] |
| enterprise | T1082 | System Information Discovery | Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[1] |
| enterprise | T1614 | System Location Discovery | Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[1][2] |
| enterprise | T1016 | System Network Configuration Discovery | Saint Bot can collect the IP address of a victim machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Saint Bot can collect the username from a compromised host.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[2] |
| enterprise | T1204.002 | Malicious File | Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing.[1][2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Saint Bot has run several virtual machine and sandbox checks, including checking whether Sbiedll.dll is present in the list of loaded modules, comparing the machine name to HAL9TH and the user name to JohnDoe, and checking the BIOS version for known virtual machine identifiers.[2] |
| enterprise | T1497.003 | Time Based Checks | Saint Bot has used the command timeout 20 to pause the execution of its initial loader.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1003 | Ember Bear | Ember Bear has used Saint Bot during operations, but is distinct from the threat actor Saint Bear.[3] |
| G1031 | Saint Bear | Saint Bot is closely correlated with Saint Bear operations as a common post-exploitation toolset.[2] |
References
- [1] Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- [2] Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- [3] US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.