Saint Bot is a downloader that appeared recently and is slowly gaining momentum. It has been observed dropping stealers (Taurus Stealer) or additional loaders, but its design allows it to distribute any type of malware, and it employs a wide variety of techniques that, although not novel, indicate a certain level of sophistication for a family this new.

The infection chain analyzed by the cybersecurity firm begins with a phishing email carrying an attached ZIP file (“bitcoin.zip”) that claims to contain a bitcoin wallet. In fact, the archive holds a PowerShell script disguised as a .LNK shortcut file. This PowerShell script then downloads the next-stage malware, a WindowsUpdate.exe executable, which in turn drops a second executable (InstallUtil.exe) that is responsible for downloading two more executables named def.exe and putty.exe.
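The lure described above relies on a shortcut file inside a ZIP attachment. The following is an added example, not code from the original post or from the analysts it cites, showing how a mail gateway or triage script could inspect an archive for that pattern: it flags entries with executable extensions and, independently of the extension, entries whose first bytes are the Shell Link (.LNK) header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046). The archive it inspects is constructed inline and only imitates the described layout; it is not the real "bitcoin.zip".

```python
import io
import zipfile
from typing import Dict, List

# Shell Link binary format header (MS-SHLLINK): HeaderSize 0x0000004C
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# Extensions that should not arrive as "wallet backups" in mail attachments.
SUSPICIOUS_EXT = {".lnk", ".exe", ".ps1", ".scr", ".js", ".vbs", ".hta"}


def _extension(name: str) -> str:
    """Lower-cased last extension of an archive member name ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of the ZIP archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            # Only the first 20 bytes are needed to recognise a shortcut.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            if ext in SUSPICIOUS_EXT:
                reasons.append(f"executable extension {ext}")
            if head == LNK_MAGIC:
                reasons.append("Shell Link header (LNK) regardless of extension")
                if ext != ".lnk":
                    reasons.append("extension does not match LNK content")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the described lure (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A shortcut with a valid header and filler; stands in for the
        # PowerShell-launching link the post describes.
        zf.writestr("bitcoin.lnk", LNK_MAGIC + b"\x00" * 56)
        # A harmless member that must not be flagged.
        zf.writestr("readme.txt", b"Your wallet backup")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Checking the header rather than only the extension matters because Windows Explorer never shows the .lnk extension, so a member named "bitcoin.lnk" is displayed to the user simply as "bitcoin", and a shortcut renamed to another extension would otherwise slip past a name-based filter.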

This threat's purpose is to deploy additional malware on the compromised system. It is likely used as a first-stage payload that can sit idle and wait for further instructions from the command and control server. Depending on the Saint Bot configuration, it can disguise its malicious process under different names; it seems to commonly use the fake process name ‘EhStorAurhn.exe’.
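Both the infection chain (PowerShell pulling WindowsUpdate.exe, which drops InstallUtil.exe) and the disguised process name described above share one trait: executables that borrow the names of Windows components but run from user-writable locations, under a scripting-host parent. The following is an added example, not code from the original post, showing how that pattern can be checked against process-creation telemetry. The event records are constructed to imitate the described chain; the field names, the list of trusted directories and the legitimate-looking process mixed in (a real InstallUtil.exe under the .NET framework directory) are assumptions of this example.

```python
import ntpath
from typing import Dict, List

# Directories from which Windows components and installed software legitimately run.
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Names the post reports for Saint Bot's stages and its disguised process.
LOOKALIKE_NAMES = {"windowsupdate.exe", "installutil.exe", "ehstoraurhn.exe"}

# Constructed process-creation events (pid, ppid, image path); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 2, "ppid": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 3, "ppid": 2, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsUpdate.exe"},
    {"pid": 4, "ppid": 3, "image": "C:\\Users\\alice\\AppData\\Roaming\\InstallUtil.exe"},
    # Legitimate tool with a colliding name, running from the .NET directory.
    {"pid": 5, "ppid": 1, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"},
    {"pid": 6, "ppid": 1, "image": "C:\\Windows\\System32\\notepad.exe"},
]


def is_trusted_path(image: str) -> bool:
    """True if the image lives under a directory ordinary users cannot write to."""
    return image.lower().startswith(TRUSTED_DIRS)


def ancestors(events: List[Dict], pid: int) -> List[str]:
    """Lower-cased image basenames of the parents of pid, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    current = by_pid.get(pid)
    while current and current["ppid"] in by_pid and current["ppid"] not in seen:
        seen.add(current["ppid"])
        current = by_pid[current["ppid"]]
        chain.append(ntpath.basename(current["image"]).lower())
    return chain


def suspicious_processes(events: List[Dict]) -> List[int]:
    """Pids of processes outside trusted directories that either collide with a
    known component name or descend from powershell.exe."""
    flagged = []
    for e in events:
        if is_trusted_path(e["image"]):
            continue  # a real Windows component, whatever its name
        name = ntpath.basename(e["image"]).lower()
        if name in LOOKALIKE_NAMES or "powershell.exe" in ancestors(events, e["pid"]):
            flagged.append(e["pid"])
    return flagged


if __name__ == "__main__":
    for pid in suspicious_processes(SAMPLE_EVENTS):
        print("suspicious:", pid, SAMPLE_EVENTS[pid - 1]["image"])
```

The trusted-directory check is what keeps the genuine InstallUtil.exe out of the results; name collisions alone would produce false positives on any host with the .NET framework installed, while path plus parentage isolates the dropped copies.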

Cybersecurity experts note that it is able to avoid certain targets. First, it checks the default language settings of the infected system: if the locale corresponds to Russia, Ukraine, Belarus, Armenia, Kazakhstan, Romania or Moldova, it does not proceed with the attack. Like other Trojan downloaders, it also checks registry entries and system drivers for strings typical of virtual environments. In this way, threats like Saint Bot try to evade the controlled environments used for malware analysis.

Regardless of how sophisticated Saint Bot is, stopping it is not difficult: use an anti-malware software package, but remember that you can never be completely protected.



2 comments on «Saint bot – A new password stealing threat»
