Windows News and info 15th Anniversary 2009-2024

Windows 11 | Windows 10 Modifying => Patch Tuesday| Updates | Security | Privacy | Anti-virus => Topic started by: javajolt on April 12, 2021, 06:03:57 PM

Title: Alert — There's A New Malware Out There Snatching Users' Passwords
Post by: javajolt on April 12, 2021, 06:03:57 PM

(http://i.postimg.cc/wvTHZ5xg/password-stealers.jpg)

A previously undocumented malware downloader has been spotted in the wild in phishing attacks to deploy credential stealers and other malicious payloads.

Dubbed "Saint Bot," the malware is said to have first appeared on the scene in January 2021, with indications that it's under active development.

"Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping stealers (i.e. Taurus Stealer) or further loaders (example), yet its design allows [it] to utilize it for distributing any kind of malware," said Aleksandra "Hasherezade" Doniec, a threat intelligence analyst at Malwarebytes.

"Furthermore, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance."

The infection chain analyzed by the cybersecurity firm begins with a phishing email containing an embedded ZIP file ("bitcoin.zip") that claims to be a bitcoin wallet when, in fact, it's a PowerShell script under the guise of .LNK shortcut file. This PowerShell script then downloads the next stage malware, a WindowsUpdate.exe executable, which, in turn, drops a second executable (InstallUtil.exe) that takes care of downloading two more executables named def.exe and putty.exe.

(http://i.postimg.cc/x8zZ4qm9/malware-attack.jpg)

While the former is a batch script responsible for disabling Windows Defender, putty.exe contains the malicious payload that eventually connects to a command-and-control (C2) server for further exploitation.

The obfuscation present in each stage of the infection, coupled with the anti-analysis techniques adopted by the malware, allows the malware operators to exploit the devices they were installed on without attracting attention.

Besides performing "self defense checks" to verify the presence of a debugger or a virtual environment, Saint Bot is designed to not execute in Romania and select countries within the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.

The list of commands supported by the malware include —

   • downloading and executing other payloads retrieved from the C2 server

   • updating the bot malware, and

   • uninstalling itself from the compromised machine

While these capabilities may seem very small, the fact that Saint Bot serves as a downloader for other malware makes it dangerous enough.