A new malware downloader has been discovered by researchers that are using phishing attacks to advance credential infiltrators and other malicious payload malware.
The new malware downloader is named “Saint Bot” and has apparently been in the works since January 2021.
This also speculated the fact that it is under progressive development by the threat actor or actors.
Experts analyzing the downloader malware have stated that it has shown up quite recently and is gradually gaining traction.
Cases of the Saint Bot dropping stealers like the Taurus Stealer or advanced loaders have come forth that confirm its basic architecture to distribute various types of malware additionally.
Researchers are also of the opinion that the Saint Bot downloader utilizes a broad spectrum of measures and countermeasures that direct towards common but sophisticated levels.
Also read,
This further drives that the threat actor or actors initiating the malware may have an initial experience of malware deployment.
Infection chain of the “Saint Bot” downloader:
Detailing the malware downloader, the infection chain is initiated via a phishing email that carries an embedded ZIP file claiming to be a bitcoin wallet.
This “bitcoin wallet” is actually a PowerShell script that appears as a .LNK shortcut file.
The malicious Powershell script initiates the further downloading of next stage malware which is a WindowsUpdate.exe executable.
The executable subsequently downloads a second executable (InstallUtil.exe) that takes care of downloading two more executables named def.exe and putty.exe.
Mal-Abilities of the malware:
While the former is a batch script responsible for disabling Windows Defender, putty.exe contains the malicious payload that eventually connects to a command-and-control (C2) server for further exploitation.
Another singular ability of the malware is that it can mask its presence in each stage of the infection chain that facilitates the exploitation of infected devices unbeknownst to the user.
Other abilities of the downloader include downloading and executing other payloads retrieved from the C2 server, updating the bot malware, and uninstalling itself from the infected device.
In a peculiar occurrence, it has also come forth that the malicious payloads are transmitted from a file hosted on Discord.
This has seemed to be an active trend mong threat actors who are exploiting authentic functionalities of platforms like Discord for malicious activities like evading security, C2 transmissions, and delivering malware.
Experts have noted that the malware capabilities of the Saint Bot may appear as common and limited, however, this very fact makes it even more hazardous.
The malware downloader poses a very severe cybersecurity threat that deploys further critical malware.
