SDBbot

The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT.

We found that a domain admin account was compromised... Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms

On September 9 Proofpoint researchers observed tens of thousands of emails attempting to deliver Microsoft Excel attachments with English and Greek lures.

On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”.

The available commands are: 2 - Get subcommand from C&C: “cmd” - Start a cmd[.]exe shell ... “run” - Execute command via cmd[.]exe , but don’t send output to the C&C

Every time main_template.docx was opened, VBA macros were executed and a fake Microsoft Office login window (FakeL.exe) was displayed to the user while a malicious payload executed in the background.

The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed.

We found that a domain admin account was compromised... Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms

A registry value is created at “\SOFTWARE\Microsoft\<random 3 characters subkey>[random 1 character value name]” in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER depending on user privileges.

A Meterpreter reverser shell was used... it was installed as a service using the execution of an encoded PowerShell script... execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders.

If the bot is running with a regular user privilege, persistence is established using the registry “Run” method.

The DLLs were loaded to the memory space of winword.exe using LoadLibraryW API... SDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process winlogon.exe every time the process was executed.

We found that a domain admin account was compromised... Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms

A Meterpreter reverser shell was used... it was installed as a service using the execution of an encoded PowerShell script... execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders.

If the bot is running with a regular user privilege, persistence is established using the registry “Run” method.

In malware, we often see threat actors that tend to obfuscate or encrypt their code in order to slow down the analysis of security researchers... many authors tend to use open-source packers but also craft their own custom packers.

The DLLs were loaded to the memory space of winword.exe using LoadLibraryW API... SDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process winlogon.exe every time the process was executed.

15 - Write file ... 24 - Read file 25 - Create directory 26 - Delete file

We found that a domain admin account was compromised... Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

“runreflective” - Download DLL from C&C, inject it into a freshly created rundll32[.]exe, and reflectively load it

A registry value is created at “\SOFTWARE\Microsoft\<random 3 characters subkey>[random 1 character value name]” in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER depending on user privileges.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server... D - Computer name U - Username OS - Windows version PR - Pipe-delimited process list

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

“rdpwrap install” - This command enables RDP in the registry, but despite its name does not install the RDP Wrapper

The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network.

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

Agent Tesla can access the victim’s webcam and record video. AsyncRAT can record screen content on targeted systems. Bandook has modules that are capable of capturing video from a victim's webcam. ... ZxShell has a command to perform video device spying.

Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'

The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server.

“portforward” - Setup a proxy between a target host and port and the C&C

If the operator adds loader URLs, the StealC clients (bots) that connect to the C2 server will be delivered one or more of these loader URLs. At this point, the StealC malware client will attempt to download and execute one of the payloads from the URLs provided by the server.

SDBbot RAT has been observed... This malware features remote-access capabilities, accepts commands from a C&C server such as video recording, and has the ability to exfiltrate data from the victimized devices and networks.

SDBbot RAT has... the ability to exfiltrate data from the victimized devices and networks.

The system was also scheduled to reboot a random amount of time later... “reboot” - Reboot