A new malware variant, referred to as Saint Bot, is being distributed via phishing emails that use a Bitcoin-themed lure. With Bitcoin values continuing to surge upwards, the lure is expected to be more effective than ever and to fool many recipients into opening the attached files to access the supposed Bitcoin wallet.
The phishing emails inform the recipient that a Bitcoin wallet is contained in the attached ZIP file. The ZIP file holds a text file with instructions and a LNK file with an embedded PowerShell script. That PowerShell downloader installs an obfuscated .NET dropper and downloader, which in turn loads a BAT script that disables Windows Defender, and then the Saint Bot malware binary itself. If a recipient follows the instructions, this chain runs and Saint Bot is installed on the device.
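The LNK stage of the chain above is the point where an analyst or a mail gateway can inspect the attachment before anything runs. As an added example (not code from the original article or from the Malwarebytes research), the following Python script parses the string fields of a .LNK file according to the published Shell Link binary format and flags a target path or argument string that looks like a hidden PowerShell launch. The indicator list and the `build_test_lnk` fixture are assumptions constructed for this example, not samples from the campaign.

```python
import re
import struct
# Field layout follows the Shell Link (.LNK) binary format (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields, in the order they appear after LinkInfo.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumed indicators of a LNK that launches a hidden PowerShell stage (constructed list).
SUSPICIOUS = re.compile(r"powershell|pwsh|windowstyle\s+hidden|-w\s+hidden|encodedcommand"
                        r"|-enc\b|-e\b|executionpolicy\s+bypass|-ep\s+bypass"
                        r"|downloadstring|iex\b|invoke-expression", re.I)

def parse_lnk_strings(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
    return fields

def triage_lnk(data: bytes) -> dict:
    """Flag a LNK whose target path or arguments match the PowerShell-stage indicators."""
    fields = parse_lnk_strings(data)
    hits = sorted(k for k, v in fields.items() if SUSPICIOUS.search(v))
    return {"fields": fields, "hits": hits, "suspicious": bool(hits)}

def build_test_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode LNK with only RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<4s16sI", b"\x4c\x00\x00\x00", LNK_CLSID, flags) + bytes(0x4C - 24)
    strings = (relative_path, arguments)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)

if __name__ == "__main__":
    sample = build_test_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                            "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File wallet.ps1")
    print(triage_lnk(sample))  # hits: ['arguments', 'relative_path']
```

The same check can be run on every .lnk member of an incoming ZIP at the mail gateway; a LNK whose target is a script interpreter with a hidden window is rarely legitimate in an email attachment.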
A notable feature of the Saint Bot dropper is that it can deliver secondary payloads, including information stealers, although it could be used to drop any strain of malware. The new strain was initially discovered by researchers at Malwarebytes, who found no novel techniques at play. However, it appears that the malware is being continually developed. Detections are currently comparatively low, but Saint Bot could grow into a serious threat for email users.
Once installed, the malware checks whether it is running in a controlled (analysis) environment and removes itself if so. Otherwise, it communicates with its hard-coded command and control servers, sends information collected from the infected system, and installs secondary payloads on the infected device using Discord.
The malware is not attributed to a particular threat group and could well be distributed to multiple actors via darknet hacking forums. It could become a significant threat, used in widespread campaigns to take advantage of the opening in the malware-as-a-service (MaaS) market created by the takedown of the Emotet Trojan.
Safeguarding your systems from malware downloaders such as Saint Bot requires a defense-in-depth approach. The simplest way to prevent infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that spread the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked using firewall rules.
Along with technical controls, it is crucial to provide security awareness training for the workforce to help staff spot malicious emails and to show them how to respond when a possible threat is discovered.