1. Home
  2. Software
  3. Sibot

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds cyber intrusion campaign.[1]

ID: S0589
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 March 2021
Last Modified: 20 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sibot communicated with its C2 server via HTTP GET requests.[1]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sibot executes commands using VBScript.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sibot can decrypt data received from a C2 and save to a file.[1]
Enterprise T1070 Indicator Removal on Host

Sibot will delete an associated registry key if a certain server response is received.[1]
.004 File Deletion

Sibot will delete itself if a certain server response is received.[1]
Enterprise T1105 Ingress Tool Transfer

Sibot can download and execute a payload onto a compromised system.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[1]
Enterprise T1112 Modify Registry

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[1]
Enterprise T1027 Obfuscated Files or Information

Sibot has obfuscated scripts used in execution.[1]
Enterprise T1012 Query Registry

Sibot has queried the registry for proxy server information.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sibot has been executed via a scheduled task.[1]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sibot has been executed via MSHTA application.[1]
.011 System Binary Proxy Execution: Rundll32

Sibot has executed downloaded DLLs with rundll32.exe.[1]
Enterprise T1016 System Network Configuration Discovery

Sibot checked if the compromised system is configured to use proxies.[1]
Enterprise T1049 System Network Connections Discovery

Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1]
Enterprise T1102 Web Service

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1]
Enterprise T1047 Windows Management Instrumentation

Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4]

References

  1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  2. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  1. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  2. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.