SDBbot

SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[1][2]

ID: S0461
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 01 June 2020
Last Modified: 29 March 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SDBbot has the ability to use the command shell to execute commands on a compromised host.[1]

Enterprise T1005 Data from Local System

SDBbot has the ability to access the file system on a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SDBbot has the ability to decrypt and decompress its payload to enable code execution.[1][2]

Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[1]

.011 Event Triggered Execution: Application Shimming

SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[1]

Enterprise T1083 File and Directory Discovery

SDBbot has the ability to get directory listings or drive information on a compromised host.[1]

Enterprise T1070 Indicator Removal on Host

SDBbot has the ability to clean up and remove data structures from a compromised host.[1]

.004 File Deletion

SDBbot has the ability to delete files from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

SDBbot has the ability to download a DLL from C2 to a compromised host.[1]

Enterprise T1095 Non-Application Layer Protocol

SDBbot has the ability to communicate with C2 with TCP over port 443.[1]

Enterprise T1027 Obfuscated Files or Information

SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[1]

.002 Software Packing

SDBbot has used a packed installer file.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[1]

Enterprise T1090 Proxy

SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

SDBbot has the ability to use RDP to connect to victim's machines.[1]

Enterprise T1082 System Information Discovery

SDBbot has the ability to identify the OS version, country code, and computer name.[1]

Enterprise T1016 System Network Configuration Discovery

SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[1]

Enterprise T1033 System Owner/User Discovery

SDBbot has the ability to identify the user on a compromised host.[1]

Enterprise T1125 Video Capture

SDBbot has the ability to record video on a compromised host.[1][2]

Groups That Use This Software

ID Name References
G0092 TA505

[1][2]

References