1. Home
  2. Software
  3. Sibot

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]

ID: S0589
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 12 March 2021
Last Modified: 27 March 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sibot communicated with its C2 server via HTTP GET requests.[1]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sibot executes commands using VBScript.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sibot can decrypt data received from a C2 and save to a file.[1]
Enterprise T1070 Indicator Removal

Sibot will delete an associated registry key if a certain server response is received.[1]
.004 File Deletion

Sibot will delete itself if a certain server response is received.[1]
Enterprise T1105 Ingress Tool Transfer

Sibot can download and execute a payload onto a compromised system.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[1]
Enterprise T1112 Modify Registry

Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.[1]
Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Sibot has obfuscated scripts used in execution.[1]
.011 Obfuscated Files or Information: Fileless Storage

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[1]
Enterprise T1012 Query Registry

Sibot has queried the registry for proxy server information.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sibot has been executed via a scheduled task.[1]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sibot has been executed via MSHTA application.[1]
.011 System Binary Proxy Execution: Rundll32

Sibot has executed downloaded DLLs with rundll32.exe.[1]
Enterprise T1016 System Network Configuration Discovery

Sibot checked if the compromised system is configured to use proxies.[1]
Enterprise T1049 System Network Connections Discovery

Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1]
Enterprise T1102 Web Service

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1]
Enterprise T1047 Windows Management Instrumentation

Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4][5][6][7]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References

  1. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  2. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  3. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  4. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  1. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  2. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  3. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.