Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]

ID: S0589
Platforms: Windows
Version: 1.1
Created: 12 March 2021
Last Modified: 27 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sibot communicated with its C2 server via HTTP GET requests.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sibot executes commands using VBScript.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sibot can decrypt data received from a C2 and save to a file.[1]

Enterprise T1070 Indicator Removal

Sibot will delete an associated registry key if a certain server response is received.[1]

.004 File Deletion

Sibot will delete itself if a certain server response is received.[1]

Enterprise T1105 Ingress Tool Transfer

Sibot can download and execute a payload onto a compromised system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[1]

Enterprise T1112 Modify Registry

Sibot has modified the Registry to install a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Sibot has obfuscated scripts used in execution.[1]

.011 Obfuscated Files or Information: Fileless Storage

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[1]

Enterprise T1012 Query Registry

Sibot has queried the registry for proxy server information.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sibot has been executed via a scheduled task.[1]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sibot has been executed via MSHTA application.[1]

.011 System Binary Proxy Execution: Rundll32

Sibot has executed downloaded DLLs with rundll32.exe.[1]

Enterprise T1016 System Network Configuration Discovery

Sibot checked if the compromised system is configured to use proxies.[1]

Enterprise T1049 System Network Connections Discovery

Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[1]

Enterprise T1102 Web Service

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[1]

Enterprise T1047 Windows Management Instrumentation

Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.[1]

Groups That Use This Software

ID Name References
G0016 APT29



ID Name Description
C0024 SolarWinds Compromise