
Sibot Malware

Sibot is a malware loader used in the middle stages of the attack chain. It is one of the tools observed in use by the Nobelium (UNC2452) APT. The strain was disclosed by Microsoft, which has continued to monitor the group's activity since the 2020 supply-chain attack against SolarWinds, in which roughly 18,000 SolarWinds customers received the trojanized update. At the time, the then-unknown actor was tracked by Microsoft under the name Solorigate.

According to Microsoft's findings, Sibot is a custom-built strain implemented in VBScript, Microsoft's Visual Basic-derived Active Scripting language. It is designed to leave a minimal footprint on the compromised machine, which reduces the chance of detection. Because the script fetches its payload from a remote host, the operators can download and run new code without changing anything on the compromised endpoint; they simply update the DLL hosted on their server. The VBScript file is given a name that impersonates a legitimate Windows task and is stored either in the registry of the infected system or on disk in an obfuscated form.

Sibot's main tasks are to establish persistence and then to fetch and execute the next-stage payload from the Command-and-Control (C2, C&C) server. Persistence is achieved through a scheduled task that launches mshta.exe (the Microsoft HTML Application Host, a signed Microsoft binary that runs HTML Applications), which in turn runs the obfuscated script that starts Sibot.
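The persistence chain described above (scheduled task, mshta.exe, script pulled from the registry) leaves two artifacts a defender can hunt for: the task definition itself, which Windows records in Security event 4698 as XML, and the mshta.exe process being spawned by the Task Scheduler service host. The following Python is an added example written for this page, not Microsoft's code or a Sibot signature. All records in it are constructed, the registry key `HKCU\Software\Example\Config` is hypothetical, and the heuristics are general mshta-abuse indicators rather than Sibot-specific IOCs.

```python
"""Hunt for scheduled-task persistence that launches mshta.exe.

Two telemetry sources are checked:
  * Windows Security event 4698 (scheduled task created) carries the task XML,
    so each <Exec> action can be parsed for mshta.exe and inline-script arguments.
  * Process-creation telemetry (Sysmon event 1 style) shows mshta.exe being
    spawned by the svchost.exe instance hosting the Schedule service.
Every record below is constructed for this example; none is a real Sibot IOC.
"""
import re
import xml.etree.ElementTree as ET

MSHTA = re.compile(r"(^|[\\/])mshta(\.exe)?$", re.IGNORECASE)
# mshta accepts a script straight from the command line via these protocol handlers.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# The script body being read back out of the registry at run time.
REGISTRY_READ = re.compile(r"\bRegRead\b|\bHK(CU|LM|EY_[A-Z_]+)\\", re.IGNORECASE)

# Constructed 4698-style records: (task name, TaskContent XML).
TASK_EVENTS = [
    ("\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     "<Actions><Exec><Command>%windir%\\system32\\usoclient.exe</Command>"
     "<Arguments>StartScan</Arguments></Exec></Actions></Task>"),
    # Impersonates a built-in task name but runs mshta with an inline VBScript that
    # pulls the real script out of a registry value (hypothetical key).
    ("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     "<Actions><Exec><Command>C:\\Windows\\System32\\mshta.exe</Command>"
     '<Arguments>vbscript:Execute(CreateObject("WScript.Shell").RegRead('
     '"HKCU\\Software\\Example\\Config"))</Arguments></Exec></Actions></Task>'),
]

# Constructed Sysmon event 1 style records (not real telemetry).
PROCESS_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute(CreateObject("WScript.Shell")'
                    '.RegRead("HKCU\\Software\\Example\\Config"))'},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]


def exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    actions = []
    for node in ET.fromstring(task_xml).iter():
        if node.tag.rsplit("}", 1)[-1] != "Exec":   # ignore the XML namespace
            continue
        cmd = args = ""
        for child in node:
            local = child.tag.rsplit("}", 1)[-1]
            if local == "Command":
                cmd = (child.text or "").strip()
            elif local == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def assess_task(name, task_xml):
    """Score one scheduled-task definition; returns a list of reasons (empty = benign)."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        if MSHTA.search(cmd):
            reasons.append("task action launches mshta.exe")
            if INLINE_SCRIPT.search(args):
                reasons.append("mshta given an inline vbscript:/javascript: payload")
            if REGISTRY_READ.search(args):
                reasons.append("payload is read from the registry at run time")
    if reasons and name.startswith("\\Microsoft\\Windows\\"):
        reasons.append("task name sits under the tree used by built-in Windows tasks")
    return reasons


def assess_process(event):
    """Flag mshta.exe spawned by the Task Scheduler service host with an inline script."""
    reasons = []
    if not MSHTA.search(event.get("Image", "")):
        return reasons
    # The Schedule service runs inside svchost.exe; modern Windows names it with -s.
    if "Schedule" in event.get("ParentCommandLine", ""):
        reasons.append("mshta.exe spawned by the Task Scheduler service")
    if INLINE_SCRIPT.search(event.get("CommandLine", "")):
        reasons.append("inline script protocol on the mshta command line")
    return reasons


def hunt(task_events=TASK_EVENTS, process_events=PROCESS_EVENTS):
    """Run both checks and return {record label: reasons} for everything flagged."""
    hits = {}
    for name, xml in task_events:
        reasons = assess_task(name, xml)
        if reasons:
            hits[name] = reasons
    for i, event in enumerate(process_events):
        reasons = assess_process(event)
        if reasons:
            hits[f"process[{i}] {event['Image']}"] = reasons
    return hits


if __name__ == "__main__":
    for label, reasons in hunt().items():
        print(label)
        for reason in reasons:
            print("  -", reason)
```

Because mshta.exe is a signed Microsoft binary, a signature-based allowlist does not block this chain; the useful control is to alert on, or restrict via application control, any scheduled task whose action is mshta.exe, and to treat mshta.exe started by the Task Scheduler service with a `vbscript:` argument as suspicious regardless of how legitimate the task name looks.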
