OVERVIEW

Sibot is a malware family implemented in Visual Basic. It is used to establish persistence on a system, to download additional payloads, and to execute additional commands received from a command and control (C2) server. Sibot rose to prominence for its role in the high-profile SolarWinds compromise in late 2020.

TARGETING

Sibot is known to have been used by Dark Halo (aka Nobelium, UNC2452) during the SolarWinds compromise. While media reports indicated that the adversary had potentially compromised thousands of SolarWinds customers, further investigation revealed that their targeting was much more constrained. Major targets included various US government departments and high-tech firms.

SIBOT INSTALLATION

Upon execution, Sibot contacts a legitimate, but compromised, website and downloads a DLL file. It should be noted that, as of writing, the actor has used a different compromised host for each target.

The file is written to C:\windows\system32\drivers\ and renamed with a .sys extension so that it resembles a driver. This DLL is then executed using rundll32.exe.

SIBOT PERSISTENCE

There are at least three known variants of this malware, each establishing persistence slightly differently.

Variant A – Writes the second stage script to the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.

Variant B – Creates a scheduled task that runs daily. The task is saved at the location: C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\sibot

And runs the command:

rundll32.exe vbscript:"..\mshtml,RunHTMLApplication "+Execute(CreateObject("WScript.Shell").RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot\"))(window.close)

Variant C – This variant contains only the standalone second stage script contained in Variant A. The script, however, is configured to run from a file instead of the Windows Registry.
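The installation and persistence artifacts above (a DLL renamed to .sys under the drivers directory and launched by rundll32.exe, a second-stage script read from the sibot registry key, and the rundll32.exe vbscript: command used by the scheduled task) give a defender three concrete things to look for in process-creation telemetry. The following detection logic is an added example written for this page, not code from the original article or from any vendor; the event records are constructed in Sysmon Event ID 1 style, and the .sys file name update.sys is a hypothetical placeholder, since the page does not name the downloaded file.

```python
import re

# Persistence locations named on the page (registry key and scheduled task path).
SIBOT_REG_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot"
SIBOT_TASK_PATH = r"C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\sibot"

# Each rule is applied to the process command line, case-insensitively.
RULES = {
    # Variant B: rundll32 abusing the vbscript: handler to run inline script via mshtml.
    "rundll32_inline_vbscript": re.compile(
        r"rundll32(\.exe)?\s+vbscript:.*RunHTMLApplication", re.I),
    # Variant A/B: anything referencing the sibot registry key that stores the second stage.
    "second_stage_from_sibot_regkey": re.compile(
        re.escape(r"SOFTWARE\Microsoft\Windows\CurrentVersion\sibot"), re.I),
    # Installation: rundll32 loading a ".sys" file out of the drivers directory.
    # Real drivers are loaded by the kernel, not exported-function-called by rundll32.
    "rundll32_loads_sys_from_drivers": re.compile(
        r"rundll32(\.exe)?\s+.*\\drivers\\[^\s,]+\.sys\b", re.I),
}

# Constructed sample records (not real telemetry). Only the first two are malicious-looking;
# the third is a benign rundll32 invocation that should not fire any rule.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe vbscript:"..\mshtml,RunHTMLApplication "+Execute(CreateObject("WScript.Shell").RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot\"))(window.close)',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        # "update.sys" is a hypothetical file name; the page does not give the real one.
        "CommandLine": r"rundll32.exe C:\Windows\System32\drivers\update.sys,Start",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def match_event(event):
    """Return the sorted list of rule names whose pattern matches this event's command line."""
    cmdline = event.get("CommandLine", "")
    return sorted(name for name, pattern in RULES.items() if pattern.search(cmdline))


def scan_events(events):
    """Return (event_index, rule_name) pairs for every rule hit across a list of events."""
    hits = []
    for idx, event in enumerate(events):
        for rule in match_event(event):
            hits.append((idx, rule))
    return hits


def is_sibot_task_path(path):
    """True if a scheduled-task file path equals the location Variant B writes to."""
    return path.strip().lower() == SIBOT_TASK_PATH.lower()


if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine'][:80]}")
    print("task path check:", is_sibot_task_path(SIBOT_TASK_PATH))
```

The first rule is the most durable of the three: it keys on rundll32.exe being handed a vbscript: URL and the mshtml RunHTMLApplication export, which is rare in legitimate administration regardless of what registry key or file the script is read from. The registry-key and task-path checks are exact indicators from this campaign and should be treated as brittle; an operator can rename them without changing the technique.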

SIBOT MODULES

The second stage of the malware is used to execute additional commands.

SIBOT COMMUNICATION

The malware establishes a connection with its command and control (C2) server. It sets the user agent string and the connection GUID as HTTP header fields in the HTTP request.
