Sbz

Malware updated a month ago (2024-10-15T10:03:08.359Z)

Download STIX

Preview STIX

SBZ is a potent malware, also known as a filestealer, that has been identified by cybersecurity researchers. It is characterized by its ability to upload any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the Command and Control (C2) server. Its discovery was facilitated by signatures associated with the Equation malware family, and it shares coding style and practices with this notorious group. The SBZ malware's SHA-256 hash is 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b, further aiding in its identification and tracking. The malware's coding style and practices bear a striking resemblance to those seen in STRAITBIZARRE (SBZ), an espionage platform suspected to be linked to a U.S.-based adversarial collective. However, despite the similarities, it has been clarified that the two are completely unrelated. The data format, naming convention, and URL scheme used by the C2 server (/h/pa) are also very similar to the SBZ filestealer, adding to the complexity and sophistication of the malware. In addition to the SBZ filestealer, malicious tools observed in related attacks include Tomiris downloader, download scheduler, .NET downloader and implant, Telemiris backdoor, Roopy stealer, JLORAT backdoor, JLOGRAB stealer, RATel open source RAT, Python Meterpreter loader, and Warzone commercial RAT. These findings underscore the extensive capabilities and potential threat posed by the SBZ malware and its associated cyberespionage activities.

Description last updated: 2024-10-15T09:18:32.759Z

What's your take? (Question 1 of 0)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Tomiris is a possible alias for Sbz. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Sbz Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	2 years ago	Tomiris backdoor and its connection to Sunshuttle and Kazuar
CERT-EU	a year ago	Kaspersky reveals 'elegant' malware resembling NSA code
CERT-EU	a year ago	StripedFly Malware's Covert Cryptocurrency Mining Operation
CERT-EU	a year ago	StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices
CERT-EU	2 years ago	Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU	a year ago	StripedFly: Perennially flying under the radar – GIXtools
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back
CERT-EU	a year ago	StripedFly: Perennially flying under the radar
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back - GIXtools