SDBbot is malware that typically infiltrates computer systems through deceptive downloads, emails, or websites. In the context of cyber threats, it falls under the category of custom malware, used by threat groups such as GOLD TAHOE. Other common offensive security tools and commodity malware include Cobalt Strike, PowerShell Empire, and SystemBC. Once inside a system, SDBbot can steal personal information, disrupt operations, or hold data hostage for ransom. It moves laterally within the compromised network, exfiltrates data, and deploys the Cl0p ransomware on as many systems as possible.
The cybercriminal group Graceful Spider (also known as TA505, Gold Evergreen, TEMP.Warlock, Hive0065, Chimborazo, FIN11) distributed spearphishing emails impersonating Onehub in 2019 to trick users into downloading the SDBbot remote access trojan (RAT). This RAT has typical functionalities such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access. The SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution.
Using the domain admin account, the actor compromised several other accounts and executed malicious services and persistence mechanisms, namely SDBbot RAT loaders. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader is used to continue SDBbot’s execution after installation in the TA505 campaigns. The RAT component, named “BotDLL[.]dll”, stores its command-and-control (C&C) server addresses either in a plaintext string or in a file named “ip.txt”.
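Because the C&C addresses are stored in plaintext rather than encrypted, a triage script can recover candidate indicators directly from the RAT body or from the “ip.txt” file without running the sample. The script below is an added example written for this page, not SDBbot code or a Proofpoint tool; the byte blob it scans is constructed, the IP addresses in it are from documentation ranges, and the assumption that “ip.txt” holds dotted-quad addresses with an optional port is ours (the real file layout is not described here). It extracts syntactically valid IPv4[:port] tokens, drops loopback, RFC 1918, link-local and multicast noise, rejects version-string look-alikes, and returns a deduplicated list an analyst can feed into blocklists or detection rules.

```python
from __future__ import annotations

import ipaddress
import re

# Dotted-quad with optional :port. The lookarounds stop version strings such as
# "6.1.7601.17514" or "1.2.3.4.5" from yielding a spurious four-octet prefix.
_IPV4_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?![0-9.])")

# Ranges that are never a useful Internet-facing C&C; listed explicitly so that
# documentation ranges (used for the constructed sample below) are kept.
_NOISE_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    )
]


def extract_c2_candidates(blob: bytes) -> list[str]:
    """Return unique, valid IPv4[:port] tokens from raw bytes (DLL body or ip.txt).

    Order of first appearance is preserved so results can be compared run to run.
    """
    found: list[str] = []
    for match in _IPV4_RE.finditer(blob):
        token = match.group(0).decode("ascii")
        host, _, port = token.partition(":")
        try:
            addr = ipaddress.IPv4Address(host)
        except ValueError:
            continue  # octet out of range, e.g. "999.1.1.1"
        if any(addr in net for net in _NOISE_NETS):
            continue  # internal / loopback / multicast noise, not a C&C
        if port and not 0 < int(port) < 65536:
            continue  # impossible port number
        if token not in found:
            found.append(token)
    return found


def scan_file(path: str) -> list[str]:
    """Convenience wrapper: scan a file on disk (a dropped DLL or an ip.txt)."""
    with open(path, "rb") as fh:
        return extract_c2_candidates(fh.read())


# Constructed sample standing in for a slice of an unpacked RAT body: a fake
# header, the config file name, two documentation-range "C&C" entries, plus
# the kinds of noise a naive strings(1) pass would also surface.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ip.txt\x00"
    + b"198.51.100.23:443\x00"      # constructed C&C with port (TEST-NET-2)
    + b"\x00" * 8
    + b"192.168.0.1\x00"            # RFC 1918 noise, filtered
    + b"6.1.7601.17514\x00"         # version string, rejected by regex lookarounds
    + b"999.1.1.1\x00"              # invalid octet, rejected by ipaddress
    + b"203.0.113.77\x00"           # constructed C&C without port (TEST-NET-3)
    + b"198.51.100.23:443\x00"      # duplicate, collapsed
)


if __name__ == "__main__":
    for indicator in extract_c2_candidates(SAMPLE_BLOB):
        print(indicator)
```

Run against the constructed blob it prints the two documentation-range entries and nothing else; point `scan_file` at a real “ip.txt” or an unpacked DLL to get the same deduplicated list. Since SDBbot’s installers decrypt code and strings only at runtime, the scan is useful on the unpacked payload or on the dropped config file, not on the packed installer.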
Description last updated: 2024-05-04T16:08:32.010Z