Sdbot

Malware updated 7 months ago (2024-05-05T06:17:38.324Z)
SDBot is malware that has been leveraged by the threat actors tracked as TA505 and CL0P to exploit vulnerabilities in computer systems. It serves as a backdoor that lets the operator execute commands and functions on the compromised computer, often without the user's knowledge. SDBot can reach a system through suspicious downloads, emails or websites; once installed, it can steal personal information, disrupt operations, or hold data hostage for ransom. It can also drop copies of itself onto removable drives and network shares, propagating the infection further.

In 2019, TA505 actors used SDBot in a phishing campaign built around a macro-enabled document. The campaign used the Get2 malware dropper to download SDBot and a second malware family, FlawedGrace. TA505's toolkit also includes the FlawedAmmyy/FlawedGrace RAT, the SDBot RAT and the Truebot downloader module, which together let the actors collect sensitive information and spread their malware widely.

Organizations should pay particular attention to SDBot because of its association with Clop ransomware. CL0P actors use SDBot for application shimming, both for persistence and to avoid detection, and as a backdoor through which further commands and functions are executed on the compromised computer. SDBot has also been observed delivering Clop as the final payload, which is what makes an SDBot infection potentially so severe. Understanding and mitigating SDBot is therefore an important step in preventing the deployment of Clop ransomware.
Description last updated: 2024-05-05T05:36:02.336Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware, RAT, Payload, Ransomware
Associated Malware
Alias: FlawedGrace
Description: The FlawedGrace Malware is associated with Sdbot. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Association Type: Unspecified
Votes: 2

Alias: Clop
Description: The Clop Malware is associated with Sdbot. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Alias: TA505
Description: The TA505 Threat Actor is associated with Sdbot. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Sdbot Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created at):
Flashpoint (2 years ago)
MITRE (2 years ago)
CERT-EU (a year ago)