Sibot

Malware Profile (updated 2 months ago)
Sibot is a dual-purpose malware implemented as a VBScript: it first establishes persistence on the infected machine and then downloads and executes payloads from a remote C2 server. To fetch its payload it reaches out to a compromised website and downloads a DLL into a folder under System32. Malware in general is software capable of damaging systems, stealing personal information, disrupting operations, or holding data hostage for ransom. Since December 2020, the security community has identified a growing set of payloads attributed to the NOBELIUM actor, including GoldMax, GoldFinder, and Sibot, as well as TEARDROP, SUNSPOT, Raindrop, and most recently FLIPFLOP. These families are used for layered persistence: each gives the actor an independent foothold on the infected device while helping the overall intrusion evade detection. Microsoft analyzed GoldMax, GoldFinder, and Sibot in March 2021 and showed how NOBELIUM uses them to persist on compromised devices, which underlines the need for strong defensive measures to prevent such infections and protect sensitive information.
Possible Aliases / Cluster overlaps
Because cluster overlaps and naming conventions differ between vendors, this section lists possible overlapping names and profiles that may also be relevant (each entry gives ID, votes, and profile description).
Miscellaneous Associations
Other elements of context that could aid in assessing relevance.
Tags: Microsoft, Payload, Malware
Associated Malware
Each entry gives ID, type, votes, and profile description.

TEARDROP (type: Unspecified; votes: 1)
Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the

Raindrop (type: Unspecified; votes: 1)
Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra

SUNSPOT (type: Unspecified; votes: 1)
Sunspot is a sophisticated and novel malware associated with the SolarWinds intrusion that occurred in December 2020. This malicious software, linked to COZY BEAR (also known as APT29 or "The Dukes"), infiltrates systems undetected, often through suspicious downloads, emails, or websites. Once insid
Associated Threat Actors
Each entry gives ID, type, votes, and profile description.

NOBELIUM (type: Unspecified; votes: 1)
Nobelium, a threat actor linked to Russia's SVR, has been noted for its persistent and malicious activities against diplomatic entities. The group has particularly targeted French interests, as reported by ANSSI (France's National Agency for the Security of Information Systems). Their methods includ
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Sibot malware was read from the document corpus below. This display is limited to 20 results.

Source: MITRE (created a year ago)
Title: GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Security Blog

Source: MITRE (created a year ago)
Title: Breaking down NOBELIUM’s latest early-stage toolset - Microsoft Security Blog

Source: MITRE (created a year ago)
Title: FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor - Microsoft Security Blog