LTS Secure Warning: NEW SDBbot RAT Being Distributed Via GET2 Downloader

Researchers have observed the cybercrime group TA505 delivering a new RAT, dubbed SDBbot, via the Get2 downloader in recent attacks. The Get2 downloader has previously been used in various campaigns to deliver secondary payloads, including Snatch ransomware and the FlawedGrace and FlawedAmmyy RATs. SDBbot is written in C++ and uses application shimming to maintain persistence.

  Technical Details
  • The group has developed the new Get2 loader to work in conjunction with Excel macros.
  • Get2 is embedded in the Excel file as an image.
  • A loader DLL is then used to execute the SDBbot payload on the victim machine.
  • Researchers have also observed TA505 distributing malspam emails containing URL-shortener links that redirect victims to a landing page, which in turn links to a Microsoft Excel file.
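Of the steps in this chain, SDBbot's persistence mechanism, application shimming, is the one that leaves a durable and easily audited footprint on the endpoint. Registering a shim database (an .sdb file) with sdbinst.exe writes entries under the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB registry keys and normally places a copy of the database under %WINDIR%\AppPatch\Custom. The PowerShell script below is an added example for defenders, not code from LTS Secure or from the researchers the advisory cites: it lists every registered shim database, the executables each one targets, and any .sdb file in the default shim folders that no registry entry accounts for. The function names are my own; the registry keys, value names and folder locations are the standard ones Windows uses for custom shims.

```powershell
# Added example (not from the LTS Secure advisory): audit a Windows host for
# application-compatibility shim databases, the persistence mechanism SDBbot uses.
# Run from an elevated PowerShell prompt on the endpoint being examined.

$AppCompat    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$CustomKey    = Join-Path $AppCompat 'Custom'        # executable name -> shim DB GUID(s)
$InstalledKey = Join-Path $AppCompat 'InstalledSDB'  # GUID -> database path, description, install time

function Get-InstalledShimDatabase {
    # One object per registered database. On a workstation that has never had a
    # custom shim installed this returns nothing, which is the expected state.
    if (-not (Test-Path $InstalledKey)) { return @() }
    Get-ChildItem -Path $InstalledKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = $props.DatabasePath
            Description = $props.DatabaseDescription
            Type        = $props.DatabaseType
            # DatabaseInstallTimeStamp is a 64-bit FILETIME written by sdbinst
            Installed   = $(if ($props.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime([int64]$props.DatabaseInstallTimeStamp)
                          } else { $null })
            # A registered database whose file has been removed is itself suspicious
            FileExists  = $(if ($props.DatabasePath) { Test-Path -LiteralPath $props.DatabasePath } else { $false })
        }
    }
}

function Get-ShimmedExecutable {
    # Each subkey under Custom is an executable name; its value names are the GUIDs
    # of the databases that apply a shim to that executable.
    if (-not (Test-Path $CustomKey)) { return @() }
    Get-ChildItem -Path $CustomKey | ForEach-Object {
        $exe   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $props.PSObject.Properties |
            Where-Object { $_.Name -like '{*' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; DatabaseGuid = $_.Name } }
    }
}

function Get-OrphanShimFile {
    # .sdb files in the default custom-shim folders that no InstalledSDB entry
    # references. sdbinst always registers what it installs, so an unregistered
    # database in these folders deserves a closer look.
    $registered = @(Get-InstalledShimDatabase | ForEach-Object { $_.Path } | Where-Object { $_ })
    $dirs = @("$env:WINDIR\AppPatch\Custom", "$env:WINDIR\AppPatch\Custom\Custom64")
    foreach ($dir in $dirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Filter '*.sdb' -File -ErrorAction SilentlyContinue |
                Where-Object { $registered -notcontains $_.FullName }
        }
    }
}

Write-Host '== Registered shim databases (InstalledSDB) =='
Get-InstalledShimDatabase | Format-Table -AutoSize

Write-Host '== Executables with custom shims (Custom) =='
Get-ShimmedExecutable | Format-Table -AutoSize

Write-Host '== Unregistered .sdb files in AppPatch\Custom =='
Get-OrphanShimFile | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

All three sections are normally empty on an end-user workstation, so any entry is worth explaining: a database installed recently with a description that matches no known application, a shim applied to a system executable, or an .sdb file that nothing registered. Pull the database itself for analysis rather than judging it by name. An empty result is not proof of a clean host, because the registry entries can be written without going through sdbinst, so pair this point-in-time audit with monitoring of changes to the two AppCompatFlags keys (for example with Sysmon registry events) and of sdbinst.exe executions.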
  Impact
  SDBbot gives the attacker the following capabilities on an infected machine:
  • Take screenshots of the desktop.
  • Record video and take pictures from the webcam.
  • Enumerate disk and system information and list directories.
  • Find, read, write, delete and copy files.
  • Spawn command-line shells.
  Recommended Actions
  • Implement the principle of least privilege.
  • Keep your anti-virus software updated with the latest releases.
  • Periodically run a full system scan on your endpoints.
  • Properly configure your firewall, IDS/IPS and endpoint protection systems so that no gaps are left open.
  • Isolate all compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.