LTS Secure Warning: NEW SDBbot RAT Being Distributed Via GET2 Downloader
Researchers have observed cybercrime group ‘TA505’, using a new RAT dubbed SDBbot, being delivered via GET2 downloader in recent attacks. The G2 downloader has been previously used in various campaigns to deliver secondary payloads, including Snatch ransomware, FlawedGrace & Flawed Ammyy Rats. SDBbot is written in C++ and makes use of application shimming in order to maintain persistence.
- The group has developed the new Get2 loader to work in conjunction with Excel macro.
- Get2 is being embedded into the excel file as an image.
- Further, a loader DLL is being utilized to execute the SDBbot payload on the victim machine.
- Researchers have also observed ‘TA505’ distributing malspam emails with URL shortener links to redirect victims to landing page, that turn links to an Microsoft excel file.
- Take screenshots of desktop.
- Records videos & takes pictures from webcam.
- Disk & system information enumeration along with directory listing.
- Can find, read, write, delete, and copy files.
- Spawn command-line shells.
- Implement Principle of least privilege.
- Always update your anti-virus software with the latest releases.
- Periodically run “full system scan” on your endpoints.
- Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
- Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.