Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. SDBot

SDBot

SDBot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[1][2]

ID: S0461
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 01 June 2020
Last Modified: 17 June 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SDBot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [1][2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SDBot has the ability to use the command shell to execute commands on a compromised host.[1]
Enterprise T1005 Data from Local System

SDBot has the ability to access the file system on a compromised host.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

SDBot has the ability to decrypt and decompress its payload to enable code execution.[1][2]
Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

SDBot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[1]
.011 Event Triggered Execution: Application Shimming

SDBot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[1]
Enterprise T1083 File and Directory Discovery

SDBot has the ability to get directory listings or drive information on a compromised host.[1]
Enterprise T1070 Indicator Removal on Host

SDBot has the ability to clean up and remove data structures from a compromised host.[1]
.004 File Deletion

SDBot has the ability to delete files from a compromised host.[1]
Enterprise T1105 Ingress Tool Transfer

SDBot has the ability to download a DLL from C2 to a compromised host.[1]
Enterprise T1095 Non-Application Layer Protocol

SDBot has the ability to communicate with C2 with TCP over port 443.[1]
Enterprise T1027 Obfuscated Files or Information

SDBot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[1]
.002 Software Packing

SDBot has used a packed installer file.[2]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

SDBot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[1]
Enterprise T1090 Proxy

SDBot has the ability to use port forwarding to establish a proxy between a target host and C2.[1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

SDBot has the ability to use RDP to connect to victim's machines.[1]
Enterprise T1082 System Information Discovery

SDBot has the ability to identify the OS version, country code, and computer name.[1]
Enterprise T1016 System Network Configuration Discovery

SDBot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[1]
Enterprise T1033 System Owner/User Discovery

SDBot has the ability to identify the user on a compromised host.[1]
Enterprise T1125 Video Capture

SDBot has the ability to record video on a compromised host.[1][2]

Groups That Use This Software

ID Name References
G0092 TA505

[1][2]

References

  1. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  1. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.