
Sibot Malware

Posted: March 5, 2021

The Sibot Malware is a threatening implant believed to be used as a first-stage payload by the criminals associated with the supply-chain attack against SolarWinds. That attack was discovered in December 2020, but further research showed that the criminals might have penetrated SolarWinds' security earlier than that. The Sibot Malware itself, however, was not used in that campaign. Instead, the Nobelium APT hackers employed it in earlier attack campaigns, primarily against US-based entities in the government and technology sectors.

The Sibot Malware is a relatively simple VBScript that tries to hide its presence and intentions by mimicking the names of legitimate Windows services and features. Of course, this only makes it harder for end-users to spot – automated malware removal tools will sniff out the Sibot Malware's threatening behavior easily and terminate it before it causes any trouble.

If the Sibot Malware is deployed successfully, it connects to a remote command-and-control server and tries to fetch additional payloads to install and run. It is believed that the Nobelium APT hackers relied on the Sibot Malware to deliver secondary payloads such as the GoldMax Malware or the GoldFinder Malware.
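As an added illustration of how a defender might hunt for the two behaviours described above (a script host running a .vbs whose name borrows a legitimate Windows service or feature name, followed by that same process reaching out to a remote server), here is example code that is not from the original post or from any Sibot analysis. The pipe-delimited log format, the list of borrowed names and the sample events are all constructed assumptions.

```python
import re

# Constructed sample telemetry in a toy Sysmon-like format (assumption, not real Sibot data):
# "event_id|image|command_line|pid|destination"; id 1 = process create, id 3 = network connect.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\Public\\Windows Update Helper.vbs|4412|",
    "3|C:\\Windows\\System32\\wscript.exe||4412|203.0.113.7:443",
    "1|C:\\Windows\\System32\\cscript.exe|cscript.exe C:\\Scripts\\inventory.vbs|5100|",
    "1|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs|880|",
    "3|C:\\Windows\\System32\\svchost.exe||880|203.0.113.9:80",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Fragments of legitimate Windows service/feature names a lure script might borrow (assumed list,
# deliberately loose; tune it to your environment to control false positives).
LEGIT_NAME_FRAGMENTS = {"windows update", "wuauserv", "defender", "svchost", "spooler", "sysmain"}


def parse_event(line):
    eid, image, cmdline, pid, dest = line.split("|")
    return {"id": int(eid), "image": image, "cmdline": cmdline, "pid": int(pid), "dest": dest}


def vbs_name_from_cmdline(cmdline):
    """Return the .vbs file name (last path segment) from a script-host command line, or None."""
    m = re.search(r'([^\\/"]+\.vbs)\b', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def mimics_windows_name(script_name):
    """True when the script's base name contains a fragment of a legitimate Windows name."""
    base = script_name.lower().rsplit(".", 1)[0]
    return any(frag in base for frag in LEGIT_NAME_FRAGMENTS)


def hunt(lines):
    """Alert on script-host processes that ran a Windows-lookalike .vbs and then made a network connection.

    Returns a list of (pid, script_name, destination) tuples.
    """
    suspicious_by_pid = {}
    alerts = []
    for ev in map(parse_event, lines):
        host = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["id"] == 1 and host in SCRIPT_HOSTS:
            name = vbs_name_from_cmdline(ev["cmdline"])
            if name and mimics_windows_name(name):
                suspicious_by_pid[ev["pid"]] = name
        elif ev["id"] == 3 and ev["pid"] in suspicious_by_pid:
            alerts.append((ev["pid"], suspicious_by_pid[ev["pid"]], ev["dest"]))
    return alerts


if __name__ == "__main__":
    for pid, script, dest in hunt(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} script={script!r} connected to {dest}")
```

On the constructed sample, only the wscript.exe process that ran "Windows Update Helper.vbs" and then connected out is reported; the ordinary inventory script and the real svchost.exe are not.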

Multi-stage attacks are not unusual for Advanced Persistent Threat (APT) groups like Nobelium. Companies can protect their networks by strengthening security protocols, as well as relying on reputable firewall and anti-virus services.