How to Remove the Saint Bot Malware

The Saint Bot Malware is a small piece of malware that was first spotted in an email spam campaign piggybacking on public interest in COVID-19 statistics. That campaign took place near the end of 2020 and distributed a malicious document whose macro script deployed and ran the Saint Bot Malware. The more recent campaign, however, appears to be more widely spread and uses a different lure: this time, the criminals behind the Saint Bot Malware tell recipients that they have been granted access to a Bitcoin wallet. According to the fraudulent email, the user needs to download and unzip an archive in order to gain access to the Bitcoin stored in the wallet. The archive, however, contains an obfuscated PowerShell script that instructs Windows to download an executable file from a remote location and launch it. The result is a malicious 'WindowsUpdate.exe' file stored in the %TEMP% folder.

But what does the Saint Bot Malware do once it is installed? This threat serves the purpose of deploying additional malware to the compromised system. It is likely to be used as a first-stage payload that can stay dormant and wait for further instructions from the command-and-control server. Depending on the Saint Bot Malware's configuration, it may disguise its malicious process under different names; it seems to commonly use the bogus process name 'EhStorAurhn.exe.'

The list of commands that the Saint Bot Malware supports is very small, but it is enough to provide its operators with the ability to install other dangerous threats. They can command all active instances of Saint Bot Malware to download and execute a file from a pre-defined URL, as well as to update the payload or to uninstall the downloader.

While the Saint Bot Malware is not the most sophisticated project, cybersecurity experts note that it is able to avoid certain types of targets. First of all, it checks the default language configuration of the infected system. If the language belongs to Russia, Ukraine, Belarus, Armenia, Kazakhstan, Romania, or Moldova, it will not proceed with the attack. Like other Trojan Downloaders, it also checks registry entries and system drivers for strings typical of virtual environments. This is how threats like the Saint Bot Malware try to avoid the controlled environments used for malware analysis.
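The indicators above (a 'WindowsUpdate.exe' dropped in %TEMP% by a PowerShell script, and a process named 'EhStorAurhn.exe') can be turned into a simple host triage check. The script below is an added example, not code from this article or from any vendor analysis; it runs over a constructed process and file snapshot rather than a live system. It generalises the article's lookalike name slightly: any process whose name is one character away from a known Windows binary is flagged, and the assumption that the legitimate EhStorAuthn.exe lives in C:\Windows\System32 is ours, not the article's.

```python
"""Triage helper for the Saint Bot indicators described in the article.

Added example, not code from the article or from any analysis it cites.
It scores a process/file snapshot against three indicators the text gives:
  1. a dropped 'WindowsUpdate.exe' inside the user's %TEMP% folder,
  2. a process whose name is a one-character lookalike of a legitimate
     Windows binary (the article's 'EhStorAurhn.exe' imitates EhStorAuthn.exe;
     that this binary ships in System32 is our assumption),
  3. powershell.exe as the parent of an executable running from %TEMP%.
The snapshot below is constructed; a real one would be exported from Sysmon,
Get-Process, or a directory listing.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessRecord:
    pid: int
    name: str         # image name, e.g. "EhStorAurhn.exe"
    path: str         # full image path
    parent_name: str  # image name of the parent process


@dataclass
class Finding:
    indicator: str
    detail: str


# Legitimate System32 binaries whose names the article says the downloader imitates.
LEGIT_SYSTEM32_BINARIES = {"ehstorauthn.exe"}
DROPPED_PAYLOAD_NAME = "windowsupdate.exe"   # %TEMP%\WindowsUpdate.exe from the article


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_temp(path: str) -> bool:
    """True for paths under a user %TEMP% folder or C:\\Windows\\Temp."""
    p = _norm(path)
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in _norm(path)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 marks a one-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes: Iterable[ProcessRecord], files: Iterable[str]) -> List[Finding]:
    """Return one Finding per matched indicator in the snapshot."""
    findings: List[Finding] = []

    for f in files:
        if _norm(f).rsplit("\\", 1)[-1] == DROPPED_PAYLOAD_NAME and _in_temp(f):
            findings.append(Finding("dropped_payload_in_temp", f))

    for p in processes:
        name = p.name.lower()
        for legit in LEGIT_SYSTEM32_BINARIES:
            if name != legit and edit_distance(name, legit) == 1:
                findings.append(Finding("lookalike_process_name",
                                        f"pid {p.pid} {p.name} imitates {legit}"))
            elif name == legit and not _in_system32(p.path):
                findings.append(Finding("system_binary_name_wrong_path",
                                        f"pid {p.pid} {p.name} runs from {p.path}"))
        if p.parent_name.lower() == "powershell.exe" and _in_temp(p.path):
            findings.append(Finding("powershell_spawned_temp_exe",
                                    f"pid {p.pid} {p.path}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse findings into a triage verdict for the host."""
    kinds = {f.indicator for f in findings}
    if {"dropped_payload_in_temp", "lookalike_process_name"} & kinds:
        return "likely_infected"
    return "suspicious" if kinds else "clean"


# Constructed snapshot: the infection chain from the article plus benign noise.
SAMPLE_PROCESSES = [
    ProcessRecord(4120, "EhStorAuthn.exe", r"C:\Windows\System32\EhStorAuthn.exe", "svchost.exe"),
    ProcessRecord(5301, "WindowsUpdate.exe", r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe", "powershell.exe"),
    ProcessRecord(5488, "EhStorAurhn.exe", r"C:\Users\alice\AppData\Local\Temp\EhStorAurhn.exe", "WindowsUpdate.exe"),
    ProcessRecord(1024, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",   # benign noise, not flagged
]

if __name__ == "__main__":
    results = triage(SAMPLE_PROCESSES, SAMPLE_FILES)
    for r in results:
        print(f"{r.indicator}: {r.detail}")
    print("verdict:", verdict(results))
```

On the constructed snapshot the script reports the dropped payload, the lookalike process and the PowerShell-spawned executable, and returns a verdict of likely_infected; the legitimate EhStorAuthn.exe in System32 produces no finding. The parent-process check is the weakest of the three on its own (software installers also launch from %TEMP%), which is why the verdict only escalates on the payload and lookalike indicators.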

Regardless of how sophisticated the Saint Bot Malware might be, you can rest assured that stopping it is not difficult. All you need to do is use reputable anti-malware software at all times.

April 12, 2021
