
SDBot Remote Access Trojan

SDBot is a C++-based remote access trojan (RAT) created by the TA505 advanced persistent threat (APT) group for use in its campaigns.

As SDBot is a second stage payload, it is reliant on TA505’s other tools for its delivery. At the time of publication, only the Get2 loader has been observed distributing SDBot, although it is likely other tools such as ServHelper and AndroMut may be used in future campaigns.

Once installed, SDBot uses application shimming (ATT&CK T1138, since re-filed as T1546.011) to escalate its privileges, then disables security services. It then connects to a command and control (C2) server over TCP port 443 and waits for further commands. By default, SDBot has the following capabilities:

  • launch a command shell
  • create remote desktop sessions
  • extract files
  • download and install further payloads
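Because the shimming step leaves artefacts that an analyst can hunt for, here is an added example (not code from the original article or from TA505's tooling) that flags application-shim installation over endpoint telemetry. It uses two well-known T1138 artefacts: execution of sdbinst.exe, the Windows shim database installer, and writes under the AppCompatFlags\InstalledSDB and AppCompatFlags\Custom registry keys. The sample events are constructed, simplified Sysmon-style records, not real SDBot telemetry, and the severity scheme is this example's own choice.

```python
"""Hunt for application-shim installation (ATT&CK T1138) in endpoint telemetry."""
import re

# sdbinst.exe is the Windows shim database installer; a custom .sdb run through it
# from a user-writable path is the classic T1138 pattern.
SDBINST_RE = re.compile(r"(?:^|\\)sdbinst\.exe$", re.IGNORECASE)
# Installed shims are registered under these AppCompatFlags keys; a write that does
# not come from sdbinst.exe suggests a shim being registered without the installer.
SHIM_KEY_RE = re.compile(r"\\AppCompatFlags\\(?:InstalledSDB|Custom)\\", re.IGNORECASE)
# Paths an unprivileged user can write to (example list, extend for your estate).
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\Public|AppData|Temp|ProgramData)\\", re.IGNORECASE)

# Constructed sample events (not real SDBot telemetry), simplified from Sysmon
# process-creation (type "process") and registry-set (type "registry") records.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r"sdbinst.exe -q C:\Users\Public\update.sdb",
     "parent": r"C:\Users\alice\AppData\Local\Temp\win.exe"},
    {"type": "process", "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r'sdbinst.exe -q "C:\Program Files\Vendor\fix.sdb"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\sdbinst.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
            r"\InstalledSDB\{00000000-0000-0000-0000-000000000001}\DatabasePath"},
    {"type": "registry", "image": r"C:\Users\alice\AppData\Local\Temp\win.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
            r"\Custom\notepad.exe\{00000000-0000-0000-0000-000000000001}.sdb"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]


def hunt_shims(events):
    """Return one finding per event that looks like a shim install, with a severity."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and SDBINST_RE.search(ev["image"]):
            # sdbinst.exe itself is legitimate; the .sdb source and the parent decide.
            from_user_path = bool(USER_WRITABLE_RE.search(ev.get("cmdline", ""))
                                  or USER_WRITABLE_RE.search(ev.get("parent", "")))
            findings.append({
                "technique": "T1138",
                "severity": "high" if from_user_path else "medium",
                "reason": "sdbinst.exe executed"
                          + (" with a user-writable .sdb or parent" if from_user_path else ""),
                "event": ev,
            })
        elif ev["type"] == "registry" and SHIM_KEY_RE.search(ev["key"]):
            # Registration without going through sdbinst.exe is the more suspicious case.
            by_installer = bool(SDBINST_RE.search(ev.get("image", "")))
            findings.append({
                "technique": "T1138",
                "severity": "medium" if by_installer else "high",
                "reason": "shim registry key written by "
                          + ("sdbinst.exe" if by_installer else "a process other than sdbinst.exe"),
                "event": ev,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_shims(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["reason"], "-", finding["event"]["image"])
```

Run against real Sysmon event ID 1 and 13 exports, the same two checks cover both the installer path and the direct registry registration; tune USER_WRITABLE_RE and add an allow-list of known vendor shim packages before alerting on the medium findings.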

Over the last two years, Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans.

Indicators of Compromise

IP Addresses

  • 103.75.118[.]231  
  • 170.75.175[.]209
  • 195.123.242[.]250

Domains

  • drm-server13-login-microsoftonline[.]com
  • news-server-drm-google[.]com
  • static-google-analtyic[.]com

SHA256 File Hashes

  • 6b3aa7a7a9771f7464263993b974c7ba233ec9bd445ea635e14a0764523cbef
  • 8916a09f205910759edb082175bf2808d2acae00c7ded5bb8c9c174f60ebe152
  • 99c76d377e1e37f04f749034f2c2a6f33cb785adee76ac44edb4156b5cbbaa9a
  • 9eaad594dd8038fc8d608e0c4826244069a7a016ffd8881d8f42f643c972630f
  • c2f99a2bba225fe3ab49cb952e418b2ab29ba7f2e34db6cf9bc51b0349d0acd8
  • edb838be33fde5878010ca84fc7765c8ff964af9e8387393f3fa7860c95fc70b
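To put the indicators above to use, here is an added example (not code from the original article) that refangs the list, validates each entry, and sweeps log lines for exact IP and hash matches and for domain matches that also catch subdomains of a listed domain. Validation matters here: the first hash in the list is 63 hex characters rather than 64, so it is reported as rejected instead of being silently searched for a value that can never match. The log lines are constructed for the example; the indicator values are copied from the list above.

```python
"""Normalise the SDBot indicators listed above and sweep constructed log lines for them."""
import ipaddress
import re

# Indicators copied from the list above, still defanged with "[.]".
RAW_IOCS = {
    "ip": ["103.75.118[.]231", "170.75.175[.]209", "195.123.242[.]250"],
    "domain": ["drm-server13-login-microsoftonline[.]com",
               "news-server-drm-google[.]com",
               "static-google-analtyic[.]com"],
    "sha256": [
        "6b3aa7a7a9771f7464263993b974c7ba233ec9bd445ea635e14a0764523cbef",
        "8916a09f205910759edb082175bf2808d2acae00c7ded5bb8c9c174f60ebe152",
        "99c76d377e1e37f04f749034f2c2a6f33cb785adee76ac44edb4156b5cbbaa9a",
        "9eaad594dd8038fc8d608e0c4826244069a7a016ffd8881d8f42f643c972630f",
        "c2f99a2bba225fe3ab49cb952e418b2ab29ba7f2e34db6cf9bc51b0349d0acd8",
        "edb838be33fde5878010ca84fc7765c8ff964af9e8387393f3fa7860c95fc70b",
    ],
}

# Constructed DNS, proxy and EDR log lines (not real traffic); line 6 carries an IP that
# shares a prefix with a listed indicator and must not match.
SAMPLE_LOG = [
    "2019-10-01T12:00:01Z dns client=10.0.0.5 query=news-server-drm-google.com type=A",
    "2019-10-01T12:00:02Z proxy client=10.0.0.5 dst=195.123.242.250:443 method=CONNECT bytes=4096",
    "2019-10-01T12:00:03Z dns client=10.0.0.6 query=www.google.com type=A",
    "2019-10-01T12:00:04Z dns client=10.0.0.7 query=mail.static-google-analtyic.com type=A",
    "2019-10-01T12:00:05Z edr host=WS-17 sha256=8916A09F205910759EDB082175BF2808D2ACAE00C7DED5BB8C9C174F60EBE152 path=C:\\Users\\Public\\win.exe",
    "2019-10-01T12:00:06Z proxy client=10.0.0.8 dst=170.75.175.20:443 method=CONNECT bytes=12",
]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)
HASH_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(value):
    """Undo the usual defanging so the indicator can be compared with live data."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def validate(kind, value):
    """Accept only well-formed indicators; a malformed one can never match and hides a typo."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    if kind == "sha256":
        return bool(SHA256_RE.match(value))
    return False


def load_iocs(raw):
    """Return ({kind: set(valid values)}, [(kind, raw value) rejected])."""
    iocs = {kind: set() for kind in raw}
    rejected = []
    for kind, values in raw.items():
        for value in values:
            clean = refang(value)
            if validate(kind, clean):
                iocs[kind].add(clean)
            else:
                rejected.append((kind, value))
    return iocs, rejected


def domain_hit(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def sweep(lines, iocs):
    """Tokenise each line and return (line number, kind, matched indicator) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_TOKEN_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_TOKEN_RE.findall(line):
            matched = domain_hit(host, iocs["domain"])
            if matched:
                hits.append((n, "domain", matched))
        for digest in HASH_TOKEN_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append((n, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    loaded, bad = load_iocs(RAW_IOCS)
    for kind, value in bad:
        print("rejected malformed", kind, value)
    for n, kind, value in sweep(SAMPLE_LOG, loaded):
        print(f"line {n}: {kind} match {value}")
```

Tokenising rather than substring-searching is what keeps 170.75.175.20 on line 6 from matching the listed 170.75.175.209, while the parent-domain walk in domain_hit still catches mail.static-google-analtyic.com on line 4.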

Duncan

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.
