SDBbot
Malware
⚠️ Overview
SDBbot is a remote access trojan (RAT) first documented in 2018 by Proofpoint and associated with the TA505 cybercriminal group, which is also linked to the Dridex banking trojan and the LockBit ransomware. This modular malware is primarily used for persistent backdoor access and data exfiltration, and it is often deployed as a secondary payload after an initial compromise via phishing campaigns or other droppers such as Get2 and FlawedAmmyy.
🔧 Technical Capabilities
SDBbot communicates with its command-and-control (C2) infrastructure over HTTPS, using encrypted TLS sessions to conceal traffic. It establishes persistence by creating a scheduled task or adding a registry Run key, and it injects into legitimate Windows processes such as svchost.exe or explorer.exe to evade detection. The trojan can execute arbitrary shell commands, download and upload files, and perform keylogging. It uses a custom protocol with base64-encoded C2 commands and supports a fallback DNS-based resolution mechanism. Its evasion techniques include checking for sandbox environments by analyzing disk size, CPU count, and running processes; it remains dormant if analysis tools are present. The malware also uses a mutex named `Global\SDB_MUTEX` to ensure that only a single instance runs.
📜 History & Notable Incidents
SDBbot first appeared in late 2018 in campaigns targeting financial institutions and retail organizations across North America and Europe. In 2019, TA505 used SDBbot as a post-exploitation tool after initial compromise via the FlawedAmmyy RAT or the Get2 loader, leading to ransomware deployment (LockBit, Clop). A notable campaign in 2020 targeted healthcare and pharmaceutical companies during the COVID-19 pandemic, as reported by CISA (AA20-302A). No new CVEs have been directly attributed to SDBbot, though it frequently exploits vulnerabilities in Microsoft Office (e.g., CVE-2017-0199) and Adobe Reader.
🔍 Detection Indicators
Known file hashes include SHA256 6c9a1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (example; actual hashes vary per campaign). Network indicators include HTTPS POST requests to C2 domains on destination port 443 using User-Agent strings such as `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`. Registry persistence is created under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with a value named `SDBSvc`. The mutex `Global\SDB_MUTEX` is a useful endpoint detection artifact.
☠️ Risk & Impact
SDBbot poses a high risk to targeted organizations by enabling data exfiltration, credential theft, and lateral movement that often culminates in ransomware deployment. Sectors most affected include finance, healthcare, and retail, with financial losses exceeding millions of dollars per incident. In 2021, TA505-linked SDBbot infections in healthcare led to patient data breaches and operational disruptions, as documented by the FBI’s Cyber Division alert.
🛡️ Mitigation
Defenders should implement endpoint detection and response (EDR) rules that alert on the `Global\SDB_MUTEX` mutex and on anomalous HTTPS traffic to unknown domains, provide phishing awareness training, and enforce least-privilege access. CISA advisory AA20-302A recommends blocking known C2 indicators and using YARA rules based on SDBbot's custom string patterns. Regular patching of Microsoft Office and Adobe Reader vulnerabilities is critical to prevent initial infection.
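As an added example (not part of the original profile), the following Python script turns the host and network indicators listed under Detection Indicators into the kind of EDR matching logic the Mitigation section calls for, and runs it over constructed sample telemetry. The event shape, the `KNOWN_DOMAINS` allow-list and the hostnames are assumptions for the demonstration.

```python
from __future__ import annotations

# Indicators taken from the profile above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SDBSvc"
MUTEX = r"Global\SDB_MUTEX"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Hypothetical allow-list of destinations that legitimately receive HTTPS POSTs.
KNOWN_DOMAINS = {"login.microsoftonline.com", "updates.example-corp.test"}

# Constructed sample telemetry, loosely shaped like Sysmon/EDR events (not real logs).
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "ws01", "key": RUN_KEY, "value": "OneDrive"},
    {"type": "registry_set", "host": "ws01", "key": RUN_KEY.lower(), "value": "sdbsvc"},
    {"type": "mutex_create", "host": "ws01", "name": r"Global\SDB_MUTEX", "image": r"C:\Windows\explorer.exe"},
    {"type": "http", "host": "ws01", "method": "POST", "dst": "login.microsoftonline.com", "port": 443, "user_agent": C2_USER_AGENT},
    {"type": "http", "host": "ws01", "method": "POST", "dst": "cdn-update-check.xyz", "port": 443, "user_agent": C2_USER_AGENT},
    {"type": "http", "host": "ws02", "method": "GET", "dst": "cdn-update-check.xyz", "port": 443, "user_agent": C2_USER_AGENT},
]


def match_event(ev: dict) -> tuple[str, str, str] | None:
    """Return (host, severity, reason) if the event matches an SDBbot indicator, else None."""
    kind = ev.get("type")
    if kind == "registry_set":
        # Registry paths and value names are case-insensitive on Windows.
        if ev["key"].casefold() == RUN_KEY.casefold() and ev["value"].casefold() == RUN_VALUE.casefold():
            return (ev["host"], "high", f"Run-key persistence value {RUN_VALUE}")
    elif kind == "mutex_create":
        # Kernel object names are case-sensitive, so compare exactly.
        if ev["name"] == MUTEX:
            return (ev["host"], "high", f"mutex {MUTEX} created by {ev['image']}")
    elif kind == "http":
        # The User-Agent is a stock Chrome prefix, so on its own it is noise; it only
        # counts together with a POST over 443 to a destination outside the allow-list.
        if (ev["method"] == "POST" and ev["port"] == 443
                and ev["dst"] not in KNOWN_DOMAINS and ev["user_agent"] == C2_USER_AGENT):
            return (ev["host"], "medium", f"HTTPS POST to unlisted domain {ev['dst']}")
    return None


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run every event through the indicator checks and collect the findings in order."""
    return [f for f in map(match_event, events) if f is not None]


if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```

The two high-severity findings are independent of each other, so either the Run-key value or the mutex alone is enough to triage the host; the network rule is deliberately weaker because the User-Agent string is shared with ordinary browsers.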
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.