SnipBot is a novel RomCom variant that uses advanced evasion, multi-stage payloads, and C2 communications to enable command execution and data exfiltration. It enters via malicious PDFs and emails, uses COM hijacking for persistence in Explorer, and employs anti-sandbox and code obfuscation to evade detection. #SnipBot #RomCom #COMHijacking #AntiSandbox #PDFDownloader
Keypoints
- Discovery of SnipBot: A new RomCom variant identified with unique obfuscation techniques.
- Infection Chain: Initial infection via a malicious PDF leading to an executable downloader.
- Post-Infection Activity: Attackers executed commands to gather information and attempted file exfiltration.
- Malware Capabilities: SnipBot can execute commands, download additional payloads, and communicate with C2 servers.
- Advanced Evasion Techniques: Code obfuscation and anti-sandbox measures to avoid detection.
- Potential Motivations: The actors may be shifting from financial gain to espionage across sectors.
- Protection Measures: Palo Alto Networks Cortex and Advanced WildFire help protect against SnipBot.
MITRE Techniques
- [T1203] Exploitation for Client Execution – Exploitation of a vulnerability in a PDF file to execute the downloader. Quote: “Exploitation of a vulnerability in a PDF file to execute the downloader.”
- [T1547] COM Hijacking – Use of COM hijacking to maintain persistence through the Explorer process. Quote: “Use of COM hijacking to maintain persistence through the Explorer process.”
- [T1068] Privilege Escalation – Potential elevation of privileges through execution of malicious payloads. Quote: “Potential elevation of privileges through execution of malicious payloads.”
- [T1027] Obfuscated/Compressed Files and Information – Code obfuscation techniques to evade detection. Quote: “Code obfuscation techniques to evade detection.”
- [T1003] Credential Access – Potential gathering of credentials through command execution. Quote: “Potential gathering of credentials through command execution.”
- [T1083] File and Directory Discovery – Gathering information about the file and directory structure of the victim’s system. Quote: “Gathering information about the file and directory structure of the victim’s system.”
- [T1041] Exfiltration – Exfiltration of files from the victim’s system to the attacker’s server. Quote: “Exfiltration of files from the victim’s system to the attacker’s server.”
- [T1021] Lateral Movement – Pivot through the victim’s network to reach other systems and exfiltrate data. Quote: “pivot through the victim’s network”
Indicators of Compromise
- [File Hash] SnipBot-related binaries – 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501, 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312
- [Mutex] SnipMutex – mutex created by the malware family
- [Domain] Command-and-control domains – fastshare.click, docstorage.link, publicshare.link
- [IP Address] C2/staging IPs – 52.72.49.79, 91.92.250.240
- [Registry Key] Registry-based persistence points – HKCU\Software\AppDataSoft, HKCU\Software\AppDataHigh
- [File Name] Downloader and payload names – Attachment_Medical report.exe, single.dll, keyprov.dll
- [Code Signer] Possible spoofed signers – COSMART LLC, KHAROS LLC
- [Domain] Additional domains referenced in C2 chains – xeontime.com, drvmcprotect.com
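As an added example (not code from the report or from Unit 42), the script below parses a per-user registry export in .reg text format and flags two things this page describes: a per-user CLSID InprocServer32 entry that redirects a COM server into a user-writable directory (the COM hijacking used for persistence in Explorer), and the HKCU\Software\AppDataSoft / AppDataHigh keys listed above as persistence points. The sample export, its GUIDs and file paths are constructed placeholders.

```python
import re

# Constructed sample of a per-user export (as produced by `reg export HKCU`), not from the report.
# GUIDs and paths are placeholders; only the AppDataSoft key name and keyprov.dll come from the page.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\user\\AppData\\Roaming\\keyprov.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\AppDataSoft]
"state"=hex:01,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"x"="y"
'''

# Persistence keys named in the report (under HKCU\Software), compared case-insensitively.
REPORT_PERSISTENCE_KEYS = {r"hkey_current_user\software\appdatasoft",
                           r"hkey_current_user\software\appdatahigh"}
# Directories an unprivileged user can write to; a COM server loaded from one of these
# into Explorer is a strong hijack signal.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
CLSID_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_com_hijacks(keys):
    """Return (clsid, dll_path) for per-user InprocServer32 entries in user-writable directories.
    HKCU\\Software\\Classes is consulted before HKLM, so such an entry overrides the machine-wide server."""
    hits = []
    for path, values in keys.items():
        m = CLSID_RE.match(path)
        if m and any(d in values.get("@", "").lower() for d in USER_WRITABLE):
            hits.append((m.group(1), values["@"]))
    return hits

def find_persistence_keys(keys):
    """Return the report's HKCU persistence keys that are present in the export."""
    return sorted(k for k in keys if k.lower() in REPORT_PERSISTENCE_KEYS)
```

Any per-user InprocServer32 entry deserves a look, not only those pointing into user-writable paths; the filter here keeps the output focused on the strongest signal.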
Read more: https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/