A brand new variant of the RomCom malware referred to as SnipBot, has been utilized in assaults that pivot on the community to steal information from compromised methods.
Palo Alto Community’s Unit 42 researchers found the brand new model of the malware after analyzing a DLL module utilized in SnipBot assaults.
The most recent SnipBot campaigns seem to focus on a wide range of victims throughout varied sectors, together with IT providers, authorized, and agriculture, to steal information and pivot on the community.
RomCom growth
RomCom is a backdoor that was used to ship Cuba ransomware in a number of malvertising campaigns [1, 2], in addition to for focused phishing operations [1, 2].
Its earlier launch, dubbed RomCom 4.0 by Development Micro researchers in late 2023, was lighter and stealthier in comparison with previous variants however retained a sturdy set of instructions.
RomCom 4.0’s capabilities included command execution, stealing recordsdata, dropping new payloads, modifying Home windows registry, and utilizing the safer TLS protocol for command and management (C2) communications.
SnipBot, which Unit 42 considers to be RomCom 5.0, employs an prolonged set of 27 instructions.
These instructions give the operator extra granular management over information exfiltration operations, permitting to set particular file varieties or directories to be focused, compressing the stolen information utilizing the 7-Zip file archiving instrument, and in addition introducing archive payloads to be extracted on the host for evasion.
Moreover, SnipBot now employs window message-based management stream obfuscation, dividing its code into blocks triggered in sequence by customized window messages.
New anti-sandboxing methods embody hash checks on the executable and created course of and verifying the existence of at the least 100 entries within the “RecentDocs” and 50 sub-keys within the “Shell Baggage” registry keys.
It is also value mentioning that SnipBot’s essential module, “single.dll,” is saved in an encrypted kind within the Home windows Registry from the place it s loaded into reminiscence. Extra modules downloaded from the C2 server, like “keyprov.dll,” are additionally decrypted and executed in reminiscence.
Assault vectors
Unit 42 was in a position to retrieve assault artifacts from VirusTotal submissions, which allowed them to work their method again to the preliminary an infection vector for SnipBot.
Usually, that begins with phishing emails containing hyperlinks to obtain seemingly innocuous recordsdata, resembling PDF paperwork, crafted to lure the recipient into clicking the hyperlink.
The researchers additionally describes a barely older preliminary vector involving a faux Adobe web site from the place the sufferer is meant to obtain a lacking font to have the ability to learn the hooked up PDF file.
Doing so triggers a collection of redirects throughout a number of domains below the attacker’s management (“fastshare[.]click on,” “docstorage[.]hyperlink,” and “publicshare[.]hyperlink”), finally delivering a malicious executable downloader from file-sharing platforms like “temp[.]sh”.
The downloaders are sometimes signed utilizing authentic certificates in order to not set off warnings from the sufferer’s safety instruments when fetching executables of DLL recordsdata from the C2.
A typical tactic for loading these payloads is to make use of COM hijacking to inject them into “explorer.exe,” which additionally achieved persistence between system reboots.
After compromising a system, the menace actor collects details about the corporate community and the area controller. Subsequent, they steal particular file varieties from the Paperwork, Downloads, and OneDrive directories.
Unit 42 says {that a} second discovery section follows utilizing the AD Explorer utility that enables viewing and enhancing Energetic Listing (AD) in addition to navigating the AD database.
Focused information is exfiltrated utilizing the PuTTY Safe Copy consumer after archiving it with WinRAR.
The researchers say that the attacker’s objective stays unclear because of the set of victims focused in SnipBot and RomCom assaults, however suspect that the menace actor’s goal has moved from monetary achieve to espionage operations.