Back

Inside SnipBot: The Latest RomCom Malware Variant

Sept. 24, 2024, 1:09 p.m.

Tags

romcom
2024-09-24
snipbot

External References

https://unit42.paloaltonetworks.com/

https://otx.alienvault.com/

Description

A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.

Date

Published Created Modified
Sept. 24, 2024, 12:39 p.m. Sept. 24, 2024, 12:39 p.m. Sept. 24, 2024, 1:09 p.m.

Indicators

adobe.cloudcreative.digital

cloudcreative.digital

f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671

e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8

cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317

a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436

b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045

92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d

5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8

60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315

5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118

5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129

57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312

2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4

1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154

0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501

91.92.254.54

91.92.250.106

91.92.250.240

91.92.254.234

91.92.250.104

79.141.170.34

91.92.242.87

38.180.5.251

23.137.249.14

23.137.248.220

212.46.38.222

185.225.74.94

23.184.48.90

23.137.249.182

Attack Patterns

SnipBot

RomCom

RomCom

T1021.002

T1021.001

T1074

T1059.003

T1547.001

T1012

T1497

T1113

T1574.001

T1005

T1016

T1518

T1082

T1057

T1083

T1055

T1140

T1033

T1027

T1112

T1078

Additional Informations

IT Services

Agriculture

Legal

Ukraine