Inside SnipBot: The Latest RomCom Malware Variant

Sept. 24, 2024, 1:09 p.m.

Description

A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.

External References

https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
https://otx.alienvault.com/pulse/66f2b2f5ea5aa05f215af2f5
Tags
romcom
2024-09-24
snipbot

Date

  • Created: Sept. 24, 2024, 12:39 p.m.
  • Published: Sept. 24, 2024, 12:39 p.m.
  • Modified: Sept. 24, 2024, 1:09 p.m.

Indicators

  • adobe.cloudcreative.digital
  • cloudcreative.digital
  • f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671
  • e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8
  • cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317
  • a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436
  • b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045
  • 92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d
  • 5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8
  • 60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315
  • 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118
  • 5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129
  • 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312
  • 2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4
  • 1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154
  • 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501
  • 91.92.254.54
  • 91.92.250.106
  • 91.92.250.240
  • 91.92.254.234
  • 91.92.250.104
  • 79.141.170.34
  • 91.92.242.87
  • 38.180.5.251
  • 23.137.249.14
  • 23.137.248.220
  • 212.46.38.222
  • 185.225.74.94
  • 23.184.48.90
  • 23.137.249.182
  • 1drv.fileshare.direct
  • sitepanel.top
  • mcprotect.cloud
  • publicshare.link
  • fastshare.click
  • ilogicflow.com
  • drvmcprotect.com
  • dns-msn.com
Download all indicators here!

Attack Patterns

  • SnipBot
  • RomCom
  • RomCom
  • T1021.002
  • T1021.001
  • T1074
  • T1059.003
  • T1547.001
  • T1012
  • T1497
  • T1113
  • T1574.001
  • T1005
  • T1016
  • T1518
  • T1082
  • T1057
  • T1083
  • T1055
  • T1140
  • T1033
  • T1027
  • T1112
  • T1078

Additional Informations

  • IT Services
  • Agriculture
  • Legal
  • Ukraine