{"id":5441,"date":"2024-09-24T04:15:59","date_gmt":"2024-09-24T09:15:59","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/romcom-malware-resurfaces-snipbot-variant"},"modified":"2024-09-24T04:15:59","modified_gmt":"2024-09-24T09:15:59","slug":"romcom-malware-resurfaces-with-snipbot-variant","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/24\/romcom-malware-resurfaces-with-snipbot-variant\/","title":{"rendered":"RomCom Malware Resurfaces With SnipBot Variant"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

The RomCom cyberespionage malware that <\/span>rampaged<\/a><\/span> through the Ukraine military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim’s system in a multi-stage attack.<\/span><\/p>\n

The variant, called SnipBot by researchers at Palo Alto’s Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed <\/span>in analysis<\/a><\/span> published this week. The malware is based on RomCom 3.0., but also shares techniques already seen in <\/span>RomCom 4.0<\/a><\/span>, making it version 5.0 of the original <\/span>RomCom remote access Trojan (RAT) family<\/a><\/span>.<\/span><\/p>\n

Earlier attacks of the actor behind RomCom \u2014 which also targeted <\/span>supporters of Ukraine<\/a><\/span> \u2014 often included ransomware payloads in addition to cyberespionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to exclusively focusing on intelligence-gathering, according to the post.<\/span><\/p>\n

Even so, “the attacker’s intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture,” Unit 42’s Yaron Samuel and Dominik Reichel wrote in the analysis.<\/span><\/p>\n

Related:<\/span>Dark Reading News Desk Live From Black Hat USA 2024<\/a><\/p>\n

Email Kicks Off Initial RomCom Attack<\/h2>\n

SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes “a basic set of features that allows the attacker to run commands on a victim’s system and download additional modules,” the researchers wrote.<\/span><\/p>\n

The PDF file shows distorted text that states a font is missing that\u2019s needed to show it correctly.<\/span><\/p>\n

“If the victim clicks on the contained link that\u2019s purported to download and install the font package, they will instead download the SnipBot downloader,” the researchers wrote.<\/span><\/p>\n

The malware itself is comprised of several stages, with the executable file followed by remaining payloads that are either further executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.<\/span><\/p>\n

“We don\u2019t know how the threat actors obtain these certificates, but it\u2019s likely they steal them or gain them by fraud,” they observed, adding that subsequent modules of the initial SnipBot malware were not signed.<\/span><\/p>\n

SnipBot’s Infection Vector<\/h2>\n

Related:<\/span>Meet UNC1860: Iran’s Low-Key Access Broker for State Hackers<\/a><\/p>\n

As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware’s code is split up into multiple unordered blocks that are triggered by custom window messages.<\/span><\/p>\n

The downloader also uses “two simple yet effective” anti-sandbox tricks, the researchers wrote. “The first one checks for the original file name by comparing the hashed process name against a hard-coded value,” while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry, “which is usually the case on a regular user\u2019s system but less likely to be the case in a sandbox system,” they wrote.<\/span><\/p>\n

Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file, and then subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim\u2019s system, as well as the ability download and execute additional payloads from C2.<\/span><\/p>\n

Unit 42 also witnessed post-infection activity aiming to gather information about the company\u2019s internal network as well as attempts to exfiltrate a list of different files from the victim\u2019s documents, downloads, and OneDrive folders to an external, attacker-controlled server.<\/span><\/p>\n

Related:<\/span>Mastercard’s Bet on Recorded Future a Win for Cyber Threat Intel<\/a><\/p>\n

RomCom Remains an Active Threat<\/h2>\n

The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyberespionage.<\/span><\/p>\n

As SnipBot demonstrates an evolution in threat capabilities with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed “the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats,” the researchers noted in their analysis.<\/span><\/p>\n

Given the RomCom threat actor’s interest in cyberespionage against <\/span>Ukraine and its supporters<\/a><\/span>, the Computer Emergency Response Team of Ukraine (CERT-UA) also has <\/span>published information<\/a><\/span> about the threat group and how it operates.<\/span><\/p>\n

“This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine,” the agency warned.<\/span><\/p>\n

CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

The RomCom cyberespionage malware that rampaged through the Ukraine military<\/p>\n","protected":false},"author":12,"featured_media":5442,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=1920%2C1079&ssl=1",1920,1079,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=640%2C359&ssl=1",640,359,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=1536%2C863&ssl=1",1536,863,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=1920%2C1079&ssl=1",1920,1079,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=1024%2C575&ssl=1",1024,575,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/romcom-malware-resurfaces-with-snipbot-variant.png?fit=1920%2C1079&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5441"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5441\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5442"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}