A new variant of the RomCom malware family [1] [2] [4], known as SnipBot [1] [5], has recently emerged with unique code obfuscation methods, different from previous versions like RomCom 3.0 and PEAPOD (RomCom 4.0) [4].

Description

In early April [4], an unusual DLL module was discovered by Advanced WildFire [4], identified as part of the SnipBot tool set [4]. This multistage attack targets Ukraine and its supporters [3], focusing on espionage activities rather than ransomware [3].

SnipBot uses valid code-signing certificates for the initial downloader, likely obtained through theft or fraud [2], while subsequent modules are unsigned [2]. The malware is distributed through phishing emails containing executable files disguised as PDFs [3], with the ability to download additional malicious modules onto victims’ systems [3].

The attacker’s behavior suggests an attempt to pivot through the victim’s network and exfiltrate files [2]. Analysis of post-infection activity reveals attempts to gather network information [1], exfiltrate files [1] [2], and explore Active Directory [1]. The malware authors appear experienced but not elite [1], with some minor code flaws present [1]. Samples of SnipBot date back to December 2023 [1], indicating its evolution from earlier RomCom versions [1].

Collaboration with Sophos has provided insight into the malware’s capabilities and the attackers’ activity on a victim’s system [2]. Palo Alto Networks offers protection against SnipBot through products like Cortex and Advanced WildFire [2], which classify the malware samples as malicious [2].

SnipBot demonstrates novel obfuscation methods and post-exploitation activities [3], highlighting the need for organizations to enhance their security measures [3]. The threat actor behind RomCom has been active since at least 2022 [3], engaging in various malicious activities [3], including cyber espionage against Ukraine and its supporters [3]. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about the group’s activities and advises organizations to remain vigilant against potential attacks [3].

Researchers at Palo Alto’s Unit 42 discovered this variant, which uses valid code-signing certificates to avoid detection and carries out multistage attacks by executing commands and downloading additional malicious files onto victims’ systems [5]. SnipBot has been spreading since December and poses a threat to organizations and individuals [5].
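The delivery vector above (an executable attachment dressed up as a PDF) is something a mail gateway or triage script can check before any signature verdict is trusted, since a valid Authenticode signature on the downloader is exactly what this campaign relies on. The following is an added illustration written for this page, not code from Unit 42 or any of the cited sources; the file names and header bytes are constructed samples, and the heuristics (magic bytes versus claimed extension, double extensions, RTL-override characters) are my own choice of checks.

```python
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"        # DOS/PE executable header
PDF_MAGIC = b"%PDF-"    # genuine PDF files start with this
# extensions Windows will execute when double-clicked (non-exhaustive)
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "lnk"}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_attachment(name: str, head: bytes) -> Verdict:
    """Flag an attachment whose name claims PDF but whose bytes or
    extension chain say executable. `head` is the first bytes on disk."""
    reasons = []
    exts = name.lower().split(".")[1:]          # every extension after the stem
    claims_pdf = "pdf" in exts
    is_pe = head.startswith(PE_MAGIC)
    is_pdf = head.startswith(PDF_MAGIC)

    if claims_pdf and is_pe:
        reasons.append("PE header under a PDF-looking name")
    if claims_pdf and not is_pdf and not is_pe:
        reasons.append("pdf extension but no %PDF- header")
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and "pdf" in exts[:-1]:
        reasons.append("double extension: pdf followed by an executable extension")
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable attachment")
    if "\u202e" in name:                        # right-to-left override trick
        reasons.append("RTL override character in file name")
    return Verdict(bool(reasons), reasons)


# constructed samples, not real campaign artifacts
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
}


def triage(samples: dict) -> dict:
    """Return {name: reasons} for every attachment judged suspicious."""
    return {n: inspect_attachment(n, h).reasons
            for n, h in samples.items() if inspect_attachment(n, h).suspicious}
```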

Conclusion

The emergence of SnipBot underscores the importance of robust cybersecurity measures to protect against evolving malware threats. Organizations must remain vigilant and implement proactive security measures to mitigate the risks posed by sophisticated malware like SnipBot. Collaboration between cybersecurity experts and organizations is crucial in identifying and addressing emerging threats, such as the RomCom malware family [1] [2] [4]. As SnipBot continues to evolve and spread, it is imperative for organizations to stay informed and take proactive steps to safeguard their systems and data from potential cyber attacks.

References

[1] https://blog.netmanageit.com/inside-snipbot-the-latest-romcom-malware-variant/
[2] https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
[3] https://www.darkreading.com/threat-intelligence/romcom-malware-resurfaces-snipbot-variant
[4] https://webboard-nsoc.ncsa.or.th/topic/1302/cyber-threat-intelligence-24-september-2024
[5] https://blog.cadre.net/it-security-newsletter/9-24-2024