Image courtesy of Palo Alto 2024-09-23 Palo Alto Unit42: Inside SnipBot: The Latest RomCom Malware Variant
This latest version integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants (RomCom 3.0 and PEAPOD/RomCom 4.0).
Key Points:
Capabilities: SnipBot allows attackers to execute commands and download additional modules onto the victim’s system. It deploys an initial signed executable downloader, followed by unsigned EXEs or DLLs.Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader. The downloader uses anti-sandbox tricks, including checking the file’s original name and verifying at least 100 entries in the RecentDocs registry key. It also employs window message-based control flow obfuscation.Post-Infection Activity:Downloads additional DLL payloads, injecting them into explorer.exe using COM hijacking. Specifically, it registers the malicious DLL (keyprov.dll) as a thumbnail cache library in the registry (HKCUSOFTWAREClassesCLSID).The primary payload, single.dll, listens on port 1342 for commands such as deleting registry keys, executing stored DLL payloads, and initiating further updates.Creates and manages registry keys (HKCUSOFTWAREAppDataSoftSoftware) to store encrypted payloads and keep track of updates.Command & Control: Contacts its C2 domains (e.g., xeontime[.]com) to download payloads. Encrypts strings, including the C2 domain and API function names, to evade detection.
Article Link: contagio: 2024-09-23 SNIPBOT RomCom Multi-Stage RAT Samples
1 post – 1 participant
Image courtesy of Palo Alto 2024-09-23 Palo Alto Unit42: Inside SnipBot: The Latest RomCom Malware Variant This latest version integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants (RomCom 3.0 and PEAPOD/RomCom 4.0).Key Points:Capabilities: SnipBot allows attackers to execute commands and download additional modules onto the victim’s system. It deploys an initial signed executable downloader, followed by unsigned EXEs or DLLs.Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader. The downloader uses anti-sandbox tricks, including checking the file’s original name and verifying at least 100 entries in the RecentDocs registry key. It also employs window message-based control flow obfuscation.Post-Infection Activity:Downloads additional DLL payloads, injecting them into explorer.exe using COM hijacking. Specifically, it registers the malicious DLL (keyprov.dll) as a thumbnail cache library in the registry (HKCUSOFTWAREClassesCLSID).The primary payload, single.dll, listens on port 1342 for commands such as deleting registry keys, executing stored DLL payloads, and initiating further updates.Creates and manages registry keys (HKCUSOFTWAREAppDataSoftSoftware) to store encrypted payloads and keep track of updates.Command & Control: Contacts its C2 domains (e.g., xeontime[.]com) to download payloads. Encrypts strings, including the C2 domain and API function names, to evade detection.Download Download. Email me if you need the password scheme.File Information├── 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501 atch scan052224 CV.exe ├── 2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4.exe ├── 5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129 Attachment CV June2024.exe ├── 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312 Attachment Medical report.exe ├── 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118 CV for a job.exe ├── 5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 Atch Data Breach Evidence.pdf Open with Adobe Acrobat.exe ├── a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436 atch List of Available Documents.exe ├── b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045 webtime-e.exe ├── cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317.exe └── f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671 резюме.pdf Malware Repo LinksOver the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
Article Link: contagio: 2024-09-23 SNIPBOT RomCom Multi-Stage RAT Samples
1 post – 1 participant
Read full topic