RomCom Malware Variant SnipBot Targets IT and Legal Sectors
Threat Group: RomCom
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Social engineering (phishing emails) and PDF exploits
Malware Used: SnipBot (RomCom 5.0 variant)
Threat Score: High (8.8/10) – due to its advanced command execution capabilities, obfuscation techniques, and wide target range across industries
Last Threat Observation: September 26, 2024 (Unit 42, Palo Alto Networks)
Overview
SnipBot, a variant of the RomCom malware family, is a sophisticated piece of malware used to target multiple sectors, including IT, legal, and agriculture. Discovered in September 2024, it operates primarily as a Remote Access Trojan (RAT) that exfiltrates sensitive data, executes remote commands, and maintains persistence on compromised systems. Its delivery vectors include phishing emails and fake Adobe download sites.
Key Details
- Delivery Method: Phishing emails with malicious PDF links, fake software download pages.
- Target: IT services, legal firms, agricultural businesses.
- Functions:
  - Remote command execution.
  - Data exfiltration using 7-Zip/WinRAR.
  - Advanced obfuscation techniques and anti-sandboxing methods.
  - Persistence through registry entries and COM hijacking.
Attack Vectors
SnipBot is delivered primarily via phishing emails that link to malicious PDFs or to downloads hosted on fake websites impersonating Adobe. Once installed, it can move laterally through the network and gather sensitive files, particularly those stored in OneDrive or similar directories.
Indicators of Compromise (IoCs)
Files (SHA256 - file type):
Domains/URLs:
IP Address:
- 91.92.250[.]104
Directory Paths:
- %LOCALAPPDATA%\KeyStore
- %LOCALAPPDATA%\DataCache
- %LOCALAPPDATA%\AppTemp
Registry Keys:
- HKCU\SOFTWARE\AppDataSoft
- HKCU\SOFTWARE\AppDataHigh
Mitigation and Prevention
- User Awareness: Train employees to recognize phishing attempts and avoid downloading files from unknown sources.
- Email Filtering: Implement email filtering to block malicious attachments and links.
- Antivirus Protection: Use real-time scanning and behavioral detection features to catch potential threats.
- Two-Factor Authentication (2FA): Enable 2FA for critical systems to prevent unauthorized access.
- Monitor Logs: Continuously monitor for abnormal registry modifications or network traffic to known malicious domains.
- Regular Updates: Ensure all systems and software are updated to prevent exploitation of known vulnerabilities.
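As an added host-triage example (not code from the advisory or from Unit 42's report), the PowerShell script below checks a single Windows host for the registry keys, %LOCALAPPDATA% directories and C2 address listed in the IoC section. The HKCU: drive notation and the assumption that it is run in the profile of the user being checked are mine; a hit is a lead for investigation, not proof of infection.

```powershell
# Added example: triage one Windows host for the SnipBot indicators in this advisory.
# HKCU and %LOCALAPPDATA% are per-user, so run this as the user whose profile is
# being checked (or loop over loaded hives for a multi-user host).

$findings = @()

# Registry keys the advisory lists as SnipBot persistence locations (HKCU\SOFTWARE\...).
$regKeys = @(
    'HKCU:\SOFTWARE\AppDataSoft',
    'HKCU:\SOFTWARE\AppDataHigh'
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        # Record every value stored under the key so the analyst sees what it holds.
        $values = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += "Registry key present: $key [$($values -join '; ')]"
    }
}

# Directory paths under %LOCALAPPDATA% the advisory associates with SnipBot.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
foreach ($dir in 'KeyStore', 'DataCache', 'AppTemp') {
    $path = Join-Path $localAppData $dir
    if (Test-Path -LiteralPath $path -PathType Container) {
        $files = Get-ChildItem -LiteralPath $path -Recurse -File -ErrorAction SilentlyContinue
        $findings += "Directory present: $path ($($files.Count) files)"
        # Hash the contents so they can be compared against the advisory's SHA256 indicators.
        foreach ($f in $files) {
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
            $findings += "  $($f.FullName) sha256=$hash"
        }
    }
}

# Live TCP connections to the C2 address from the advisory (defanged there as 91.92.250[.]104).
$c2 = '91.92.250.104'
$conns = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Connection to $c2 from PID $($c.OwningProcess) ($($proc.ProcessName)), local port $($c.LocalPort), state $($c.State)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No SnipBot indicators from this advisory found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The connection check only catches sessions open at the moment it runs; pair it with proxy or DNS logs for the domains listed above to cover past activity.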
Conclusion
SnipBot continues the evolution of RomCom malware by introducing new methods of persistence and obfuscation, making detection difficult. Its ability to steal data and operate across multiple sectors makes it a critical threat. Organizations should implement a combination of user training, technical controls, and regular monitoring to reduce the risk of compromise.
Sources:
- BleepingComputer - New RomCom malware variant 'SnipBot' spotted in data theft attacks
- Unit 42 - Inside SnipBot: The Latest RomCom Malware Variant