Inside SnipBot: The Latest RomCom Malware Variant
Essential information
- Published
- 24/09/2024 12:39
- Modified
- 24/09/2024 13:09
- Tags
- 2024-09-24 romcom snipbot
- Related entities
- 38 observables, 1 intrusion sets (apt), 21 techniques (mitre), 2 malware, 4 others
Description
A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.