Image courtesy of Palo Alto

2024-09-23 Palo Alto Unit42: Inside SnipBot: The Latest RomCom Malware Variant

This latest version integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants (RomCom 3.0 and PEAPOD/RomCom 4.0).

Key Points:

• Capabilities: SnipBot allows attackers to execute commands and download additional modules onto the victim's system. It deploys an initial signed executable downloader, followed by unsigned EXEs or DLLs.
• Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader. The downloader uses anti-sandbox tricks, including checking the file’s original name and verifying at least 100 entries in the RecentDocs registry key. It also employs window message-based control flow obfuscation.
• Post-Infection Activity:
  • Downloads additional DLL payloads, injecting them into explorer.exe using COM hijacking. Specifically, it registers the malicious DLL (keyprov.dll) as a thumbnail cache library in the registry (HKCU\SOFTWARE\Classes\CLSID).
  • The primary payload, single.dll, listens on port 1342 for commands such as deleting registry keys, executing stored DLL payloads, and initiating further updates.
  • Creates and manages registry keys (HKCU\SOFTWARE\AppDataSoft\Software) to store encrypted payloads and keep track of updates.
• Command & Control: Contacts its C2 domains (e.g., xeontime[.]com) to download payloads. Encrypts strings, including the C2 domain and API function names, to evade detection.