A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This strain employs new tricks and code obfuscation methods not seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.
Author: AlienVault
Related Tags:
SnipBot
IT Services
T1021.002
Legal
T1547.001
Agriculture
T1021.001
T1059.003
T1518
Associated Indicators:
B9677C50B20A1ED951962EDCB593CCE5F1ED9C742BC7BFF827A6FC420202B045
92C8B63B2DD31CF3AC6512F0DA60DABD0CE179023AB68B8838E7DC16EF7E363D
60D96087C35DADCA805B9F0AD1E53B414BCD3341D25D36E0190F1B2BBFD66315
0BE3116A3EDC063283F3693591C388EEC67801CDD140A90C4270679E01677501
5C71601717BED14DA74980AD554AD35D751691B2510653223C699E1F006195B8
E5812860A92EDCA97A2A04A3151D1247C066ED29AE6BBCF327D713FBAD7E79E8
1CB4FF70F69C988196052EAACF438B1D453BBFB08392E1DB3DF97C82ED35C154
5B30A5B71EF795E07C91B7A43B3C1113894A82DDFFC212A2FA71EEBC078F5118
CFB1E3CC05D575B86DB6C85267A52D8F1E6785B106797319A72DD6D19B4DC317