Thursday, December 5, 2024
HomeCyber Security NewsHackers Weaponizing PDF files To Deliver New SnipBot Malware

Hackers Weaponizing PDF files To Deliver New SnipBot Malware

Published on

SIEM as a Service

The RomCom malware family, particularly its SnipBot variant, has evolved into a sophisticated threat capable of ransomware, extortion, and targeted credential gathering.

It employs various attack methods, including PDF-based downloaders and executable payloads, to compromise victim systems. 

The threat actors behind RomCom have been active since at least 2022 and utilize stolen or fraudulently obtained code-signing certificates to enhance their malware’s legitimacy.

- Advertisement - SIEM as a Service

They employed a multi-stage email phishing campaign to deliver SnipBot malware by luring victims with malicious emails containing links that redirected to attacker-controlled domains, such as fastshare[.]click and docstorage[.]link, and then redirected to legitimate file-sharing services, like temp[.]sh, where the SnipBot downloader was hosted. 

Different URL chains from the email to the downloader 
Different URL chains from the email to the downloader 

Attackers used similar tactics in subsequent campaigns, creating new domains like publicshare[.]link to distribute different malware variants, demonstrating the attackers’ persistence and adaptability in targeting multiple victims.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

SnipBot is a new variant of the RomCom malware family that infects systems through a disguised executable file, using anti-sandbox tricks to avoid detection. It injects malicious code into legitimate processes. 

The malware communicates with its command and control server to receive commands and download additional payloads. These payloads can steal files, capture screenshots, establish network tunnels, and potentially perform other malicious activities. 

 SnipBot execution flows from the initial EXE downloader to the main bot file single.dll.
 SnipBot execution flows from the initial EXE downloader to the main bot file single.dll.

The researchers at Palo Alto Networks analyzed several newer versions of a downloader, finding that they were similar in function but differed in implementation.

All samples were hosted on temp[.]sh and connected to various C2 domains to download payloads. 

The newest version used dynamic API resolution and removed window message-based obfuscation, while older versions employed window-related API functions and registry-based anti-sandbox techniques, and the earliest version, submitted in December 2023, used a PDF lure to trick victims into downloading the downloader.

Fake Adobe website leading to the SnipBot downloader.
Fake Adobe website leading to the SnipBot downloader.

Attackers initially conducted reconnaissance on the victim’s network using command-line tools and then exfiltrated sensitive files, including personal health data, using WinRAR and PuTTY. 

They encountered challenges during the exfiltration process and attempted to resolve them by downloading additional payloads. They also created a snapshot of the local AD database, though it’s unclear whether this succeeded.

Ultimately, the attackers abandoned the victim’s system, likely due to limited access to company resources.

Code flaw by using the API function CreateDirectoryA() twice.
Code flaw by using the API function CreateDirectoryA() twice.

The malware analysis reveals a poorly coded C++ application that utilizes multiple long functions to implement its functionalities.

The code exhibits minor errors, suggesting the attacker’s familiarity with Windows development but lack professional expertise. 

For instance, the redundant use of the CreateDirectoryA API function indicates a likely copy-paste mistake.

It provides the C2 and staging domain information, including their last active IP addresses, which are crucial for identifying and disrupting the malware’s communication channels.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...