Cyber Security News

Hackers Weaponizing PDF files To Deliver New SnipBot Malware

The RomCom malware family, particularly its SnipBot variant, has evolved into a sophisticated threat capable of ransomware, extortion, and targeted credential gathering.

It employs various attack methods, including PDF-based downloaders and executable payloads, to compromise victim systems. 

The threat actors behind RomCom have been active since at least 2022 and utilize stolen or fraudulently obtained code-signing certificates to enhance their malware’s legitimacy.

They employed a multi-stage email phishing campaign to deliver SnipBot malware by luring victims with malicious emails containing links that redirected to attacker-controlled domains, such as fastshare[.]click and docstorage[.]link, and then redirected to legitimate file-sharing services, like temp[.]sh, where the SnipBot downloader was hosted. 

Different URL chains from the email to the downloader

Attackers used similar tactics in subsequent campaigns, creating new domains like publicshare[.]link to distribute different malware variants, demonstrating the attackers’ persistence and adaptability in targeting multiple victims.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

SnipBot is a new variant of the RomCom malware family that infects systems through a disguised executable file, using anti-sandbox tricks to avoid detection. It injects malicious code into legitimate processes. 

The malware communicates with its command and control server to receive commands and download additional payloads. These payloads can steal files, capture screenshots, establish network tunnels, and potentially perform other malicious activities. 

SnipBot execution flows from the initial EXE downloader to the main bot file single.dll.

The researchers at Palo Alto Networks analyzed several newer versions of a downloader, finding that they were similar in function but differed in implementation.

All samples were hosted on temp[.]sh and connected to various C2 domains to download payloads. 

The newest version used dynamic API resolution and removed window message-based obfuscation, while older versions employed window-related API functions and registry-based anti-sandbox techniques, and the earliest version, submitted in December 2023, used a PDF lure to trick victims into downloading the downloader.

Fake Adobe website leading to the SnipBot downloader.

Attackers initially conducted reconnaissance on the victim’s network using command-line tools and then exfiltrated sensitive files, including personal health data, using WinRAR and PuTTY. 

They encountered challenges during the exfiltration process and attempted to resolve them by downloading additional payloads. They also created a snapshot of the local AD database, though it’s unclear whether this succeeded.

Ultimately, the attackers abandoned the victim’s system, likely due to limited access to company resources.

Code flaw by using the API function CreateDirectoryA() twice.

The malware analysis reveals a poorly coded C++ application that utilizes multiple long functions to implement its functionalities.

The code exhibits minor errors, suggesting the attacker’s familiarity with Windows development but lack professional expertise. 

For instance, the redundant use of the CreateDirectoryA API function indicates a likely copy-paste mistake.

It provides the C2 and staging domain information, including their last active IP addresses, which are crucial for identifying and disrupting the malware’s communication channels.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Aman Mishra

Recent Posts

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

12 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

12 hours ago

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence Information…

12 hours ago

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the start…

12 hours ago

Hackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from the…

12 hours ago

APT-C-60 Hackers Penetrate Org’s Network Using a Weapanized Google Drive link

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack…

13 hours ago