Hackers Weaponizing PDF files To Deliver New SnipBot Malware

The RomCom malware family, particularly its SnipBot variant, has evolved into a sophisticated threat capable of ransomware, extortion, and targeted credential gathering.

It employs various attack methods, including PDF-based downloaders and executable payloads, to compromise victim systems. 

The threat actors behind RomCom have been active since at least 2022 and utilize stolen or fraudulently obtained code-signing certificates to enhance their malware’s legitimacy.

They employed a multi-stage email phishing campaign to deliver SnipBot malware by luring victims with malicious emails containing links that redirected to attacker-controlled domains, such as fastshare[.]click and docstorage[.]link, and then redirected to legitimate file-sharing services, like temp[.]sh, where the SnipBot downloader was hosted. 

Attackers used similar tactics in subsequent campaigns, creating new domains like publicshare[.]link to distribute different malware variants, demonstrating the attackers’ persistence and adaptability in targeting multiple victims.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

SnipBot is a new variant of the RomCom malware family that infects systems through a disguised executable file, using anti-sandbox tricks to avoid detection. It injects malicious code into legitimate processes. 

The malware communicates with its command and control server to receive commands and download additional payloads. These payloads can steal files, capture screenshots, establish network tunnels, and potentially perform other malicious activities. 

The researchers at Palo Alto Networks analyzed several newer versions of a downloader, finding that they were similar in function but differed in implementation.

All samples were hosted on temp[.]sh and connected to various C2 domains to download payloads. 

The newest version used dynamic API resolution and removed window message-based obfuscation, while older versions employed window-related API functions and registry-based anti-sandbox techniques, and the earliest version, submitted in December 2023, used a PDF lure to trick victims into downloading the downloader.

Attackers initially conducted reconnaissance on the victim’s network using command-line tools and then exfiltrated sensitive files, including personal health data, using WinRAR and PuTTY. 

They encountered challenges during the exfiltration process and attempted to resolve them by downloading additional payloads. They also created a snapshot of the local AD database, though it’s unclear whether this succeeded.

Ultimately, the attackers abandoned the victim’s system, likely due to limited access to company resources.

The malware analysis reveals a poorly coded C++ application that utilizes multiple long functions to implement its functionalities.

The code exhibits minor errors, suggesting the attacker’s familiarity with Windows development but lack professional expertise. 

For instance, the redundant use of the CreateDirectoryA API function indicates a likely copy-paste mistake.

It provides the C2 and staging domain information, including their last active IP addresses, which are crucial for identifying and disrupting the malware’s communication channels.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free