RomCom Malware Resurfaces With SnipBot Variant
The latest version of the evolving threat is a multistage attack demonstrating a move away from ransomware to purely espionage activities, typically targeting Ukraine and its supporters.
September 24, 2024
The RomCom cyber-espionage malware that rampaged through the Ukrainian military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim's system in a multistage attack.
The variant, called SnipBot by researchers at Palo Alto Networks' Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed in an analysis published this week. The malware is based on RomCom 3.0, but it also shares techniques already seen in RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family.
Earlier attacks by the actor behind RomCom, which also targeted supporters of Ukraine, often included ransomware payloads in addition to cyber-espionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to focus exclusively on intelligence gathering, according to the post.
Even so, "the attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture," Unit 42's Yaron Samuel and Dominik Reichel wrote in the analysis.
Email Kicks Off Initial RomCom Attack
SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes "a basic set of features that allows the attacker to run commands on a victim's system and download additional modules," the researchers wrote.
The PDF displays distorted text and claims that a font needed to render it correctly is missing.
"If the victim clicks on the contained link that’s purported to download and install the font package, they will instead download the SnipBot downloader," the researchers wrote.
The malware itself is composed of several stages, with the initial executable followed by further payloads that are either additional executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.
"We don’t know how the threat actors obtain these certificates, but it's likely they steal them or gain them by fraud," they observed, adding that subsequent modules of the initial SnipBot malware were not signed.
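A triage script along these lines, added here as an example and not part of the Unit 42 analysis, treats a valid Authenticode signature as one data point rather than a verdict: it lists recently written executables in a folder with their signer, flags those whose signer is not on a local allowlist, and separately flags executables named to look like PDFs. The folder, the look-back window, and the allowlist entries are assumptions to adapt to your own environment.

```powershell
# Added example (not code from the Unit 42 report or from SnipBot).
# Assumptions: $Folder, $Days and $TrustedSigners are placeholders for your environment.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    [int]$Days = 7
)

# Signer subjects (exact match) expected on this host; anything else is queued for review.
$TrustedSigners = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

$since = (Get-Date).AddDays(-$Days)
$files = Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

$results = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }

    # A 'Valid' status only proves the certificate chain verifies. A stolen or
    # fraudulently obtained certificate passes this check too, so a valid signature
    # from an unfamiliar signer still needs a human look.
    $verdict = switch ($sig.Status) {
        'Valid'     { if ($TrustedSigners -contains $subject) { 'trusted-signer' } else { 'REVIEW: valid but unknown signer' } }
        'NotSigned' { 'REVIEW: unsigned' }
        default     { "REVIEW: signature $($sig.Status)" }
    }

    [PSCustomObject]@{
        File         = $f.FullName
        # Executable carrying a .pdf inner extension, the lure shape described above.
        PdfLookalike = ($f.Name -match '\.pdf\.(exe|scr)$')
        Signer       = $subject
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { '' }
        NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
        Verdict      = $verdict
    }
}

$results | Sort-Object Verdict, PdfLookalike -Descending | Format-Table -AutoSize
```

Run it as the user whose Downloads folder is being triaged; the Thumbprint and NotAfter columns give you what you need to revoke-check or allowlist a signer after review.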
SnipBot's Infection Vector
As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware's code is split up into multiple unordered blocks that are triggered by custom window messages.
The downloader also uses "two simple yet effective" anti-sandbox tricks, the researchers wrote. "The first one checks for the original file name by comparing the hashed process name against a hard-coded value," while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry key, "which is usually the case on a regular user’s system but less likely to be the case in a sandbox system," they wrote.
Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file and then deliver subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim’s system, as well as the ability to download and execute additional payloads from the C2.
Unit 42 also witnessed post-infection activity aiming to gather information about the company's internal network as well as attempts to exfiltrate a list of different files from the victim’s documents, downloads, and OneDrive folders to an external, attacker-controlled server.
RomCom Remains an Active Threat
The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyber espionage.
As SnipBot demonstrates an evolution in threat capabilities, with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed in its analysis "the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats."
Given the RomCom threat actor's interest in cyber espionage against Ukraine and its supporters, the Computer Emergency Response Team of Ukraine (CERT-UA) also has published information about the threat group and how it operates.
"This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine," the agency warned.
CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.