Palo Alto Networks has discovered a new version of the RomCom malware called SnipBot, which uses advanced methods to steal data and infect systems in various industries.
Researchers at Palo Alto Networks' Unit 42 have uncovered a new variant of the RomCom malware, named SnipBot, which has been used in a series of data theft attacks. The new strain has been observed targeting sectors such as IT services, legal, and agriculture, using a combination of obfuscation and in-memory loading to infiltrate systems, steal sensitive data, and move laterally within networks.
SnipBot, which Unit 42 classifies as RomCom 5.0, builds on earlier RomCom versions; the RomCom family had previously been linked to the delivery of Cuba ransomware in phishing campaigns. The new variant supports an extended set of 27 commands that give operators finer control over data theft operations. These commands allow attackers to target specific file types, compress stolen data with 7-Zip, and package payloads in archives to evade detection.
SnipBot also employs code obfuscation techniques such as window message-based control flow, in which the code is split into blocks that are executed in sequence as window messages are dispatched, making static analysis and detection harder. Anti-sandbox measures, including hash-based checks and verifying that certain registry entries exist, help the malware avoid running inside analysis environments.
One of SnipBot's key features is that its main module, single.dll, is stored in the Windows Registry in encrypted form and is decrypted and executed directly from memory rather than from a file on disk. Additional modules, such as keyprov.dll, are likewise downloaded and executed in memory, so file-based scanning alone is unlikely to catch them.
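Because the module lives in the registry as an encrypted blob, one practical hunt is to look for large, high-entropy binary registry values under writable software hives. The script below is an added example for this article, not code from Unit 42 or from the malware; the hive roots, the 16 KB size floor, and the 7.2-bit entropy threshold are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added hunting example (not from the Unit 42 report). Flags REG_BINARY values
# that are both large and close to random, which is what an encrypted payload
# stored in the registry looks like. Roots and thresholds are assumptions.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [Math]::Log($p, 2)   # bits per byte, max 8.0
        }
    }
    return $entropy
}

function Find-SuspiciousRegistryBlobs {
    param(
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE'),  # assumed hives
        [int]$MinSize = 16KB,                                     # assumed floor
        [double]$MinEntropy = 7.2                                 # assumed threshold
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # Only REG_BINARY values can hold a raw encrypted module
                if ($key.GetValueKind($name) -ne 'Binary') { continue }
                $data = [byte[]]$key.GetValue($name)
                if ($data.Length -lt $MinSize) { continue }
                $h = Get-ShannonEntropy -Bytes $data
                if ($h -ge $MinEntropy) {
                    [PSCustomObject]@{
                        Key     = $key.Name
                        Value   = $name
                        Bytes   = $data.Length
                        Entropy = [Math]::Round($h, 3)
                    }
                }
            }
        }
    }
}

# Run it and review the hits; pipe to Export-Csv to keep a record for the IR ticket.
Find-SuspiciousRegistryBlobs | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Expect some benign hits: certificate stores, compressed application settings, and DRM data also score high on entropy, so treat the output as a triage list to be correlated with process telemetry (for example, a process that reads the value and then allocates executable memory), not as a verdict on its own. Recursing all of HKLM:\SOFTWARE can take several minutes on a busy host; narrow the roots if the script is being pushed fleet-wide.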
Palo Alto Networks provided a detailed executive summary of their discovery, noting, "We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain uses unique code obfuscation methods alongside techniques seen in previous RomCom versions."
The researchers explained how the discovery unfolded, stating, "In early April, our sandbox Advanced WildFire uncovered an unusual DLL module that turned out to be part of the broader tool set known as SnipBot. By examining the malware sample and utilizing Cortex XDR telemetry data, we were able to reconstruct the infection chain and track the attacker’s actions."
Palo Alto Networks also collaborated with other cybersecurity firms: "In collaboration with Sophos, which initially found this new RomCom version in February during an incident, we investigated the malware’s capabilities and gathered knowledge about the attackers' activities."
While the ultimate objective of the attackers remains unclear, Unit 42 emphasized that SnipBot enables attackers to execute commands and download additional modules. "This new version is based primarily on RomCom 3.0 but includes techniques from PEAPOD (RomCom 4.0), leading us to classify it as RomCom 5.0," they added.
The emergence of SnipBot as a new RomCom variant shows how this malware family continues to mature. Because it targets a broad range of sectors and combines in-memory execution with data exfiltration and evasion techniques, organizations need to look beyond file-based scanning. Robust email security, endpoint telemetry that covers process and registry activity, and a defense strategy that is kept current are essential to mitigating the risk of these evolving malware attacks.
Malware is malicious software designed to damage, disrupt, or gain unauthorized access to computer systems or networks. It includes viruses, worms, ransomware, spyware, and other harmful programs.
Malware can spread through phishing emails, infected attachments, malicious websites, software downloads, or network vulnerabilities. It can also propagate via USB drives or other external media.
Common signs of infection include slow computer performance, frequent crashes, unexpected pop-ups, unauthorized access to files, unusual network activity, and settings that change without your consent.