Inside SnipBot: The Latest RomCom Malware Variant

    Date: 09/24/2024

    Severity: High

    Summary

    Palo Alto Networks Unit 42 (see Reference) has uncovered a new variant of the RomCom malware family, named SnipBot, and for the first time documented the attacker's post-infection activity on victim systems. The strain combines new obfuscation techniques with methods carried over from earlier versions, RomCom 3.0 and PEAPOD (RomCom 4.0). In early April 2024 the Advanced WildFire sandbox flagged a suspicious DLL belonging to the SnipBot toolkit; by analyzing the malware and correlating Cortex XDR telemetry, Unit 42 reconstructed the infection chain and the attacker's hands-on actions.

    Indicators of Compromise (IOC) List

    Domains\URLs

    mcprotect.cloud

    cethernet.com

    certifysop.com

    docstorage.link

    fastshare.click

    olminx.com

    xeontime.com

    publicshare.link

    drv2ms.com

    sitepanel.top

    1drv.fileshare.direct

    drvmcprotect.com

    ilogicflow.com

    webtimeapi.com

    linedrv.com

    adobe.cloudcreative.digital

    IP Address

    91.92.250.104

    Hash

    cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317
    
    5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129
    
    5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118
    
    b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045
    
    0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501
    
    2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4
    
    a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436
    
    57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312
    
    1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154
    
    60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315
    
    e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8
    
    f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671
    
    92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d
    
    5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8

    Registry Keys

    HKCU\SOFTWARE\AppDataSoft

    HKCU\SOFTWARE\AppDataHigh

    Directory Path 

    %LOCALAPPDATA%\KeyStore

    %LOCALAPPDATA%\DataCache

    %LOCALAPPDATA%\AppTemp

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs

    userdomainname like "mcprotect.cloud" or url like "mcprotect.cloud" or userdomainname like "cethernet.com" or url like "cethernet.com" or userdomainname like "certifysop.com" or url like "certifysop.com" or userdomainname like "docstorage.link" or url like "docstorage.link" or userdomainname like "fastshare.click" or url like "fastshare.click" or userdomainname like "olminx.com" or url like "olminx.com" or userdomainname like "xeontime.com" or url like "xeontime.com" or userdomainname like "publicshare.link" or url like "publicshare.link" or userdomainname like "drv2ms.com" or url like "drv2ms.com" or userdomainname like "sitepanel.top" or url like "sitepanel.top" or userdomainname like "1drv.fileshare.direct" or url like "1drv.fileshare.direct" or userdomainname like "drvmcprotect.com" or url like "drvmcprotect.com" or userdomainname like "ilogicflow.com" or url like "ilogicflow.com" or userdomainname like "webtimeapi.com" or url like "webtimeapi.com" or userdomainname like "linedrv.com" or url like "linedrv.com" or userdomainname like "adobe.cloudcreative.digital" or url like "adobe.cloudcreative.digital"

    IP Address

    dstipaddress IN ("91.92.250.104") or ipaddress IN ("91.92.250.104") or publicipaddress IN ("91.92.250.104") or srcipaddress IN ("91.92.250.104")

    Hash

    sha256hash IN ("cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317","5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129","5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118","b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045","0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501","2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4","a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436","57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312","1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154","5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8","60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315","92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d","e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8","f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671")

    Registry Key (Windows Security log, event 4657)

    (resourcename = "Windows Security"  AND eventtype = "4657"  ) AND winmessage In ("HKCU\SOFTWARE\AppDataSoft","HKCU\SOFTWARE\AppDataHigh")

    Registry Key (EDR telemetry)

    technologygroup = "EDR" AND winmessage In ("HKCU\SOFTWARE\AppDataSoft","HKCU\SOFTWARE\AppDataHigh")

    Directory Path (Windows Security log, event 4663)

    (resourcename = "Windows Security"  AND eventtype = "4663"  ) AND winmessage In ("%LOCALAPPDATA%\KeyStore","%LOCALAPPDATA%\DataCache","%LOCALAPPDATA%\AppTemp")

    Directory Path (EDR telemetry)

    technologygroup = "EDR" AND winmessage In ("%LOCALAPPDATA%\KeyStore","%LOCALAPPDATA%\DataCache","%LOCALAPPDATA%\AppTemp")

    Note on the registry and directory queries: Windows generates events 4657 and 4663 only when the Registry and File System object-access audit subcategories are enabled and a SACL covers the key or folder, so confirm that auditing is in place before relying on these rules. The Security log also records registry objects as \REGISTRY\USER\<SID>\SOFTWARE\AppDataSoft (Sysmon uses HKU\<SID>\...) and file paths in expanded form (C:\Users\<user>\AppData\Local\KeyStore), so the literal strings "HKCU\" and "%LOCALAPPDATA%" never appear in the logged message. Match on the expanded forms, and on anything beneath the listed folders and keys, rather than on the exact strings above.
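    The matching logic below is an added worked example and is not code from the Gurucul page or from the Unit 42 report. It loads the indicators listed on this page into a small Python matcher and shows the normalisation a literal SIEM string match lacks: registry objects logged as \REGISTRY\USER\<SID>\... (Security event 4657) or HKU\<SID>\... (Sysmon event 13) are folded back to HKCU\..., expanded C:\Users\<user>\AppData\Local\... paths are folded back to %LOCALAPPDATA%\..., and domains are matched by label suffix so cdn.cethernet.com fires while the look-alike notcethernet.com does not. The sample events, user name, SID and hash casing are constructed for the example; ObjectName and TargetObject follow the Windows Security and Sysmon field names, while host, dst_ip and sha256 are assumed names for a normalised proxy/firewall/EDR record, not Gurucul field names.

```python
"""Match the SnipBot indicators from this page against constructed sample events.

Added example, not code from the Gurucul page or the Unit 42 report. Indicator values are
those listed above; the events, user name, SID and hash casing are constructed. Logged
spellings (\\REGISTRY\\USER\\<SID>\\..., HKU\\<SID>\\..., C:\\Users\\<user>\\AppData\\Local\\...)
are folded to the HKCU\\... and %LOCALAPPDATA%\\... forms of the IOC list before matching.
"""
import re
from typing import Optional

DOMAINS = {
    "mcprotect.cloud", "cethernet.com", "certifysop.com", "docstorage.link",
    "fastshare.click", "olminx.com", "xeontime.com", "publicshare.link", "drv2ms.com",
    "sitepanel.top", "1drv.fileshare.direct", "drvmcprotect.com", "ilogicflow.com",
    "webtimeapi.com", "linedrv.com", "adobe.cloudcreative.digital",
}
IPS = {"91.92.250.104"}
SHA256 = {  # the 14 hashes from the IOC list, lower-case
    "cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317",
    "5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129",
    "5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118",
    "b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045",
    "0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501",
    "2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4",
    "a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436",
    "57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312",
    "1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154",
    "60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315",
    "e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8",
    "f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671",
    "92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d",
    "5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8",
}
REG_KEYS = {r"HKCU\SOFTWARE\AppDataSoft", r"HKCU\SOFTWARE\AppDataHigh"}
DIRS = {r"%LOCALAPPDATA%\KeyStore", r"%LOCALAPPDATA%\DataCache", r"%LOCALAPPDATA%\AppTemp"}
REGISTRY_EVENT_IDS = {4657, 12, 13, 14}  # Security 4657; Sysmon registry events 12/13/14

# Per-user hive prefixes as they appear in Security (\REGISTRY\USER\<SID>) and Sysmon (HKU\<SID>) logs.
_USER_HIVE = re.compile(r"^(?:\\REGISTRY\\USER|HKU|HKEY_USERS)\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.I)
_LOCALAPPDATA = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\", re.I)

def normalize_registry_path(path: str) -> str:
    """Fold any per-user hive spelling to the HKCU\\... form used in the IOC list."""
    path = path.replace("/", "\\").rstrip("\\")
    path = _USER_HIVE.sub(r"HKCU\\", path)
    return re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", path, flags=re.I)

def normalize_file_path(path: str) -> str:
    """Fold an expanded C:\\Users\\<user>\\AppData\\Local\\... path back to %LOCALAPPDATA%\\..."""
    return _LOCALAPPDATA.sub(r"%LOCALAPPDATA%\\", path.replace("/", "\\").rstrip("\\"))

def _under(normalized: str, ioc: str) -> bool:
    """True if the path is the IOC itself or anything beneath it (Windows paths are case-insensitive)."""
    n, i = normalized.lower(), ioc.lower()
    return n == i or n.startswith(i + "\\")

def domain_match(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # the host itself, then each parent domain
        if candidate in DOMAINS:
            return candidate
    return None

def match_event(event: dict) -> list:
    """Return the indicator hits for one event record."""
    hits = []
    obj = event.get("ObjectName") or event.get("TargetObject")
    if obj and event.get("event_id") in REGISTRY_EVENT_IDS:
        norm = normalize_registry_path(obj)
        hits += [f"registry:{k}" for k in sorted(REG_KEYS) if _under(norm, k)]
    elif obj:
        norm = normalize_file_path(obj)
        hits += [f"path:{d}" for d in sorted(DIRS) if _under(norm, d)]
    hit = domain_match(event["host"]) if event.get("host") else None
    if hit:
        hits.append(f"domain:{hit}")
    if event.get("dst_ip") in IPS:
        hits.append(f"ip:{event['dst_ip']}")
    if event.get("sha256", "").lower() in SHA256:
        hits.append(f"sha256:{event['sha256'].lower()}")
    return hits

def scan(events) -> dict:
    """Map event index -> hits for every event that matched at least one indicator."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}

# Constructed events: two registry spellings, a staged DLL, a benign Temp write, a subdomain of
# an IOC, a look-alike domain, the C2 address, and an upper-cased hash from an EDR alert.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4657, "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\AppDataSoft"},
    {"source": "Sysmon", "event_id": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\AppDataHigh\cfg"},
    {"source": "Security", "event_id": 4663, "ObjectName": r"C:\Users\alice\AppData\Local\KeyStore\keyprov.dll"},
    {"source": "Security", "event_id": 4663, "ObjectName": r"C:\Users\alice\AppData\Local\Temp\setup.tmp"},
    {"source": "proxy", "host": "cdn.cethernet.com", "dst_ip": "203.0.113.10"},
    {"source": "proxy", "host": "notcethernet.com", "dst_ip": "198.51.100.7"},
    {"source": "firewall", "dst_ip": "91.92.250.104"},
    {"source": "edr", "sha256": "CFB1E3CC05D575B86DB6C85267A52D8F1E6785B106797319A72DD6D19B4DC317"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["source"], hits)
```

    Running the script reports hits for events 0, 1, 2, 4, 6 and 7 only: the benign Temp write and the look-alike domain stay silent, while both registry spellings resolve to the HKCU form from the IOC list. Feeding real 4657/4663 or Sysmon records through the same two normalisers is the practical way to use the registry and directory indicators above.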

    Reference:

    https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ 


    Tags: Malware, Backdoor, RomCom, SnipBot
