Date: 09/24/2024
Severity: High
Summary
We’ve uncovered a new variant of the RomCom malware family named SnipBot, revealing post-infection activity on victim systems for the first time. This strain employs unique obfuscation techniques alongside methods from earlier versions, RomCom 3.0 and PEAPOD (RomCom 4.0). In early April, our Advanced WildFire sandbox identified a suspicious DLL linked to the SnipBot toolkit. By analyzing the malware and leveraging Cortex XDR telemetry, we reconstructed the infection chain and the attacker’s actions.
Indicators of Compromise (IOC) List
Domains\URLs | mcprotect.cloud cethernet.com certifysop.com docstorage.link fastshare.click olminx.com xeontime.com publicshare.link drv2ms.com sitepanel.top 1drv.fileshare.direct drvmcprotect.com ilogicflow.com webtimeapi.com linedrv.com adobe.cloudcreative.digital |
IP Address | 91.92.250.104 |
Hash |
cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317
5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129
5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118
b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045
0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501
2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4
a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436
57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312
1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154
60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315
e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8
f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671
92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d
5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 |
Registry Keys | HKCU\SOFTWARE\AppDataSoft HKCU\SOFTWARE\AppDataHigh |
Directory Path | %LOCALAPPDATA%\KeyStore %LOCALAPPDATA%\DataCache %LOCALAPPDATA%\AppTemp |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs | userdomainname like "mcprotect.cloud" or url like "mcprotect.cloud" or userdomainname like "cethernet.com" or url like "cethernet.com" or userdomainname like "certifysop.com" or url like "certifysop.com" or userdomainname like "docstorage.link" or url like "docstorage.link" or userdomainname like "fastshare.click" or url like "fastshare.click" or userdomainname like "olminx.com" or url like "olminx.com" or userdomainname like "xeontime.com" or url like "xeontime.com" or userdomainname like "publicshare.link" or url like "publicshare.link" or userdomainname like "drv2ms.com" or url like "drv2ms.com" or userdomainname like "sitepanel.top" or url like "sitepanel.top" or userdomainname like "1drv.fileshare.direct" or url like "1drv.fileshare.direct" or userdomainname like "drvmcprotect.com" or url like "drvmcprotect.com" or userdomainname like "ilogicflow.com" or url like "ilogicflow.com" or userdomainname like "webtimeapi.com" or url like "webtimeapi.com" |
IP Address | dstipaddress IN ("91.92.250.104") or ipaddress IN ("91.92.250.104") or publicipaddress IN ("91.92.250.104") or srcipaddress IN ("91.92.250.104") |
Hash |
sha256hash IN ("cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317","5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129","5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118","b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045","0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501","2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4","a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436","57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312","1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154","5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8","60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315","92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d","e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8","f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671") |
Registry Key | (resourcename = "Windows Security" AND eventtype = "4657" ) AND winmessage In ("HKCU\SOFTWARE\AppDataSoft","HKCU\SOFTWARE\AppDataHigh") |
Registry Key | technologygroup = "EDR" AND winmessage In ("HKCU\SOFTWARE\AppDataSoft","HKCU\SOFTWARE\AppDataHigh") |
Directory Path | (resourcename = "Windows Security" AND eventtype = "4663" ) AND winmessage In ("%LOCALAPPDATA%\KeyStore","%LOCALAPPDATA%\DataCache","%LOCALAPPDATA%\AppTemp") |
Directory Path | technologygroup = "EDR" AND winmessage In ("%LOCALAPPDATA%\KeyStore","%LOCALAPPDATA%\DataCache","%LOCALAPPDATA%\AppTemp") |
Reference:
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/