A newly discovered variant of the RomCom malware, named SnipBot, has been identified in a wave of cyberattacks aimed at stealing sensitive data from compromised systems. According to a report, SnipBot infiltrates networks, allowing attackers to extract valuable information and move laterally within organizations.
Researchers uncovered SnipBot during a deep analysis of a specific DLL module used in these attacks. The malware's recent campaigns appear to target a wide range of industries, including IT services, legal, and agriculture, all with the goal of stealing data and pushing deeper into the victim's network.
RomCom itself is a known backdoor, previously associated with delivering Cuba ransomware in malicious advertising campaigns and phishing operations. In late 2023, a lighter, stealthier version known as RomCom 4.0 was released, which retained an array of capabilities such as file theft, command execution, registry modification, and secure communications via TLS.
Now considered RomCom 5.0, SnipBot builds upon its predecessor by incorporating 27 new commands. These commands give attackers greater precision in data exfiltration, letting them target specific file types and directories. Stolen data is compressed with the 7-Zip tool before exfiltration, and the malware now also delivers payloads as archives to improve evasion.
SnipBot employs advanced evasion methods, including obfuscating its code through a sequence of custom window messages and implementing anti-sandboxing measures. Before running, the malware verifies system characteristics, such as checking hash values of executables and ensuring that enough registry entries exist under "RecentDocs" and "Shell Bags" for the host to look like a machine a real user has actually worked on, rather than a freshly provisioned analysis sandbox.
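As an added illustration (not code from the article or the underlying report), the following PowerShell snippet enumerates the two registry locations named above so a sandbox operator can check how "lived-in" an analysis VM appears to such checks; the `MinRecentDocs` and `MinShellBags` thresholds are assumed placeholders, not values taken from the article.

```powershell
# Added example: count RecentDocs and ShellBag entries in the current user's
# hive to judge whether an analysis VM looks like a real user's machine.
# Thresholds below are placeholders (assumed), not figures from the article.

function Get-RecentDocsCount {
    # RecentDocs keeps one subkey per file extension plus the parent key;
    # each holds numbered REG_BINARY values and an MRUListEx ordering value.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    if (-not (Test-Path $base)) { return 0 }
    $keys = @(Get-Item $base) + @(Get-ChildItem $base -ErrorAction SilentlyContinue)
    $count = 0
    foreach ($k in $keys) {
        # Skip the MRUListEx index and the (default) value; count only entries.
        $names = $k.GetValueNames() | Where-Object { $_ -ne 'MRUListEx' -and $_ -ne '' }
        $count += @($names).Count
    }
    return $count
}

function Get-ShellBagCount {
    # ShellBags are stored under BagMRU as a tree of numbered subkeys;
    # both roots below are populated on a machine a user has browsed folders on.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',
        'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
    )
    $count = 0
    foreach ($r in $roots) {
        if (Test-Path $r) {
            $count += @(Get-ChildItem $r -Recurse -ErrorAction SilentlyContinue).Count
        }
    }
    return $count
}

function Test-SandboxRealism {
    param(
        [int]$MinRecentDocs = 100,  # placeholder threshold (assumed)
        [int]$MinShellBags  = 50    # placeholder threshold (assumed)
    )
    $recent = Get-RecentDocsCount
    $bags   = Get-ShellBagCount
    [pscustomobject]@{
        RecentDocs        = $recent
        ShellBags         = $bags
        LooksLikeRealUser = ($recent -ge $MinRecentDocs) -and ($bags -ge $MinShellBags)
    }
}

Test-SandboxRealism | Format-List
```

Run it inside the sandbox image under the analysis user account; a low count in either field is a cue to seed the VM with genuine document and folder-browsing history before detonating samples that perform this kind of check.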
Furthermore, SnipBot’s core module, “single.dll,” is stored in an encrypted format within the Windows Registry and is loaded directly into memory. Additional components, like “keyprov.dll,” are also decrypted and executed in-memory after being downloaded from a command-and-control (C2) server, making detection and removal more challenging.
To protect against SnipBot and similar malware, organizations should implement strong cybersecurity practices, such as regularly patching software vulnerabilities and conducting network segmentation. Employing advanced endpoint detection and response (EDR) solutions can help identify malware in-memory, while limiting user permissions and continuously monitoring system logs can mitigate potential threats.