A new variant of the RomCom Remote Access Trojan (RAT) family, dubbed SnipBot, has emerged equipped with new capabilities. Spreading since last December, the most recent variant uses valid code-signing certificates to evade detection, enabling attackers to execute commands and download additional malicious files in a multistage attack, according to researchers from Palo Alto Networks' Unit 42.
SnipBot is based on the RomCom 3.0 framework but incorporates techniques from RomCom 4.0, effectively making it version 5.0 of RomCom.
The most notable characteristic of SnipBot is its ability to ‘fly under the radar’ by utilizing valid code-signing certificates. The initial downloader for the malware is consistently signed with a legitimate certificate, which the attackers likely obtained either through certificate theft or fraudulent means. A valid signature only attests that the file was signed by the certificate holder and has not been modified since; it says nothing about whether the code is benign. Security controls that extend trust to any validly signed binary, such as reputation filters or allowlisting by signature presence alone, will therefore let the downloader through, which is why practitioners should check the signer identity against the publisher they actually expect and confirm the certificate has not been revoked, rather than stopping at ‘signature verifies’.
Researchers noted that while the initial downloader is signed, the subsequent payloads, which include executable files (EXEs) and dynamic link libraries (DLLs), are unsigned. Splitting the chain this way means a control that inspects only the first file delivered sees a validly signed binary, while the unsigned stages arrive later from a process that already has the user's trust, increasing the malware's stealth and its ability to persist on targeted systems. The flip side is a detection opportunity: an unsigned EXE or DLL written and loaded by a freshly signed downloader is itself a strong signal.
SnipBot’s infection process is structured as a series of distinct stages. It typically begins with a phishing email containing a link that redirects several times before finally serving the SnipBot downloader. The initial download is disguised as an innocent-looking PDF file, or as an executable masquerading as a legitimate document, to trick the victim into opening it.
Once the initial file is executed, further payloads are downloaded, allowing attackers to expand their foothold on the system. These payloads can vary from further executable files to DLLs, depending on the objectives of the campaign.
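As an added triage example (not code from the original article or from Unit 42), the following Python script checks two things the chain described above relies on: whether a file's content matches the type its name claims (a PE dressed up as a PDF, or a document-looking name with a trailing executable extension), and whether a PE carries an Authenticode certificate blob at all, so that unsigned follow-on EXEs and DLLs stand out next to a signed downloader. The sample files it inspects are constructed inside the script (header-only PE images with a placeholder certificate entry, not real signed binaries), and the extension tables and flag names are assumptions chosen for illustration.

```python
"""Triage helper: does a file's content match its claimed type, and does a PE
carry an Authenticode certificate blob at all? Added example, not Unit 42's code."""
import struct

# Magic-byte table for the few types that matter here (assumed set).
MAGIC = ((b"MZ", "pe"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf"))
EXT_TO_TYPE = {"pdf": "pdf", "exe": "pe", "dll": "pe", "scr": "pe",
               "zip": "zip", "docx": "zip"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "xls", "xlsx"}
EXEC_EXTS = {"exe", "dll", "scr", "com"}


def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def authenticode_blob_present(data: bytes):
    """True if the PE's Security data directory (index 4) points at a non-empty
    WIN_CERTIFICATE blob inside the file, False if it is empty, None if the
    data is not a parseable PE. Presence only: this does NOT validate the
    signature chain, the signer identity, or revocation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (size_of_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows COFF header
    if size_of_opt < 2 or opt + size_of_opt > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        return None
    if n_dirs_off + 4 > size_of_opt:
        return None
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    if n_dirs <= 4 or dirs_off + 5 * 8 > size_of_opt:
        return False                         # no Security directory at all
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    # For the Security directory the first field is a file offset, not an RVA.
    return size > 0 and off + size <= len(data)


def triage(filename: str, data: bytes) -> dict:
    """Compare claimed type (from extension) with sniffed type and, for PEs,
    report whether a certificate blob is present. Flag names are assumptions."""
    exts = filename.lower().split(".")[1:]
    claimed = EXT_TO_TYPE.get(exts[-1], "unknown") if exts else "unknown"
    actual = sniff_type(data)
    flags = []
    if "unknown" not in (claimed, actual) and claimed != actual:
        flags.append("content_does_not_match_extension")
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DOCUMENT_EXTS:
        flags.append("double_extension")
    signed = authenticode_blob_present(data) if actual == "pe" else None
    if actual == "pe" and signed is False:
        flags.append("unsigned_pe")
    return {"claimed": claimed, "actual": actual,
            "authenticode_present": signed, "flags": flags}


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample: a header-only PE32+ image (not executable) whose
    Security directory is empty or points at a dummy WIN_CERTIFICATE entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    opt = bytearray(240)                            # 112 fixed bytes + 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + len(opt)
    blob = b""
    if signed:
        der = b"\x30\x03\x02\x01\x01"               # placeholder bytes, not a real PKCS#7
        blob = struct.pack("<IHH", 8 + len(der), 0x0200, 0x0002) + der
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(blob))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


# Constructed inputs standing in for a lure document and the dropped stages.
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample, not a real document\n"
SIGNED_DOWNLOADER = build_minimal_pe(signed=True)
UNSIGNED_STAGE = build_minimal_pe(signed=False)

if __name__ == "__main__":
    for name, blob in [("Invoice.pdf", SAMPLE_PDF),
                       ("Invoice.pdf.exe", SIGNED_DOWNLOADER),
                       ("Document.pdf", UNSIGNED_STAGE),
                       ("stage2.dll", UNSIGNED_STAGE)]:
        print(name, triage(name, blob))
```

A present certificate blob is only the first question. On a real sample the next step is to validate the chain and read the signer (for example with `Get-AuthenticodeSignature` or `signtool verify` on Windows) and then ask whether that publisher is one you would ever expect to ship this file; a downloader signed with a stolen or fraudulently issued certificate passes the first two checks and fails only the last.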
RomCom, the malware family behind SnipBot, has been evolving since its discovery in 2022. Initially used for ransomware and extortion, RomCom has gradually incorporated more sophisticated techniques, with a focus on credential harvesting and intelligence-gathering operations.
Previously, the RomCom malware was observed in malicious campaigns targeting the Ukrainian government and military.