26 September 2024

New RomCom variant spotted in espionage campaigns


A new variant of the RomCom Remote Access Trojan (RAT) family, dubbed SnipBot, has emerged equipped with new capabilities. Spreading since last December, the most recent variant uses valid code-signing certificates to evade detection, enabling attackers to execute commands and download additional malicious files in a multistage attack, according to researchers from Palo Alto Networks' Unit 42.

SnipBot is based on the RomCom 3.0 framework but incorporates techniques from RomCom 4.0, effectively making it version 5.0 of RomCom.

The most notable characteristic of SnipBot is its ability to ‘fly under the radar’ by utilizing valid code-signing certificates. The initial downloader for the malware is consistently signed with a legitimate certificate, which the attackers likely obtained either through certificate theft or fraudulent means. This signing mechanism allows the malware to bypass many traditional security measures that rely on the integrity of signed software, making it harder to detect.

Researchers noted that while the initial downloader is signed, subsequent payloads, which include executable files (EXEs) and dynamic link libraries (DLLs), are unsigned. This multistage approach increases the malware's stealth and persistence on targeted systems.

SnipBot’s infection process is highly structured and unfolds over multiple stages. It typically begins with a phishing email, often containing a link that redirects several times before leading to the SnipBot downloader. The initial download often disguises itself as an innocent-looking PDF file, or as an executable masquerading as a legitimate document, tricking victims into opening the malicious file.

Once the initial file is executed, further payloads are downloaded, allowing attackers to expand their foothold on the system. These payloads can vary from further executable files to DLLs, depending on the objectives of the campaign.

RomCom, the malware family behind SnipBot, has been evolving since its discovery in 2022. Initially used for ransomware and extortion, RomCom has gradually incorporated more sophisticated techniques, with a focus on credential harvesting and intelligence-gathering operations.

Previously, the RomCom malware was observed in malicious campaigns targeting the Ukrainian government and military.
