September 24, 2024 at 08:10AM
The RomCom malware has resurfaced in a new variant, SnipBot, whose downloader is signed with valid code-signing certificates to evade detection. The cyberespionage threat reaches victims through phishing emails carrying malicious PDF files or executables disguised as PDFs. Its evolving obfuscation methods and post-exploitation activity show why signature-based and extension-based checks alone are not enough to counter this ongoing threat.
The report covers the resurgence of the RomCom cyberespionage malware in a new variant called SnipBot. The variant's downloader is signed with valid code-signing certificates so that it passes signature checks, and once running the malware can execute commands, fetch additional malicious files, and carry out multi-stage attacks on victims' systems. The attackers behind SnipBot have shifted focus from financial gain to intelligence gathering, targeting victims in sectors including IT services, legal, and agriculture.
SnipBot is distributed through phishing emails, either as an executable masquerading as a PDF or as a genuine PDF that leads the victim to an executable. The PDF lure displays distorted text and prompts the victim to install a missing font package; the "font" download is in fact the SnipBot downloader. The malware is built in several stages, and the downloader carries a valid code-signing certificate, likely obtained through theft or fraud, so a valid signature by itself is not evidence that a file is benign. Once executed, the malware contacts command-and-control domains to retrieve further payloads, which give the attacker capabilities such as command-line control, file upload and download, and post-exploitation activity on the compromised host.
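The first delivery path above, an executable dressed up as a PDF, can be caught before any signature check by comparing what a file's name claims with what its first bytes actually are. The following is an added example written for this page, not code from the report or from the RomCom analysis; the sample attachments are constructed byte strings, not real SnipBot files, and the function and file names are arbitrary.

```python
import os

# Constructed sample attachments for illustration only; none are real SnipBot files.
# "MZ" is the DOS stub header every Windows PE executable begins with,
# "%PDF-" is the header of a genuine PDF.
PE_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00"
SAMPLES = {
    "Invoice.pdf.exe": PE_STUB,                                    # double extension
    "contract.pdf":    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>",
    "notes.pdf":       PE_STUB,                                    # executable renamed to .pdf
    "readme.txt":      b"plain text, nothing to see",
}

# Magic bytes we recognise, checked in order.
MAGIC = ((b"MZ", "exe"), (b"%PDF-", "pdf"))
# What the final extension claims the file is.
EXT_KIND = {".exe": "exe", ".scr": "exe", ".com": "exe", ".pdf": "pdf"}


def sniff(data: bytes) -> str:
    """Return the file kind implied by its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(name: str, data: bytes) -> str:
    """Compare the name's claim with the content's magic bytes.

    Returns one of:
      'double-extension' - executable whose name carries a decoy .pdf before the real extension
      'masquerade'       - executable content under a .pdf name
      'mismatch'         - some other claim/content disagreement
      'unknown'          - content we cannot identify (not a verdict of safety)
      'ok'               - claim and content agree
    """
    exts = extensions(name)
    actual = sniff(data)
    claimed = EXT_KIND.get(exts[-1], "unknown") if exts else "unknown"
    if actual == "exe" and len(exts) > 1 and ".pdf" in exts[:-1]:
        return "double-extension"
    if claimed == "pdf" and actual == "exe":
        return "masquerade"
    if actual == "unknown":
        return "unknown"
    if claimed != actual:
        return "mismatch"
    return "ok"


def scan(samples: dict) -> dict:
    """Classify every (name, bytes) pair and return name -> verdict."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

The double-extension case matters because Windows Explorer hides known extensions by default, so `Invoice.pdf.exe` is displayed as `Invoice.pdf`. Note that the check inspects content, not the Authenticode signature: a SnipBot downloader with a stolen or fraudulently obtained certificate would still be flagged here as `masquerade` or `double-extension` because its bytes begin with an MZ header regardless of who signed it.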
The RomCom threat actor, which is responsible for SnipBot, has been active since at least 2022 and has historically engaged in activities such as ransomware, extortion, and targeted credential gathering. However, the attackers now seem to be exclusively focused on cyberespionage. Organizations are advised to remain vigilant and adopt advanced security measures to protect against evolving cyberthreats, particularly those related to RomCom. Additionally, the Computer Emergency Response Team of Ukraine (CERT-UA) has published information about the threat group and advises organizations to be cautious about emails from unknown senders, even if they claim to be government employees, and to avoid downloading or opening suspicious files.