September 26, 2024 at 05:32PM
Unit 42 researchers discovered a new variant of the RomCom malware, named SnipBot, used in attacks targeting diverse sectors to steal data and pivot on networks. It employs an extended set of 27 commands for data exfiltration and evades sandboxes through various techniques. Initial vectors include phishing emails and fake download links. The threat actor’s goal appears to have shifted from financial gain to espionage operations.
Based on the provided meeting notes, here are the key takeaways:
1. A new variant of the RomCom malware called SnipBot has been discovered by Palo Alto Network’s Unit 42 researchers. This new version of the malware has extended capabilities and employs advanced evasion and anti-sandboxing techniques.
2. SnipBot’s attack campaigns target various sectors including IT services, legal, and agriculture, with the objective of stealing data and pivoting on the network.
3. The initial infection vector typically involves phishing emails containing links to download seemingly innocuous files, along with fake Adobe websites and malicious executable downloaders from file-sharing platforms.
4. After compromising a system, the threat actor collects information about the company network and domain controller, steals specific file types from directories, and exfiltrates the targeted data using various tools such as PuTTY Secure Copy client and WinRAR.
5. The attacker’s goal is suspected to have shifted from financial gain to espionage operations due to the set of victims targeted in SnipBot and RomCom attacks.
These takeaways summarize the key points from the meeting notes and provide a clear understanding of the SnipBot malware and its attack methods.