The recent resurgence of the RomCom cyber-espionage malware has researchers on high alert as a new variant of the malicious software has been discovered. Known as SnipBot, this malware is the latest iteration of the RomCom family, which targeted the Ukrainian military and its supporters in a rampage last year. The new variant is more sophisticated, using valid code-signing certificates to avoid detection while carrying out its activities on victims' systems in a multistage attack.
According to researchers at Palo Alto Networks' Unit 42, SnipBot has been spreading since December and builds upon the techniques seen in previous versions of RomCom. This latest variant combines elements from RomCom 3.0 and RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family. The malware is designed to execute commands, download additional malicious files, and gather intelligence from targeted organizations, which include those in sectors such as IT services, legal, and agriculture.
Previous iterations of RomCom included ransomware payloads, but Unit 42 believes that the attackers behind the malware have shifted their focus exclusively to intelligence-gathering. This change in tactics has made it challenging to discern the attackers’ intentions given the wide range of targeted victims. Despite this shift, the threat posed by RomCom and its variants remains ever-present, with the threat actor engaging in various nefarious activities to support their intelligence-gathering operations.
The infection vector of SnipBot involves the delivery of the malware through phishing emails containing either an executable file disguised as a PDF or an actual PDF file that leads to an executable. The malware is designed to run commands on victims’ systems, download additional modules, and establish a foothold for further malicious activities. The use of valid code-signing certificates in the malware’s downloader suggests that the threat actors may have stolen or obtained them through fraudulent means.
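The two lures described above (an executable disguised as a PDF, or a genuine PDF that points at an executable) are both visible at the mail gateway if attachments are checked by content rather than by name alone. The following triage script is an added example written for this article; it is not code from Unit 42 or from the RomCom operators. The attachment names, MIME types and byte strings are constructed for illustration, and the finding tags and extension lists are this example's own choices.

```python
import re

# Constructed sample attachments: names, MIME types and bytes are invented for
# this example and do not come from the Unit 42 report or any real sample.
SAMPLE_ATTACHMENTS = [
    {"name": "invoice.pdf", "mime": "application/pdf",
     "data": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"},
    # Windows executable carrying a ".pdf" lure extension before the real one
    {"name": "report.pdf.exe", "mime": "application/pdf",
     "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    # Windows executable renamed to look exactly like a PDF
    {"name": "contract.pdf", "mime": "application/pdf",
     "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    # Real PDF whose link action points at an executable download
    {"name": "agenda.pdf", "mime": "application/pdf",
     "data": b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI /URI (http://lure.invalid/update.exe) >> endobj"},
    {"name": "setup.exe", "mime": "application/octet-stream",
     "data": b"MZ\x90\x00\x03\x00\x00\x00"},
]

# Extension lists are an assumption of this example, not a complete policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "msi", "dll", "cpl"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Matches the URI string inside a PDF /URI action object.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def classify_attachment(att):
    """Return a list of finding tags for one attachment; an empty list means nothing suspicious."""
    findings = []
    name, mime, data = att["name"].lower(), att["mime"].lower(), att["data"]
    exts = name.split(".")[1:]          # every extension after the base name
    final = exts[-1] if exts else ""
    is_pe = data.startswith(b"MZ")      # DOS/PE header, regardless of what the name says

    if is_pe or final in EXECUTABLE_EXTS:
        findings.append("executable")
    # A document extension followed by an executable one, e.g. report.pdf.exe
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    # PE bytes under a non-executable extension, e.g. contract.pdf
    if is_pe and final not in EXECUTABLE_EXTS:
        findings.append("extension-mismatch")
    # PE bytes declared by the sender as a PDF
    if is_pe and mime == "application/pdf":
        findings.append("mime-mismatch")
    # A genuine PDF that launches something or links to an executable
    if data.startswith(b"%PDF"):
        if b"/Launch" in data:
            findings.append("pdf-launch-action")
        for uri in URI_RE.findall(data):
            path = uri.decode("latin-1").split("?")[0].split("#")[0].lower()
            if path.rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                findings.append("pdf-links-to-executable")
                break
    return findings


def triage(attachments):
    """Map each flagged attachment name to its findings; clean attachments are omitted."""
    result = {}
    for att in attachments:
        findings = classify_attachment(att)
        if findings:
            result[att["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The checks deliberately rely on the file's leading bytes and its embedded link targets, not on the filename or the sender's declared MIME type, because those are the fields an attacker controls. A gateway policy built on these tags would quarantine anything tagged `executable` and hold `pdf-links-to-executable` for review; a code-signing certificate on the payload, valid or not, changes none of these results.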
Once installed on a victim’s system, SnipBot contacts command-and-control (C2) domains to retrieve additional payloads and establish communication with the attackers. These payloads provide the attacker with various capabilities, including spyware functionality, command-line access, and the ability to upload and download files from the victim’s system. Post-infection activities observed by Unit 42 include attempts to gather information about the victim’s internal network and exfiltrate sensitive data to external servers controlled by the attackers.
As the threat landscape continues to evolve, organizations are urged to remain vigilant and adopt advanced security measures to protect their systems and data from cyberthreats like RomCom. The Computer Emergency Response Team of Ukraine (CERT-UA) has also issued warnings about the threat posed by RomCom and advised organizations to be cautious when dealing with emails from unknown senders, especially those purporting to be government officials. By staying informed and implementing robust cybersecurity practices, organizations can defend against sophisticated threats like RomCom and safeguard their sensitive information.