A newly identified variant of the RomCom malware, known as SnipBot, has been detected in cyberattacks where it is used to infiltrate networks and extract sensitive data from compromised systems.

Researchers from Palo Alto Networks' Unit 42 made this discovery after analyzing a dynamic-link library (DLL) module linked to SnipBot's activities.

Recent SnipBot operations appear to focus on a diverse range of victims across multiple industries, including IT services, legal firms, and agriculture, where the malware is used to steal data and spread within the network.

RomCom, a backdoor tool, has previously been associated with distributing Cuba ransomware in malvertising campaigns and conducting targeted phishing operations.

The earlier iteration of this malware, labeled RomCom 4.0 by Trend Micro in late 2023, featured a leaner and stealthier design compared to earlier versions while maintaining a powerful set of capabilities.

RomCom 4.0 could execute various commands such as file theft, payload delivery, Windows registry modification, and secure command-and-control (C2) communication through the TLS protocol.

SnipBot, which Unit 42 identifies as RomCom 5.0, introduces an extended suite of 27 commands, providing attackers with more control over data theft operations by specifying file types and directories to target, compressing stolen data via 7-Zip, and extracting archive payloads for evasion.

Moreover, SnipBot now uses window message-based control flow obfuscation, dividing its code into segments triggered by custom window messages to evade detection.

The latest version also features enhanced anti-sandboxing techniques, such as hash checks on executables and processes, as well as verification of registry entries, specifically ensuring the presence of at least 100 entries in "RecentDocs" and 50 sub-keys in the "Shell Bags" registry keys.

Notably, SnipBot’s primary module, "single.dll," is stored in an encrypted format within the Windows Registry and is loaded directly into memory. Additional modules, like "keyprov.dll," are downloaded from the C2 server, decrypted, and executed in memory.

Palo Alto’s Unit 42 was able to gather attack artifacts through VirusTotal, which helped trace SnipBot’s initial infection method.

The infection typically begins with phishing emails that direct recipients to download seemingly benign files, such as PDF documents, enticing them to click on malicious links. An older attack vector involved tricking victims into downloading a missing font from a fake Adobe site, which triggered a series of redirects across multiple malicious domains controlled by the attackers, eventually delivering a harmful executable.

Often, the downloaders used are signed with legitimate certificates to avoid detection by security software while fetching executables or DLLs from the C2 server. Attackers frequently use COM hijacking to inject malicious payloads into "explorer.exe," ensuring persistence even after system reboots.

Once inside a network, the threat actor gathers information about the company’s domain and network structure, followed by the theft of files from locations such as the Documents, Downloads, and OneDrive folders.

The second stage of the attack, according to Unit 42, involves using the AD Explorer tool to access and navigate Active Directory (AD), enabling further data extraction.

Exfiltration of the stolen data is carried out via the PuTTY Secure Copy client after the files are archived using WinRAR.Although the specific objectives of SnipBot and RomCom attacks remain unclear, Unit 42 suspects that the focus may have shifted from financial motives to espionage, given the nature of the victims involved.