Hackers are weaponizing PDF files to deliver new SnipBot malware.

Hackers are increasingly weaponizing PDF files to deliver malware and launch cyber attacks.

They exploit the ubiquity and perceived trustworthiness of PDFs to trick victims into opening malicious files that may contain malicious links, embedded code, or exploits for vulnerabilities that allow remote code execution.

Security experts at Palo Alto Networks recently pointed out that hackers are actively weaponizing PDF files to deliver the new SnipBot malware.

Hackers are weaponizing PDF files.

SnipBot is a newly discovered variant of the RomCom malware family, identified in April 2024 by Palo Alto Networks’ Advanced WildFire sandbox.

This sophisticated threat is designated “RomCom 5.0” and combines features of:

  • RomCom 3.0
  • PEAPOD (RomCom 4.0)

SnipBot uses a multi-stage infection process that starts with a signed executable disguised as a PDF.

It uses anti-sandbox techniques such as checking process names and registry entries.

The malware uses window message-based control flow obfuscation and encrypted strings to avoid detection.

[Figure: SnipBot Implementation Flow (Source – Palo Alto Networks)]

In addition, it downloads additional payloads, such as a DLL that injects code into Explorer.exe through COM hijacking.

SnipBot’s core functionality is a backdoor (single.dll) that creates a mutex named ‘SnipMutex’ and allows threat actors to execute commands, upload and download files, and deploy additional modules.

Initially, the malware communicates with command-and-control (C2) servers using domains such as xeontime[.]com and drvmcprotect[.]com.

Earlier versions of the malware used different tactics, such as fake Adobe font installers, and C2 domains such as ilogicflow[.]com and webtimeapi[.]com.

[Figure: Fake Adobe website (Source – Palo Alto Networks)]

The evolution of SnipBot illustrates the ongoing sophistication of cyber threats.

SnipBot’s various evasion techniques, payload delivery methods, and post-infection capabilities are used to compromise systems and exfiltrate sensitive data.

Analysis of SnipBot’s post-infection activity, tracked by Cortex XDR telemetry, revealed a sophisticated attack sequence lasting approximately four hours on April 4.

The attacker, using the command-line functionality of SnipBot’s main module (single.dll), first probed the network to identify the domain controller.

They then attempted to exfiltrate files from the victim’s Documents, Downloads, and OneDrive folders to the server at 91.92.250[.]104.

The attacker used the PuTTY Secure Copy client (renamed dsutil.exe) for data transfer, AD Explorer for directory reconnaissance, and WinRAR (renamed fsutil.exe) for file compression.

Targeted file types included standard system files and unusual health-related formats (ZBF, DCM).

Although there were problems, as evidenced by attempts to kill the PuTTY process, the attacker persisted to the end: they installed config-pdf.dll, downloaded from xeontime[.]com, and looked for commands on ethernet[.]com.

The attack ended with an attempt to snapshot the local Active Directory database and archive the files to c:\essential.

This holistic approach, combining custom malware (SnipBot), living-off-the-land techniques, and targeted data extraction, suggests a potential shift from financial motivations to espionage, as CERT-UA’s findings have also noted.
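As an added defender-side example (not Unit 42’s or this article’s code), the following Python script hunts constructed telemetry for the tradecraft described in the C2 section and in the post-infection sequence above: DNS lookups of the defanged C2 domains, connections to the exfiltration host, creation of the SnipMutex mutex, and transfer or archiving tools executed under a file name that differs from the one in their PE version information (the PuTTY SCP client running as dsutil.exe, WinRAR running as fsutil.exe). The key=value event format, the original_filename field and the watch list of original tool names are assumptions; the indicators themselves are the ones quoted in the article.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Indicators quoted in the article, kept defanged exactly as written there.
DEFANGED_IOCS = [
    "xeontime[.]com", "drvmcprotect[.]com",   # SnipBot C2 domains
    "ilogicflow[.]com", "webtimeapi[.]com",   # C2 domains of earlier RomCom versions
    "91.92.250[.]104",                        # exfiltration server
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that matches raw telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i).lower() for i in DEFANGED_IOCS}

# Original file names (PE version info) of tools the article says were renamed.
# Assumed values: verify them against the binaries present in your own estate.
WATCHED_ORIGINALS = {
    "pscp.exe": "PuTTY SCP",
    "winrar.exe": "WinRAR",
    "rar.exe": "WinRAR command line",
}

MUTEX_IOC = "snipmutex"


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' event line (assumed telemetry format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string if the event matches SnipBot tradecraft, else None."""
    kind = ev.get("type")
    if kind == "process":
        # A tool whose on-disk name differs from its PE OriginalFilename is a
        # renamed utility, the masquerade the attacker used for pscp and WinRAR.
        image_name = PureWindowsPath(ev.get("image", "")).name.lower()
        original = ev.get("original_filename", "").lower()
        if original in WATCHED_ORIGINALS and original != image_name:
            return f"renamed tool: {WATCHED_ORIGINALS[original]} running as {ev['image']}"
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in IOC_SET:
            return f"C2 domain lookup: {ev['query']}"
    elif kind == "net":
        if ev.get("dst", "") in IOC_SET:
            return f"connection to known exfiltration host: {ev['dst']}"
    elif kind == "mutex":
        if ev.get("name", "").lower() == MUTEX_IOC:
            return f"SnipBot mutex created: {ev['name']}"
    return None


def hunt(lines) -> list:
    """Run every event line through the checks and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        hit = check_event(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign fsutil.exe from System32, two renamed
# tools, one benign and one malicious DNS lookup, the exfil connection and the mutex.
SAMPLE_TELEMETRY = r"""
type=process image=C:\Windows\System32\fsutil.exe original_filename=fsutil.exe
type=process image=C:\Users\victim\AppData\Local\Temp\fsutil.exe original_filename=WinRAR.exe
type=process image=C:\Users\victim\AppData\Local\Temp\dsutil.exe original_filename=pscp.exe
type=dns query=xeontime.com
type=dns query=update.example.com
type=net dst=91.92.250.104
type=mutex name=SnipMutex
""".strip().splitlines()

if __name__ == "__main__":
    for alert in hunt(SAMPLE_TELEMETRY):
        print(alert)
```

The renamed-tool rule is the generally useful part: it does not depend on the specific names dsutil.exe and fsutil.exe, only on a mismatch between the executed image name and the version-info name of a transfer or archiving tool, so it also catches the next rename. Pairing it with the defanged indicator list keeps the article’s IoCs usable without ever pasting live domains into a query.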
