SnipBot is a malicious software program that was first identified in Ukraine and submitted to VirusTotal in December 2023. It uses a custom obfuscation technique and advanced anti-analysis tricks to hinder detection and analysis. The malware's execution flow begins with an initial EXE downloader, which is typically downloaded from a temporary URL posing as an Adobe Font Pack. This downloader subsequently installs the main SnipBot file, single.dll.
The SnipBot malware employs several deceptive techniques to trick users into downloading it. One of these methods involves a PDF lure document that leads unsuspecting users to the SnipBot downloader. Another tactic includes a fake Adobe website that presents a download dialog for the SnipBot downloader. Interestingly, the malware also downloads a legitimate font file named AdSlavicF.ttf to the same directory as the SnipBot downloader and installs it via InstallFontFile from the Windows library fontext.dll, likely as a cover for its malicious activities.
Once installed, the main SnipBot file, single.dll, acts as a backdoor, giving the attacker multiple options to execute commands or download and run additional payloads. This provides the attacker with extensive control over the infected system. In our investigations, we discovered another chain of links likely used by the same attacker to deliver a similar variant of the SnipBot downloader, indicating that the threat actor is continuously evolving their tactics and tools.
Description last updated: 2024-10-17T12:28:32.728Z