Snipbot

Malware updated a month ago (2024-11-29T13:56:12.783Z)
Download STIX
Preview STIX
SnipBot is a malicious software program that was first identified in Ukraine and submitted to VirusTotal in December 2023. It uses a custom obfuscation technique and advanced anti-analysis tricks to infiltrate systems undetected. The malware's execution flow begins with an initial EXE downloader, which is typically downloaded from a temporary URL posing as an Adobe Font Pack. This downloader subsequently installs the main SnipBot file, single.dll. The SnipBot malware employs several deceptive techniques to trick users into downloading it. One of these methods involves a PDF lure document that leads unsuspecting users to the SnipBot downloader. Another tactic includes a fake Adobe website that presents a download dialog for the SnipBot downloader. Interestingly, the malware also downloads a legitimate font file named AdSlavicF.ttf to the same directory as the SnipBot downloader and installs it via InstallFontFile from the Windows library fontext.dll, likely as a cover for its malicious activities. Once installed, the main SnipBot file, single.dll, acts as a backdoor, giving the attacker multiple options to execute commands or download and run additional payloads. This provides the attacker with extensive control over the infected system. In our investigations, we discovered another chain of links likely used by the same attacker to deliver a similar variant of the SnipBot downloader, indicating that the threat actor is continuously evolving their tactics and tools.
Description last updated: 2024-10-17T12:28:32.728Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
RomCom is a possible alias for Snipbot. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Downloader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Snipbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more