SnatchLoader is known as a downloader malware - it is responsible for delivering additional malware threats on a machine that it has already managed to compromise. The development of SnatchLoader has seen some periods of low activity, but the threat has been observed as part of active attack campaigns, such as delivering the banking Trojan Ramnit. While not unique, a curious characteristic of this downloader malware is that it is equipped with 'geo-blocking.' In practice, this results in the malware executing in some countries while, in others, it simply terminates itself. The researchers who analyzed a sample of SnatchLoader determined that the UK and Italy were among the viable targets, while users in France, the US, and Hong Kong were safe.
To perform Windows API calls, SnatchLoader uses function-name hashing at run time. As for handling the communication with its Command-and-Control (C2, C&C) infrastructure, it employs HTTPS. Four different request types were isolated by infosec researchers.
First, SnatchLoader makes a 'get dynamic config' request, followed by a 'send system information' request. In this step, the malware sends various system data to the hackers' server. Among the exfiltrated data are details such as the Windows version, architecture, username, computer name, user agent, list of running processes, etc.
To check for any commands from the hackers, SnatchLoader makes a 'command poll' request. Due to its nature as a loader, the commands are mainly for various ways to download and execute additional malware modules - executed normally, injected into explorer.exe, or executed via rundll32. The researchers also observed plugin functionality in SnatchLoader for a Monero crypto-mining threat. The last request type to the C2 is used to send the results of performing a specific command.