New RomCom malware variant 'SnipBot' spotted in data theft attacks - #RomCom
Researchers at Palo Alto Networks' Unit 42 have identified a new variant of the RomCom malware, dubbed SnipBot, which targets sectors such as IT services, legal, and agriculture for data theft. This version, tracked as RomCom 5.0, adds 27 new commands that extend its data exfiltration capabilities and employs obfuscation and anti-sandboxing techniques to evade detection. SnipBot's main module is stored encrypted in the Windows Registry, and additional modules are downloaded and executed in memory rather than written to disk. The initial infection vector is typically a phishing email or a fake website, such as a spoofed Adobe site used to trick victims into downloading the malware. Once a system is compromised, the malware collects network information and steals specific file types, using various tools for further discovery and data exfiltration. The attackers' motives appear to have shifted from financial gain to potential espionage.