New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs

Summary:
The RomCom malware has evolved into a new variant, tracked as Snipbot or RomCom 5.0, that is stealthier than earlier versions and has been used against government agencies. Its components are signed with valid code signing certificates so that they pass signature checks and draw less scrutiny; once running, the implant executes commands, downloads additional modules and steals data. A comparative analysis of IoCs across RomCom versions 3.0, 4.0 and Snipbot, expanded through WHOIS records, registrant-email pivots and related IP addresses, surfaced numerous additional malicious domains and IP addresses.

Keypoints:

  • RomCom malware has resurfaced as Snipbot (also called RomCom 5.0), with government agencies among its targets.
  • Snipbot is stealthier than previous versions; its components are signed with valid code signing certificates so that they pass signature-based trust checks.
  • Comparative analysis of IoCs from RomCom versions 3.0, 4.0 and Snipbot surfaced numerous additional malicious indicators.
  • 42 of the 56 RomCom 3.0 IoCs were retained for expansion after WHOIS analysis.
  • The most recent Snipbot domains were registered in late 2023 and first detected in early 2024, so the infrastructure was in place weeks to months before it was first observed.
  • Geolocation of the IoCs showed them concentrated in a small set of countries close to one another.
  • Querying the 82 domain IoCs surfaced additional domains sharing registrant email addresses, plus associated IP addresses, some of them linked to known threats.
  • Downloadable findings and artifacts are available on the research website.
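The key points above describe one expansion procedure: compare the per-version IoC lists, keep the domains that still have WHOIS records, pivot on registrant email to find connected domains, compare registration dates with first-detection dates, and tally the countries the indicators sit in. The Python below is an added example of that workflow and is not code from the research or from CircleID. Every domain, email address, date and country in it is constructed for illustration (the `.test` TLD is reserved and never resolves), and the function names and record layout are assumptions, not the research's own tooling.

```python
"""IoC comparison and expansion over constructed WHOIS-style records.

Added example; not code from CircleID or the research it summarises.
All indicators below are constructed (reserved .test names), and the
function names and record layout are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed domain IoC lists per RomCom version (not real indicators).
IOCS_BY_VERSION = {
    "3.0": {"alpha-example.test", "beta-example.test", "gamma-example.test"},
    "4.0": {"beta-example.test", "delta-example.test"},
    "Snipbot": {"delta-example.test", "epsilon-example.test", "zeta-example.test"},
}

# Constructed WHOIS-style records keyed by domain. A missing entry models a
# domain that returned no record and is therefore dropped from expansion.
WHOIS = {
    "alpha-example.test":   {"registrant_email": "reg1@mail.test", "created": date(2023, 3, 2),   "country": "NL"},
    "beta-example.test":    {"registrant_email": "reg1@mail.test", "created": date(2023, 4, 9),   "country": "NL"},
    "delta-example.test":   {"registrant_email": "reg2@mail.test", "created": date(2023, 11, 20), "country": "DE"},
    "epsilon-example.test": {"registrant_email": "reg2@mail.test", "created": date(2023, 12, 4),  "country": "DE"},
    "zeta-example.test":    {"registrant_email": "reg3@mail.test", "created": date(2023, 12, 28), "country": "BE"},
}

# Constructed reverse-WHOIS index: registrant email -> domains registered with it.
REVERSE_WHOIS = {
    "reg1@mail.test": {"alpha-example.test", "beta-example.test", "theta-example.test"},
    "reg2@mail.test": {"delta-example.test", "epsilon-example.test", "iota-example.test", "kappa-example.test"},
    "reg3@mail.test": {"zeta-example.test"},
}

# Constructed first-seen dates from detection telemetry.
FIRST_SEEN = {
    "delta-example.test": date(2024, 1, 15),
    "epsilon-example.test": date(2024, 2, 2),
    "zeta-example.test": date(2024, 2, 20),
}


def reused_domains(iocs):
    """Domains that appear in more than one version's IoC list."""
    counts = defaultdict(int)
    for domains in iocs.values():
        for d in domains:
            counts[d] += 1
    return {d for d, n in counts.items() if n > 1}


def retained_after_whois(domains, whois):
    """Keep only domains that still have a WHOIS record (the retention step)."""
    return {d for d in domains if d in whois}


def expand_by_registrant_email(domains, whois, reverse_whois):
    """Pivot on registrant email and return connected domains not already known."""
    connected = set()
    for d in domains:
        record = whois.get(d)
        if record:
            connected |= reverse_whois.get(record["registrant_email"], set())
    return connected - set(domains)


def registration_to_detection_lag(domains, whois, first_seen):
    """Days between WHOIS creation and first detection, for domains that have both."""
    return {d: (first_seen[d] - whois[d]["created"]).days
            for d in domains if d in whois and d in first_seen}


def country_concentration(domains, whois):
    """Count of indicators per registrant country, most common first."""
    counts = defaultdict(int)
    for d in domains:
        if d in whois:
            counts[whois[d]["country"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    all_known = set().union(*IOCS_BY_VERSION.values())
    print("reused across versions:", sorted(reused_domains(IOCS_BY_VERSION)))
    print("3.0 retained after WHOIS:", sorted(retained_after_whois(IOCS_BY_VERSION["3.0"], WHOIS)))
    print("email-connected expansions:", sorted(expand_by_registrant_email(all_known, WHOIS, REVERSE_WHOIS)))
    print("Snipbot registration-to-detection lag (days):",
          registration_to_detection_lag(IOCS_BY_VERSION["Snipbot"], WHOIS, FIRST_SEEN))
    print("Snipbot country concentration:", country_concentration(IOCS_BY_VERSION["Snipbot"], WHOIS))
```

Two caveats apply when running this against live data. Registrant email is frequently redacted or replaced by a privacy proxy since GDPR, and a proxy address is shared by thousands of unrelated registrations, so an email pivot should be skipped for proxy addresses rather than trusted. More generally, every domain or IP the expansion step produces is a lead, not a confirmed indicator: it should be validated (passive DNS overlap, hosting history, sample telemetry) before it is added to a blocklist.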

MITRE Techniques

  • Initial Access (T1193, Spearphishing Attachment; this ID is retired and now lives under T1566.001): phishing delivers the malware, here through fake online tools that the victim is lured into running.
  • Execution (T1203, Exploitation for Client Execution): after infection the implant executes commands and downloads additional modules. Note that the behaviour described maps more naturally to T1059 (Command and Scripting Interpreter) and T1105 (Ingress Tool Transfer) than to T1203.
  • Defense Evasion (T1553.002, Subvert Trust Controls: Code Signing): components are signed with valid code signing certificates so they pass signature-based trust checks. The original mapping to T1547 (Boot or Logon Autostart Execution) is a persistence technique and does not describe code signing.
  • Command and Control (T1071, Application Layer Protocol): the implant communicates with its C2 infrastructure to receive further commands.

IoC:

  • None reproduced in this summary. The domain and IP address indicators, including the expanded set, are in the full research linked below.

Full Research: https://circleid.com/posts/new-romcom-variant-spotted-a-comparative-and-expansion-analysis-of-iocs