Morphisec discovered Snip3 crypter, an evasive RAT loader

May 14, 2021 11:28 GMT  ·  By

Microsoft issued an alert regarding a Remote Access Tool (RAT) dubbed RevengeRAT. The malware is being spread through spear-phishing emails targeting the aerospace and travel industries.

RevengeRAT, also known as AsyncRAT, is distributed via carefully crafted email messages that instruct recipients to open a file that looks like an Adobe PDF attachment but actually installs a malicious Visual Basic (VB) file.

Morphisec, a cybersecurity company, recently identified the two RATs as part of a sophisticated Crypter-as-a-Service operation that pushes several RAT families.

Microsoft states that the phishing emails spread a loader that delivers RevengeRAT or AsyncRAT. Morphisec adds that the same loader also pushes the Agent Tesla RAT.

As reported by Microsoft, "The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads."

Morphisec named the crypter service "Snip3" after a username discovered in earlier malware variants.

Snip3 malware avoids loading RATs if executed in Windows Sandbox

Snip3 has been designed to avoid loading a RAT if it detects that it is being executed inside Windows Sandbox, a feature that lets advanced users run potentially malicious files in an isolated environment that does not interact with the host OS. The malware behaves the same way if it detects that it is running in a virtual machine environment.

Morphisec notes: "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."

If the RAT is installed, however, it connects to a command and control (C2) server and retrieves additional malware from websites such as Pastebin.

The presence of a RAT on any device is undesirable, since it can steal passwords, photographs, and webcam video, as well as anything else found on the system clipboard.

Microsoft has published advanced hunting queries on GitHub that security teams can use to detect these threats on their networks.
