Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Snip3 can query the WMI class |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Snip3 can decode its second-stage PowerShell script prior to execution.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Snip3 can create a VBS file in the startup folder to persist after system restarts.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Snip3 can use a PowerShell script for second-stage execution.[1][2] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Snip3 can use Visual Basic scripts for first-stage execution.[1][2] |
| Enterprise | T1104 | Multi-Stage Channels | Snip3 can download and execute additional payloads and modules over separate communication channels.[1][2] |
| Enterprise | T1189 | Drive-by Compromise | Snip3 has been delivered to targets via downloads from malicious domains.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Snip3 has the ability to obfuscate strings using XOR encryption.[1] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Snip3 can obfuscate strings using junk Chinese characters.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Snip3 has been executed by luring victims into clicking malicious links.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Snip3 can gain execution through the download of Visual Basic files.[1][2] |
| Enterprise | T1082 | System Information Discovery | Snip3 has the ability to query |
| Enterprise | T1102 | Web Service | Snip3 can download additional payloads from web services including Pastebin and top4top.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Snip3 has the ability to detect Windows Sandbox, VMware, or VirtualBox by querying |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Snip3 can execute |
| Enterprise | T1105 | Ingress Tool Transfer | Snip3 can download additional payloads to compromised systems.[1][2] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.[1][2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Snip3 has been delivered to victims through malicious e-mail attachments.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Snip3 has been delivered to victims through e-mail links to malicious files.[2] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | |