
SnatchLoader

Posted: October 15, 2020

The SnatchLoader is a piece of malware that first surfaced in 2017, and since then the developers behind it have released several updates aimed at enhancing the payload's features and covertness. The purpose of SnatchLoader is to infect a computer and then deliver a secondary payload based on the operators' instructions. The malware makes use of a basic geo-IP blocking feature, which allows its operators to filter out victims based on their geographical location. Usually, malware using this feature checks the victim's IP after infection and stops the attack if it belongs to a country that the attackers want to avoid for some reason. In the case of SnatchLoader, however, this check is handled by the control servers rather than by the sample itself. When the malware contacts a Command & Control server, it may receive no response at all if the victim's IP originates from the United States, France or Hong Kong. It is likely that SnatchLoader's operators ignore many other countries as well. Because the country list lives on the server, it cannot be recovered from the sample, and a sandbox whose traffic leaves from a blocked country will simply see the loader check in and then do nothing.

SnatchLoader Was Involved in a Massive Ramnit Campaign

The most infamous campaign that the SnatchLoader was involved in dates back to 2017 when the W32.Ramnit banking Trojan was delivered to targets in the United Kingdom and Italy. It is likely that the SnatchLoader Trojan is still being used today, but there is no information about the payloads it uses nowadays.

The SnatchLoader's attack procedure is straightforward and consists of several exchanges between the compromised host and the control server. The first connection serves to filter out IP addresses that the attackers are not interested in: as mentioned earlier, the control server does not answer if the IP originates from a country that the operators do not target. If the attack continues, the malware collects and reports information about the victim's computer, including hardware and software details, the list of running processes and installed programs, the operating system architecture, the permissions of the current user, and more. The final step is triggered by a custom command from the perpetrators, which points the SnatchLoader to the payload it should download; that payload may be hosted on the control server itself or at an external download location.
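The exchange described above, modelled as an added example written for this page; it is not SnatchLoader's code or its real protocol. The check-in/profile/download message types, the bot identifier, the country codes, the geo-IP table and the payload URL are all assumptions made up for the illustration. What the model shows is the analyst-relevant consequence of a server-side geo-gate: the sample looks identical whether or not it is in a targeted country, and only the server's silence reveals the filter.

```python
"""Model of a first-stage loader whose geographic filtering is performed by
the control server, as the page describes for SnatchLoader.

Illustrative code only. Message names, field names, country codes, the
geo-IP table and the payload URL are assumptions, not observed values.
"""

# Assumption: the three countries the page names, as ISO 3166 codes.
BLOCKED_COUNTRIES = {"US", "FR", "HK"}

# Constructed stand-in for a geo-IP lookup, using TEST-NET addresses.
GEOIP_TABLE = {
    "203.0.113.10": "GB",
    "198.51.100.7": "US",
    "192.0.2.44": "IT",
    "192.0.2.99": "FR",
}


def lookup_country(ip):
    """Return the country code for an IP, or 'ZZ' when unknown."""
    return GEOIP_TABLE.get(ip, "ZZ")


class MockC2:
    """Hypothetical control server.

    Stage 1: a fresh bot checks in. If its source IP maps to a blocked
             country the server answers nothing, so the loader (and any
             sandbox watching it) just sees a connection that goes quiet.
    Stage 2: the bot sends the host profile the server asked for; the
             server replies with the location of the second-stage payload.
    """

    def __init__(self, blocked, payload_url):
        self.blocked = set(blocked)
        self.payload_url = payload_url
        self.awaiting_profile = set()   # bot ids that were told to profile
        self.profiles = {}              # bot id -> reported host profile

    def handle(self, src_ip, msg):
        # The gate is server-side: the decision never reaches the sample.
        if lookup_country(src_ip) in self.blocked:
            return None
        bot = msg["bot_id"]
        if msg["type"] == "checkin":
            self.awaiting_profile.add(bot)
            return {"type": "cmd", "cmd": "profile"}
        if msg["type"] == "profile" and bot in self.awaiting_profile:
            self.awaiting_profile.discard(bot)
            self.profiles[bot] = msg["host"]
            return {"type": "cmd", "cmd": "download", "url": self.payload_url}
        return None


def run_loader(c2, src_ip, bot_id, host_profile):
    """Simulated loader client. Returns the events an analyst would observe."""
    events = []
    reply = c2.handle(src_ip, {"type": "checkin", "bot_id": bot_id})
    if reply is None:
        # No response: from the sample's point of view the C2 is just dead.
        events.append("no reply from C2, loader exits")
        return events
    events.append("cmd:" + reply["cmd"])
    if reply["cmd"] == "profile":
        reply = c2.handle(src_ip, {"type": "profile", "bot_id": bot_id,
                                   "host": host_profile})
        if reply is not None and reply["cmd"] == "download":
            events.append("download:" + reply["url"])
    return events


# Constructed host profile mirroring the categories the page lists.
SAMPLE_PROFILE = {
    "os": "Windows 7",
    "arch": "x64",
    "admin": False,
    "processes": ["explorer.exe", "chrome.exe"],
}

if __name__ == "__main__":
    c2 = MockC2(BLOCKED_COUNTRIES, "http://c2.example/stage2.bin")
    for ip in GEOIP_TABLE:
        print(ip, lookup_country(ip),
              run_loader(c2, ip, "bot-" + ip, SAMPLE_PROFILE))
```

Running the model from a US or French address produces nothing beyond the initial check-in, which is exactly what a sandbox in one of those countries would record. To see the second-stage request an analyst has to egress from a targeted country, or stand in for the server with a fake C2 that answers regardless of origin.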

First-stage payloads like the SnatchLoader are meant to collect basic information about the compromised system and make sure that it is suitable for a secondary payload that the attackers will choose. Using a reputable anti-virus product can stop threats like the SnatchLoader before they get the opportunity to deploy additional malware.
