Analytics Story: SnappyBee

Description

SnappyBee is a stealthy malware variant designed to exfiltrate sensitive data while evading traditional security measures. It primarily spreads through phishing emails, malicious attachments, and drive-by downloads. Once executed, SnappyBee establishes persistence by modifying system registries and injecting malicious code into legitimate processes. It employs advanced obfuscation techniques to avoid detection, including polymorphic encryption and sandbox evasion. The malware actively monitors user activities, capturing credentials, keystrokes, and network traffic before transmitting the stolen data to a remote command-and-control (C2) server. This analytic story is designed to detect possible MITRE ATT&CK tactics and techniques related to SnappyBee malware.

Why it matters

SnappyBee emerged as a highly evasive malware designed for data theft and espionage. Initially spotted in targeted phishing campaigns, it quickly gained notoriety for its stealth and adaptability. Cybersecurity researchers found that SnappyBee disguises itself as legitimate software, infecting systems through malicious email attachments, compromised websites, and software cracks. Once activated, it burrows deep into the system, modifying registries and injecting code into trusted processes to remain undetected. Advanced evasion techniques, such as polymorphic encryption and sandbox detection, make traditional signature-based security ineffective. SnappyBee’s primary goal is to steal credentials, keystrokes, and network data, transmitting them to remote attackers. Continuous monitoring and proactive threat intelligence remain crucial to counter this evolving cyber menace.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Detect Rare Executables | User Execution | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Windows Anonymous Pipe Activity | Inter-Process Communication | Hunting |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Process Execution From ProgramData | Match Legitimate Name or Location | Anomaly |
| Windows Query Registry Browser List Application | Query Registry | Anomaly |
| Windows Service Creation on Remote Endpoint | Windows Service | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly |
| Windows SnappyBee Create Test Registry | Modify Registry | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP |
| Windows Svchost.exe Parent Process Anomaly | Break Process Trees | Anomaly |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL Side-Loading | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1