Technical Analysis of SnappyClient | ThreatLabz

Key Takeaways

• SnappyClient is a new C++-based C2 framework implant delivered via HijackLoader, primarily targeting cryptocurrency assets.
• It employs advanced evasion techniques including AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing.
• The malware uses a custom network communication protocol encrypted with ChaCha20-Poly1305.
• It bypasses Chromium's App-Bound Encryption by instantiating the IElevator COM interface via transacted hollowing to steal browser data.
• SnappyClient receives dynamic configuration files (EventsDB and SoftwareDB) to dictate conditional actions and target specific applications for data theft.

Affected Systems

• Windows OS
• Chromium-based browsers
• Mozilla-based browsers
• Cryptocurrency wallets (Coinbase, Metamask, Phantom, etc.)

Attack Chain

The attack begins with a phishing page impersonating Telefónica or via ClickFix campaigns, delivering a HijackLoader executable. Once executed, HijackLoader decrypts and loads the SnappyClient payload into memory using transacted hollowing and direct system calls. SnappyClient establishes persistence via scheduled tasks or registry run keys, bypasses AMSI, and connects to its C2 server using a custom ChaCha20-Poly1305 encrypted protocol. It then receives configuration files (EventsDB and SoftwareDB) to monitor the clipboard for cryptocurrency addresses, steal browser credentials (bypassing Chromium App-Bound Encryption), and provide remote access via hidden VNC/proxies.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but offers Python scripts for configuration decryption on the ThreatLabz GitHub repository.

Detection Engineering Assessment

EDR Visibility: Medium — SnappyClient uses direct system calls, Heaven's Gate, and transacted hollowing which can evade user-mode API hooks, reducing visibility for some EDRs. However, scheduled task creation, registry modifications, and cross-process injection into browsers for IElevator COM instantiation may be detected. Network Visibility: Low — Network traffic is heavily encrypted using a custom ChaCha20-Poly1305 protocol over TCP, making payload inspection difficult without the specific session keys. Detection Difficulty: Hard — The combination of AMSI patching, direct system calls, transacted hollowing, and custom encrypted C2 communications makes behavioral and network detection challenging.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Registry Events (Sysmon 12, 13, 14)
• Scheduled Task Activity (Event ID 4698)
• Image Load (Sysmon 7)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unexpected processes instantiating the IElevator COM interface, which may indicate an attempt to bypass Chromium App-Bound Encryption.	COM Object Instantiation / Process Execution	Credential Access	Low
Monitor for processes creating scheduled tasks that trigger on user logon where the task path points to the current process executable, especially from temporary or user profile directories.	Scheduled Tasks	Persistence	Medium
Hunt for processes loading amsi.dll followed by suspicious memory modifications or anomalous API calls, indicating potential AMSI patching.	Image Load / Memory	Defense Evasion	Medium

Control Gaps

• User-mode API hooking (bypassed via Heaven's Gate and direct syscalls)
• AMSI (bypassed via LoadLibraryExW hooking)

Key Behavioral Indicators

• Transacted hollowing patterns
• IElevator COM interface usage by non-browser processes
• Scheduled tasks pointing to user-space executables triggering on logon

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block known HijackLoader and SnappyClient delivery domains/IPs if available from threat intel feeds.
• Isolate endpoints showing signs of transacted hollowing or unexpected IElevator COM usage.

Infrastructure Hardening

• Implement application control to prevent execution of unapproved binaries from user profile directories.
• Restrict the creation of scheduled tasks by standard users.

User Protection

• Deploy EDR solutions capable of detecting direct system calls and Heaven's Gate evasion techniques.
• Enable hardware-backed credential protection features where available.

Security Awareness

• Train users to identify phishing pages, particularly those impersonating telecom providers like Telefónica or software updates (ClickFix).
• Educate users on the risks of downloading executables from untrusted sources.

MITRE ATT&CK Mapping

• T1566 - Phishing
• T1204.002 - User Execution: Malicious File
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1140 - Deobfuscate/Decode Files or Information
• T1027 - Obfuscated Files or Information
• T1055 - Process Injection
• T1555 - Credentials from Password Stores
• T1539 - Steal Web Session Cookie
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1010 - Application Window Discovery
• T1057 - Process Discovery
• T1082 - System Information Discovery
• T1083 - File and Directory Discovery
• T1056.001 - Input Capture: Keylogging
• T1113 - Screen Capture
• T1115 - Clipboard Data
• T1573 - Encrypted Channel
• T1041 - Exfiltration Over C2 Channel

Additional IOCs

• Registry Keys:
  • Software\Microsoft\Windows\CurrentVersion\Run - Used for registry-based persistence.
• File Paths:
  • amsi.dll - Targeted for AMSI bypass via LoadLibraryExW hooking.
• Command Lines:
  • Purpose: Execute payload as a DLL | Tools: rundll32.exe | Stage: Execution | rundll32.exe
• Other:
  • {COMPUTERNAME}{USERNAME} - Format string used to generate the named shared memory and mutex for single-instance checking.