Malware analysis report: SNOWYAMBER (+APT29 related malwares)

This report provides a comprehensive analysis of the SNOWYAMBER dropper, and it’s modifications, a sophisticated piece of malware attributed to the Advanced Persistent Threat group APT29. The group is believed to be tied to the Russian government and has been linked to numerous cyber espionage operations.

Threat actor

APT29, also known as The Dukes or Cozy Bear, is a highly sophisticated and well-resourced cyber espionage group believed to be associated with the Russian government. It has been operating since at least 2008.


While the group’s exact location is unknown, multiple cybersecurity research groups and government agencies attribute APT29 to Russia. Their targets are typically spread across the globe, with a specific focus on government organizations, think-tanks, healthcare organizations, and energy sectors.


APT29 is known for its persistent and evolving tactics, which include a combination of advanced techniques and procedures:

Spear-Phishing: APT29 commonly utilizes spear-phishing campaigns for initial compromise. These usually involve emails with either a malicious attachment or a link to a malicious website. Their spear-phishing attacks often involve the use of legitimate web services, such as Google accounts, to host their payload and seem less suspicious.

Use of Zero-days and Exploits: The group is known to use zero-day exploits as well as known vulnerabilities to infiltrate networks. They were known to exploit vulnerabilities such as CVE-2017-11292 (Adobe Flash), CVE-2017-8759 (.NET Framework), and CVE-2017-0199 (Microsoft Office/WordPad).

Living-off-the-Land Tactics: APT29 frequently employs “living-off-the-land” tactics, where they use legitimate system tools and processes to hide their activities and maintain persistence. For instance, they have been known to use PowerShell for scripting, WMI for persistence, and PsExec for lateral movement.

Custom Malware: The group uses a variety of custom backdoors and droppers, including but not limited to MiniDuke, CosmicDuke, OnionDuke, and CozyDuke. More recently, they have been associated with the WellMess and WellMail malware.

Stealth and Long-term Persistence: APT29 is known for its stealthy operations and ability to maintain a long-term presence on infiltrated networks without detection. They often do so by limiting their activities during the working hours of the target’s local time zone to mimic legitimate users and avoid raising alerts.

Data Exfiltration: APT29 is known for extracting sensitive information from the infiltrated networks. They often do this very slowly and cautiously to avoid detection. The group is believed to be interested in gathering intelligence related to foreign policy, defense, international relations, and similar topics.

Malware features

Through our analysis, we have identified the following notable features of the SNOWYAMBER dropper:

Infection capabilities: The malware is typically introduced to the victim’s machine via spear phishing, hiding in documents that prompt the user to enable macros. (High Confidence)

Capacity for self-preservation: The malware employs anti-analysis and persistence mechanisms, which include obfuscation techniques, disabling security tools, and creating Registry keys to survive reboots. (High Confidence)

Diffusion mechanism: The dropper, upon execution, deploys additional payloads on the infected machine, and may also propagate laterally within the network. (Medium Confidence)

Data exfiltration capabilities: The malware appears capable of collecting system information and sending it to a Command and Control (C2) server. (High Confidence)

C2 mechanisms: The malware uses encrypted HTTP requests for C2 communication. (High Confidence)


Among the malware samples analysed, the most interesting are following.

Three samples are being investigated:

sample.exe – this file is worked for injection:

File size: 205824 bytes
MD5 sum: 109f05770bf8550f71b39ceaffc6e42e
SHA-1 sum: 72b57b47649f145ba341420fa0a4624810c011d9
SHA-256 sum: 287543c235cf68695373d367144c51a0236879e614e8ea4634b82e5336785edc

First of all, check our sample via VirusTotal:

So, 2 of 70 AV engines detect our sample as malicious.

This sample is written in C++ and uses multiple malware development tricks: WinAPI functions call by hash, string obfuscation and encryption, time distortion.

Static analysis

The specified sample is a PE file:

file <sample.exe>
hexdump -C <sample.exe>

Use exiftool for looking metadata:

exiftool <sample.exe>

And we see that file timestamp is 2023-02-25 22:07:22+03.00

Executable sample is not packed by upx:

upx -l <sample.exe>

What about Shannon entropy of the sample:

Analysze with DIE says that the compiler is Microsoft Visual Studio 2019:

dynamic analysis

Contacted IP addresses is:

The main logic starts with the int start function.

Then arbitrary computations are performed: this is a popular sandbox bypass trick. And run switch logic:

Also use WinAPI functions:


Here use an event object to track the TimeRoutine execution, create the timer queue, then set a timer to call the timer routine in 10 seconds.

This implementation sets up asynchronous timers using CreateTimerQueueTimer. Each executes one after the other and does the following tasks: Wait a specific time period.

When executed, the injector reads the resource, decrypts it by RC4 algorithm, allocates memory, copies sections, processes relocks, and transfers control to the entry point.

What about injection technique. It’s PE injection.

All NT API functions are replaced by calling equivalent syscalls from

sample2.exe – this sample is an encryptor:

File size: 214528 bytes
MD5 sum: 107dae5b9c61c962e0d604cd70a1d8ae
SHA-1 sum: 3752be6b162bacb0d7c12b6d122c9dbaf3ad6223
SHA-256 sum: a89150f159c1c9d053365ac38625f783642bc4c16a693cb106d715819acc677b

Check it via VirusTotal:

So, 2 of 70 AV engines detect our sample as malicious.

This encryptor encrypts the payload with the RC4 algorithm, then the result is attached to the injector with the resource.

Encryptor use 2 params: Input file and output file.

Classic RC4 algorithm:

There is a simple reimplementation this logic:

VOID rc4crypt(PBYTE data, PCSTR key, UINT keyLen, UINT dataLen) {
unsigned char* T = (unsigned char*)HeapAlloc(GetProcessHeap(), 0, 256);
unsigned char* S = (unsigned char*)HeapAlloc(GetProcessHeap(), 0, 256);
unsigned char tmp; // to be used in swaping
int j = 0, t = 0, i = 0;

/* S & K initialization */
for (int i = 0; i < 256; i++) {
S[i] = i;
T[i] = key[i % keyLen];

/* State Permutation */
for (int i = 0; i < 256; i++) {
j = (j + S[i] + T[i]) % 256;

//Swap S[i] &amp; S[j]
tmp = S[j];
S[j] = S[i];
S[i] = tmp;

j = 0; // reintializing j to reuse it
for (int x = 0; x < dataLen; x++) {
i = (i + 1) % 256; // using %256 to avoid exceed the array limit
j = (j + S[i]) % 256; // using %256 to avoid exceed the array limit

//Swap S[i] &amp; S[j]
tmp = S[j];
S[j] = S[i];
S[i] = tmp;

t = (S[i] + S[j]) % 256;

data[x] = data[x] ^ S[t]; // XOR generated S[t] with Byte from the plaintext / cipher and append each Encrypted/Decrypted byte to result array


HeapFree(GetProcessHeap(), 0, T);
HeapFree(GetProcessHeap(), 0, S);

The encryption/decryption key is:

PCSTR key = “C2B55923”;

sample3.exe – this sample plays the role of a reverse shell:

File size: 9216 bytes
MD5 sum: 68d957f5fbb2f2078da9059995ece969
SHA-1 sum: 545ccdb7e68c6cef6271698c0815db33625aae03
SHA-256 sum: 6dc1393ccacd031fa0141aa312d55deb2552a7a95c3ae21856c82beb21a554bd

First of all, check our sample via VirusTotal:

So, 14 of 71 AV engines detect our sample as malicious.

More of them detect file as Gen:Heur.Loregun.19.

Contacted IP addresses:

The logic of this sample is pretty simple: create a socket, listen on it, transfer all I/O to the socket.

Malware evasion tricks

RVA to offset:

We restored WinAPI hashing logic:

#define UPCASE(wch)
(((wch) >= ‘a’) && ((wch) <= ‘z’) ?
((wch) + (‘a’-‘A’))

ULONG HashA(PCSTR key, SIZE_T length, ULONG seed) {
ULONG TmpHashValue = 0;
SIZE_T len = length;
while (len– != 0) {
CHAR Char = *key++;
TmpHashValue = (TmpHashValue * 65599) + UPCASE(Char);
TmpHashValue ^= seed;
return TmpHashValue;

ULONG HashW(PCWSTR key, SIZE_T length, ULONG seed) {
ULONG TmpHashValue = 0;
SIZE_T len = length;
while (len– != 0) {
WCHAR Char = *key++;
TmpHashValue = (TmpHashValue * 65599) + UPCASE(Char);
TmpHashValue ^= seed;
return TmpHashValue;

and hashing table:



Sigma rule

title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
– id: f016c716-754a-467f-a39e-63c06f773987
type: obsoletes
status: experimental
description: Detects uncommon target processes for remote thread creation
author: Florian Roth (Nextron Systems)
date: 2022/03/16
modified: 2023/05/05
– attack.defense_evasion
– attack.privilege_escalation
– attack.t1055.003
product: windows
category: create_remote_thread
– ‘calc.exe’
– ‘calculator.exe’
– ‘explorer.exe’
– ‘mspaint.exe’
– ‘notepad.exe’
– ‘ping.exe’
– ‘sethc.exe’
– ‘spoolsv.exe’
– ‘wordpad.exe’
– ‘write.exe’
StartFunction: ‘EtwpNotificationThread’
SourceImage|contains: ‘unknown process’
SourceImage: ‘C:WindowsSystem32csrss.exe’
TargetImage: ‘C:WindowsSystem32spoolsv.exe’
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
– Unknown
level: high


Running code in the context of another process may allow a threat actor to access the process’s memory, system/network resources, and possibly elevated privileges. PE injection is commonly used by malware for persistent infection and evasion of detection.

LoadPE Injection is a technique that involves loading a PE file into the memory of a process. In a typical LoadPE Injection scenario, the following steps occur:

The malware allocates space in its own process for the PE file.
The malware reads the PE file from disk into the allocated space.
The malware resolves import addresses for the PE file.
The malware creates a remote thread in a target process.
The malware injects the PE file into the address space of the target process.
The malware initiates execution of the injected PE file in the target process.

This technique allows malware to avoid many behavioral detection strategies. It allows the malicious PE to be executed without ever being directly loaded or written to the disk, making it more difficult for traditional antivirus software to detect.

As we can see, the technique is not new but is still used in 2023.

We believe that this is either a new modification of Snowyamber or a new Conti style malware family, since any Russian related groups use ContiLeaks. ContiLeaks is a turning point in the cybercrime ecosystem, and in this case, we can expect a lot of changes in how cybercriminal organizations operate.

By Cyber Threat Hunters from MSSPLab:



SNOWYAMBER Malware Analysis Report
Process Injection

Thanks for your time happy hacking and good bye!
All drawings and screenshots are MSSPLab’s

Article Link: Malware analysis report: SNOWYAMBER (+APT29 related malwares) – MSSP Lab

1 post – 1 participant

Read full topic