A new technical analysis by Darktrace has peeled back the layers of SnappyBee (also known as Deed RAT), a sophisticated modular backdoor attributed to the China-linked threat group Salt Typhoon (Earth Estries).
The analysis serves as a masterclass in malware reverse engineering, exposing how advanced persistent threats (APTs) are moving toward “highly modular and low-friction malware toolkits” to evade detection and maintain long-term persistence.
SnappyBee is not a “smash and grab” tool; it is a phantom designed for post-compromise entrenchment. Darktrace notes that the malware is typically deployed “after the attacker has already obtained access to a customer’s system, and is used to establish long-term persistence as well as deploying further malware such as Cobalt Strike and the Demodex rootkit”.
To stay hidden, SnappyBee employs a “custom packing routine”—a technique used to obscure the malicious payload by hiding it inside a shell of innocent-looking code.
One of its cleverest tricks is DLL side-loading. The malware package includes a “legitimate signed executable that is vulnerable to DLL side-loading”. When this safe program runs, it inadvertently loads the malicious SnappyBee DLL instead of the real one. This sleight of hand allows the malware to “appear more legitimate to antivirus solutions,” blending in with authorized system processes.
The analysis reveals a complex chain of events once the malware executes. Rather than simply running its payload, SnappyBee performs a delicate surgical operation on the system’s memory.
It dynamically resolves Windows APIs like VirtualProtect and StartServiceCtrlDispatcherW at runtime to avoid leaving static fingerprints. It then “hooks” the dispatcher function, redirecting the legitimate executable’s control flow back to the malware.
“The hooked-in function then reads the data file that is shipped with SnappyBee and loads it into a new memory allocation,” the report explains.
Once loaded, the malware uses the ARC4 cipher (via the mbedtls library) to decrypt its core payload in memory. By keeping the malicious code encrypted until the very last millisecond, SnappyBee reduces the “forensic ‘surface area’ of the malware, helping it to evade detection from anti-malware solutions”.
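The practical consequence for an analyst is that the data file shipped beside the loader is useless on disk until it is decrypted, which is exactly the “manual unpacking” step the report calls for. The following is an added example, not code from Darktrace or from the malware: a pure-Python ARC4 (RC4) implementation in place of mbedtls, plus a check that a candidate key yields an MZ/PE image. The key and the encrypted blob are constructed here for illustration and are not SnappyBee artifacts.

```python
"""Added example: ARC4 decryption as used when manually unpacking a payload
that a loader only decrypts in memory. Nothing here is recovered from a real
sample; the key and blob are constructed for the demonstration."""


def arc4_keystream(key: bytes):
    """Generate the ARC4 keystream for `key` (KSA followed by PRGA)."""
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: yield one keystream byte per call.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def arc4_crypt(key: bytes, data: bytes) -> bytes:
    """ARC4 is symmetric: the same call encrypts and decrypts."""
    ks = arc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """True if `blob` starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(candidates, ciphertext: bytes):
    """Return the first candidate key whose decryption is a PE image, else None.

    Candidate keys would normally come from strings or constants recovered
    while debugging the loader; here they are supplied by the caller."""
    for key in candidates:
        if looks_like_pe(arc4_crypt(key, ciphertext)):
            return key
    return None


# Constructed stand-in for the shipped data file: a minimal fake PE header
# (MZ magic, e_lfanew = 0x40, 'PE\0\0' signature) encrypted under a made-up key.
_fake = bytearray(0x80)
_fake[0:2] = b"MZ"
_fake[0x3C:0x40] = (0x40).to_bytes(4, "little")
_fake[0x40:0x44] = b"PE\0\0"
FAKE_PE = bytes(_fake)
SAMPLE_KEY = b"constructed-key"          # hypothetical, not a real malware key
ENCRYPTED_BLOB = arc4_crypt(SAMPLE_KEY, FAKE_PE)

if __name__ == "__main__":
    hit = try_keys([b"wrong-guess", SAMPLE_KEY], ENCRYPTED_BLOB)
    print("recovered key:", hit)
    print("decrypted image is PE:", looks_like_pe(arc4_crypt(hit, ENCRYPTED_BLOB)))
```

The PE-header check is what makes this usable as an unpacking aid rather than a cipher demo: an analyst stepping through the loader can dump the key material it passes to mbedtls, feed it to `try_keys`, and write the decrypted image to disk for static analysis instead of relying on whatever the anti-malware engine happened to catch.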
For security operations centers (SOCs), threats like SnappyBee represent a significant challenge. Relying on static hash-based detections is no longer enough when the malware constantly changes its shape.
The Darktrace analysis underscores the vital need for analysts to develop deep technical capabilities, such as manual unpacking and dynamic debugging. As the report concludes, “Without the technical capability to reliably unpack and observe these samples, organizations are forced to respond without the full picture”.
By dissecting these toolkits, defenders can move from reactive cleanup to proactive defense, reducing dwell time and identifying the “behavior-based indicators” that betray even the most stealthy intruder.