
Snake Keylogger Variant

A new variant of the Snake Keylogger is actively targeting Windows users in China, Turkey, Indonesia, Taiwan and Spain. Researchers tracking this version have linked it to more than 280 million infection attempts worldwide since the beginning of the year, which gives a sense of the scale of the campaign.

The Phishing Trap: How the Snake Keylogger Spreads

The primary delivery method for the Snake Keylogger remains phishing email carrying malicious attachments or links. Once the recipient opens the attachment or follows the link, the malware runs on the host and begins harvesting sensitive data: it steals saved credentials from widely used Web browsers such as Chrome, Edge and Firefox, records keystrokes and monitors clipboard activity.

Exfiltrating Data Over SMTP and Telegram

The Snake Keylogger doesn't stop at harvesting information; it also makes sure the stolen data reaches the attackers. Exfiltrated credentials and other sensitive details are sent either through the Simple Mail Transfer Protocol (SMTP) or via Telegram bots. Both are ordinary, widely permitted outbound protocols, so the exfiltration traffic blends in with legitimate mail and messaging and can slip past controls that only look for known command-and-control infrastructure. A practical consequence for defenders is that SMTP connections from processes that are not mail clients, and connections to the Telegram API from processes that have no business using it, are worth alerting on.

AutoIt: A Clever Evasion Technique

What sets this latest wave of attacks apart is the use of the AutoIt scripting language to deliver the primary payload. The keylogger is embedded within an AutoIt-compiled binary, which helps it evade traditional detection mechanisms. Because the AutoIt runtime is a legitimate, widely used automation tool, the compiled binary looks unremarkable to static scanners and signature engines, and its runtime behavior resembles that of ordinary automation scripts, further masking its presence.

Establishing Persistence on Compromised Systems

Once executed, the Snake Keylogger ensures it remains active on the infected system. It drops a copy of itself as 'ageless.exe' in the '%Local_AppData%\supergroup' directory. To strengthen its foothold, it also places a Visual Basic Script (VBS) file named 'ageless.vbs' in the Windows Startup folder. Each time the user logs on, Windows runs the script, which relaunches the malware, so killing the running process is not enough: both 'ageless.vbs' and 'ageless.exe' have to be removed or the infection returns at the next logon.

Process Hollowing: Hiding in Plain Sight

The final stage of the attack injects the primary payload into a legitimate .NET process, such as 'regsvcs.exe,' using a technique known as process hollowing. The keylogger then runs under the name and on-disk image of a trusted, signed binary, which makes it significantly harder to detect: the file on disk is clean, so file-based scanning passes, and only the process's memory and its unusual parent (the dropped 'ageless.exe' rather than an installer or developer tool) give it away.

Logging Keystrokes and Tracking Victims

Beyond stealing stored credentials, the Snake Keylogger also monitors user activity by logging keystrokes. It calls the SetWindowsHookEx API with the WH_KEYBOARD_LL hook type (hook ID 13), a low-level keyboard hook that receives every keystroke on the desktop before it reaches the target application. This lets it record sensitive input, including banking details and passwords. Additionally, the malware contacts external services such as checkip.dyndns.org to look up the victim's public IP address and geolocation, enriching the data it collects about each victim.
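The behaviours described in the sections above (the dropped 'ageless.exe' and Startup-folder VBS, 'regsvcs.exe' launched by a parent in a user-writable directory, the checkip.dyndns.org lookup, and exfiltration over SMTP or to Telegram) are all visible in endpoint telemetry. The following is an added hunting example, not code from the page's source or from the malware: it runs a small rule set over constructed Sysmon-style events (the event schema, process IDs, paths and hostnames are invented for illustration) and escalates a process when it trips a direct indicator or two or more behavioural rules.

```python
"""Hunt for the Snake Keylogger behaviours described on this page in
Sysmon-style telemetry.  Added example (not vendor or malware code); the
event schema, pids and paths below are constructed for illustration."""
import re
from collections import defaultdict

# Paths a low-privilege user can write to; a legitimate .NET tool such as
# regsvcs.exe is rarely launched by a parent living in one of these.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".lnk")
HOLLOW_HOSTS = {"regsvcs.exe"}        # benign .NET binary the page names as the injection target
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist; tune per environment
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}
TELEGRAM_DOMAIN = "telegram.org"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, process_key) pairs for one event.  Keying on pid rather than
    image path matters: a hollowed regsvcs.exe has the same on-disk path as a
    benign one, so file-based checks alone cannot separate them."""
    hits = []
    img = ev.get("image", "")
    key = f"{basename(img)}[{ev['pid']}]"
    if ev["id"] == 11:                                    # FileCreate
        tgt = ev["target"]
        if tgt.lower().endswith(r"\supergroup\ageless.exe"):
            hits.append(("ioc_dropper_path", key))
        if STARTUP_DIR.search(tgt) and tgt.lower().endswith(SCRIPT_EXT):
            hits.append(("startup_script_persistence", key))
    elif ev["id"] == 1:                                   # ProcessCreate
        if basename(img) in HOLLOW_HOSTS and USER_WRITABLE.search(ev["parent_image"]):
            hits.append(("dotnet_host_from_user_writable_parent", key))
    elif ev["id"] == 3:                                   # NetworkConnect
        host = ev.get("dest_host", "").lower()
        if ev["dest_port"] in MAIL_PORTS and basename(img) not in MAIL_CLIENTS:
            hits.append(("smtp_from_non_mail_client", key))
        if host == TELEGRAM_DOMAIN or host.endswith("." + TELEGRAM_DOMAIN):
            hits.append(("telegram_api_contact", key))
    elif ev["id"] == 22:                                  # DnsQuery
        if ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("public_ip_lookup", key))
    return hits


def hunt(events):
    """Collect every rule each process tripped: {process_key: sorted rule names}."""
    by_proc = defaultdict(set)
    for ev in events:
        for rule, key in check_event(ev):
            by_proc[key].add(rule)
    return {k: sorted(r) for k, r in by_proc.items()}


def escalate(findings):
    """A direct IOC hit, or two or more behavioural rules on one process, is escalated."""
    return sorted(k for k, rules in findings.items()
                  if "ioc_dropper_path" in rules or len(rules) >= 2)


# Constructed sample telemetry: one infection chain plus benign noise.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\invoice_4421.exe"
AGELESS = r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
STARTUP_VBS = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\ageless.vbs")
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3000, "image": DROPPER, "parent_image": OUTLOOK},
    {"id": 11, "pid": 3000, "image": DROPPER, "target": AGELESS},
    {"id": 11, "pid": 3101, "image": AGELESS, "target": STARTUP_VBS},
    {"id": 1, "pid": 4412, "image": REGSVCS, "parent_image": AGELESS},
    {"id": 22, "pid": 4412, "image": REGSVCS, "query": "checkip.dyndns.org"},
    {"id": 3, "pid": 4412, "image": REGSVCS, "dest_host": "smtp.example.net", "dest_port": 587},
    {"id": 3, "pid": 4412, "image": REGSVCS, "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign: an installer legitimately running regsvcs.exe, and Outlook sending mail.
    {"id": 1, "pid": 5120, "image": REGSVCS, "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "pid": 2200, "image": OUTLOOK, "dest_host": "smtp.office365.com", "dest_port": 587},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for proc in escalate(findings):
        print(f"ESCALATE {proc}: {', '.join(findings[proc])}")
```

The rules deliberately avoid keying on the hollowed process's image path: 'regsvcs.exe' spawned by 'msiexec.exe' produces no finding, while the same binary spawned from '%Local_AppData%\supergroup' and then resolving checkip.dyndns.org and talking to SMTP and Telegram accumulates four rules on one process ID. On real hosts, replace the constructed events with Sysmon event IDs 1, 3, 11 and 22 and key on ProcessGuid rather than pid.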

A Persistent and Evolving Threat

The resurgence of the Snake Keylogger shows how an established malware family keeps pace with defenses. By adopting techniques such as AutoIt packaging and process hollowing, it continues to evade detection while compromising large numbers of systems. Staying informed about its methods, treating unexpected email attachments and links with caution, and monitoring for the persistence and exfiltration behaviors described above remain the most effective ways to limit the risk from this persistent threat.
