SnappyClient Malware
SnappyClient is a Remote Access Trojan (RAT) written in C++ and delivered by a loader known as HijackLoader. It gives cybercriminals remote control over compromised systems and lets them extract sensitive data. Once running on a device, the malware connects to a Command-and-Control (C2) server, receives instructions from it, and carries out the requested operations.
Evasion Techniques and System Manipulation
To remain undetected, SnappyClient interferes with built-in Windows security mechanisms. A key tactic is tampering with the Antimalware Scan Interface (AMSI), the component that security products use to scan scripts and other code for malicious content. Rather than letting AMSI report an honest verdict, the malware alters the result AMSI returns so that malicious content is treated as clean.
The malware also relies on an internal configuration list that dictates its behavior. These settings determine what data is collected, where it is stored, how persistence is maintained, and whether execution continues under certain conditions. The persistence settings in this configuration are what keep the malware running across system reboots.
Additionally, SnappyClient retrieves two encrypted files from attacker-controlled servers. These files are stored in a concealed format and are used to dynamically control the malware’s functionality on the infected system.
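The article does not say exactly how SnappyClient alters AMSI's verdict, so the following is an added example (not SnappyClient code, nor from the original article) of the check a defender would run: it compares the prologue bytes of an AMSI export as mapped in a process against the same bytes from the image on disk and names the patch if it matches a well-known stub. It assumes the common technique of overwriting the start of AmsiScanBuffer; the "on-disk" bytes below are a constructed stand-in rather than the real function prologue, and on a live host both inputs would come from ReadProcessMemory and the file on disk.

```python
"""Heuristic detector for in-memory patching of an AMSI export.

Added example, not SnappyClient code. All byte strings here are constructed
so the check runs offline; the patch stubs are the ones commonly used by AMSI
bypass tooling (assumption, not a claim about this malware's exact bytes).
"""
import struct

# Short-circuit stubs commonly written over AmsiScanBuffer (assumed patterns):
#   mov eax, 0x80070057 ; ret -> return E_INVALIDARG, caller never gets a verdict
#   xor eax, eax ; ret        -> return S_OK with the result buffer left "clean"
#   ret                       -> return immediately
KNOWN_STUBS = {
    "mov eax, E_INVALIDARG; ret": bytes.fromhex("B857000780C3"),
    "xor eax, eax; ret": bytes.fromhex("31C0C3"),
    "xor eax, eax; ret (alt encoding)": bytes.fromhex("33C0C3"),
    "ret": bytes.fromhex("C3"),
}

# Constructed stand-in for the clean on-disk prologue (NOT the real amsi.dll bytes).
CLEAN_PROLOGUE = bytes.fromhex("4C8BDC49895B0849897310574883EC70")


def classify_prologue(live: bytes, disk: bytes, window: int = 16) -> dict:
    """Compare the first `window` bytes of a function as mapped in memory with
    the same bytes from the on-disk image and describe any modification."""
    live_w, disk_w = live[:window], disk[:window]
    if live_w == disk_w:
        return {"patched": False, "reason": "prologue matches on-disk image"}

    # First offset where memory and disk disagree (or the length mismatch point)
    diff_off = next(
        (i for i, (a, b) in enumerate(zip(live_w, disk_w)) if a != b),
        min(len(live_w), len(disk_w)),
    )

    # 1. Known return stubs written over the entry point
    for name, stub in KNOWN_STUBS.items():
        if live_w.startswith(stub):
            return {"patched": True, "reason": f"known stub: {name}", "offset": 0}

    # 2. Inline hooks: jmp rel32 (E9) or jmp [rip+disp32] (FF 25) at the entry
    if live_w[:1] == b"\xe9" and len(live_w) >= 5:
        rel = struct.unpack_from("<i", live_w, 1)[0]
        return {"patched": True, "reason": f"jmp rel32, displacement {rel:#x}", "offset": 0}
    if live_w[:2] == b"\xff\x25":
        return {"patched": True, "reason": "jmp [rip+disp32] trampoline", "offset": 0}

    # 3. Anything else: report the first differing byte for manual triage
    return {"patched": True, "reason": "unrecognised modification", "offset": diff_off}


if __name__ == "__main__":
    # Constructed "live" image: entry overwritten with mov eax, E_INVALIDARG; ret
    patched = KNOWN_STUBS["mov eax, E_INVALIDARG; ret"] + CLEAN_PROLOGUE[6:]
    print(classify_prologue(CLEAN_PROLOGUE, CLEAN_PROLOGUE))
    print(classify_prologue(patched, CLEAN_PROLOGUE))
```

The check is deliberately narrow: it only inspects the function entry, so a patch deeper inside the function or a modification of the result buffer after the call would not be caught. Pair it with a comparison of the whole .text section against the on-disk image when a positive result needs confirmation.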
Extensive System Control Capabilities
SnappyClient provides attackers with deep control over compromised devices. It can capture screenshots and transmit them to remote operators, offering direct insight into user activity. The malware also enables full process management, allowing attackers to monitor, suspend, resume, or terminate running processes. Furthermore, it supports code injection into legitimate processes, helping it operate covertly within the system.
File system manipulation is another core capability. The malware can browse directories, create or delete files and folders, and copy, move, rename, compress, or extract archives, including password-protected ones. It can also execute files and inspect shortcuts.
Data Theft and Surveillance Functions
A major objective of SnappyClient is data exfiltration. It includes a built-in keylogger that records keystrokes and sends the captured data to attackers. Beyond that, it extracts a wide range of sensitive information from browsers and other applications, including login credentials, cookies, browsing history, bookmarks, session data, and extension-related information.
The malware can also search for and steal specific files or directories based on attacker-defined filters such as file names or paths. In addition to exfiltration, it is capable of downloading files from remote servers and storing them locally on the infected machine.
Advanced Execution and Exploitation Features
SnappyClient supports multiple methods for executing malicious payloads. It can run standard executable files, load dynamic-link libraries (DLLs), or extract and execute content from archived files. It also allows attackers to define execution parameters such as working directories and command-line arguments. In some cases, it attempts to bypass User Account Control (UAC) to gain elevated privileges.
Other notable features include the ability to launch hidden browser sessions, which lets attackers monitor and manipulate web activity without the user's knowledge. It also provides a command-line interface for executing system commands remotely. Clipboard manipulation is another dangerous function: it is typically used to replace a cryptocurrency wallet address the user has copied with one controlled by the attackers, so that a payment is silently redirected.
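To make the clipboard-swapping behaviour concrete, here is an added example (written for this page, not code from SnappyClient or the original article) showing the logic a clipper uses and a behavioural check a defender can run against a clipboard-change log. The address regular expressions, the attacker addresses and the event log are all constructed; the detection rule assumes that a clipper rewrites the clipboard within a fraction of a second of the user's copy, which is what distinguishes it from a user copying a second address.

```python
"""Clipper behaviour and a behavioural detector for it.

Added example, not SnappyClient code. Address patterns are approximate and
constructed for illustration; a real deployment would validate checksums.
"""
import re

# Approximate wallet address formats (constructed; legacy BTC, bech32 BTC, ETH, TRON)
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[A-Za-z0-9]{33}$"),
}


def address_kind(text: str):
    """Return the address family the clipboard text looks like, or None."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def clipper_replace(clipboard: str, attacker_addresses: dict) -> str:
    """What the malware does: swap a copied address for the attacker's of the same kind."""
    kind = address_kind(clipboard)
    if kind in attacker_addresses:
        return attacker_addresses[kind]
    return clipboard


def detect_swaps(events, max_gap_seconds: float = 2.0):
    """Defender side. `events` is a list of (timestamp_seconds, clipboard_text)
    in order. Flag a rewrite when one address is replaced by a different
    address of the same kind faster than a human could copy a new one."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        kind_prev, kind_cur = address_kind(prev), address_kind(cur)
        if (
            kind_prev is not None
            and kind_prev == kind_cur
            and prev.strip() != cur.strip()
            and (t_cur - t_prev) <= max_gap_seconds
        ):
            alerts.append({"at": t_cur, "kind": kind_cur, "from": prev, "to": cur})
    return alerts


# Constructed sample data (not real addresses or a real capture)
USER_ETH = "0x" + "a1" * 20
ATTACKER = {"eth": "0x" + "bb" * 20, "btc_legacy": "1" + "B" * 33}
SAMPLE_EVENTS = [
    (0.00, "meeting notes for Tuesday"),
    (5.20, USER_ETH),                                 # user copies their address
    (5.25, clipper_replace(USER_ETH, ATTACKER)),      # clipper rewrites it 50 ms later
    (40.0, "1" + "A" * 33),                           # user copies a BTC address
    (70.0, "1" + "C" * 33),                           # user copies a different one 30 s later
]


def run_sample():
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['at']:.2f}s] {alert['kind']} address rewritten: "
              f"{alert['from']} -> {alert['to']}")
```

The time-gap rule is the heart of the detector; the 2-second threshold is a tunable assumption. The 30-second gap in the sample shows the false-positive case it is meant to avoid: a user legitimately copying two different addresses in a row.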
Targeted Applications and Data Sources
SnappyClient is designed to extract information from a wide range of applications, particularly web browsers and cryptocurrency tools.
Targeted web browsers include:
360 Browser, Brave, Chrome, CocCoc, Edge, Firefox, Opera, Slimjet, Vivaldi, and Waterfox
Targeted cryptocurrency wallets and tools include:
Coinbase, Metamask, Phantom, TronLink, TrustWallet
Atomic, BitcoinCore, Coinomi, Electrum, Exodus, LedgerLive, TrezorSuite, and Wasabi
This broad targeting significantly increases the potential for financial theft and credential compromise.
Deceptive Distribution Methods
SnappyClient is primarily spread through deceptive delivery techniques designed to trick users into executing malicious files. One common method involves fake websites that impersonate legitimate telecommunications companies. When visited, these sites silently download HijackLoader onto the victim’s device. If executed, the loader deploys SnappyClient.
Another common tactic leverages social media platforms such as X (formerly Twitter). Attackers post links or instructions that lure users into initiating downloads, sometimes using techniques like ClickFix, where a fake error message or verification prompt tells the user to paste and run a command themselves. These actions ultimately lead to the execution of HijackLoader and the installation of the malware.
The Risks and Impact of Infection
SnappyClient represents a serious cybersecurity threat due to its stealth, versatility, and extensive capabilities. Once deployed, it enables attackers to monitor user activity, steal sensitive information, manipulate system operations, and execute additional malicious payloads.
The consequences of such infections can be severe, including account hijacking, identity theft, financial losses, further malware infections, and long-term system compromise.