A new variant of the Snake Keylogger is intensifying its malicious activities, primarily targeting Windows users in countries including China, Turkey, Indonesia, Taiwan, and Spain. According to Fortinet FortiGuard Labs, this malware has been linked to over 280 million blocked infection attempts globally since the beginning of the year.

Snake Keylogger is often disseminated via phishing emails that contain harmful attachments or links. Its primary function is to steal sensitive information from commonly used web browsers like Chrome, Edge, and Firefox. This is achieved through keystroke logging, credential capture, and clipboard monitoring, as outlined by security researcher Kevin Su.

The malware can also exfiltrate the stolen data to an attacker-controlled server over channels such as the Simple Mail Transfer Protocol (SMTP) and Telegram bots, which gives the operators convenient access to the compromised credentials and other sensitive data.

Recent attacks deliver and execute the main payload through the AutoIt scripting language, packaging it so that it appears to be a benign executable. This complicates traditional, signature-based detection and makes the threat harder to dislodge from the host. Su described the dual challenge this poses: AutoIt both obfuscates the malware and lets it pass for legitimate automation software.

Once executed, Snake Keylogger installs itself under the file name “ageless.exe” in the “%Local_AppData%\supergroup” directory and places a Visual Basic Script (VBS) file named “ageless.vbs” in the Windows Startup folder. This setup ensures that the malware automatically activates whenever the system restarts, maintaining its persistence on the compromised device and continuing its destructive activities even after the initial process has been terminated.

The attack concludes with the injection of the main payload into legitimate .NET processes, using a technique known as process hollowing. This method allows the malware to blend into trusted processes like “regsvcs.exe,” thereby significantly reducing the chances of detection.

For keystroke capture, Snake Keylogger uses the SetWindowsHookEx API to monitor sensitive input such as banking credentials. Recent reports also note that the malware retrieves the victim's IP address and geolocation through services like checkip.dyndns[.]org.
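The persistence and exfiltration indicators described above (the dropped ageless.exe and ageless.vbs, the hollowed regsvcs.exe, and the IP-lookup request) can be turned into simple host-telemetry detections. The following is an added example, not code from the article or from FortiGuard; it assumes Sysmon-style events (EventID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect) rendered as Python dicts, that "%Local_AppData%" means %LOCALAPPDATA%, and that regsvcs.exe has no legitimate reason to contact an IP-lookup service:

```python
"""Detection rules for the Snake Keylogger indicators named in the article.
Added example, not the article's or FortiGuard's code. Events are constructed
Sysmon-style dicts; '%Local_AppData%' is assumed to mean %LOCALAPPDATA%."""
import re

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
SUPERGROUP_RE = re.compile(r"\\AppData\\Local\\supergroup\\[^\\]+\.exe$", re.I)
GEO_HOSTS = {"checkip.dyndns.org"}  # IP/geolocation lookup service named in the article
NET_PROCS = {"regsvcs.exe"}         # .NET host the payload is hollowed into (assumption: never needs GEO_HOSTS)

def match_event(ev):
    """Return the names of the rules this single event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    target = ev.get("TargetFilename", "")
    image = ev.get("Image", "")
    if eid == 11:  # FileCreate: the two dropped artifacts
        if STARTUP_RE.search(target):
            hits.append("vbs_dropped_in_startup_folder")
        if SUPERGROUP_RE.search(target):
            hits.append("exe_dropped_in_supergroup_dir")
    elif eid == 1 and SUPERGROUP_RE.search(image):  # ProcessCreate from the drop directory
        hits.append("exe_executed_from_supergroup_dir")
    elif eid == 3:  # NetworkConnect: a hollowed .NET host performing the victim IP lookup
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in NET_PROCS and ev.get("DestinationHostname", "").lower() in GEO_HOSTS:
            hits.append("dotnet_host_queries_ip_lookup_service")
    return hits

def scan(events):
    """Map RecordId -> rule hits for every event that triggers at least one rule."""
    findings = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings

SAMPLE_EVENTS = [  # constructed, mirroring the infection chain described in the article
    {"RecordId": 1, "EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Local\\supergroup\\ageless.exe"},
    {"RecordId": 2, "EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ageless.vbs"},
    {"RecordId": 3, "EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\supergroup\\ageless.exe"},
    {"RecordId": 4, "EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe", "DestinationHostname": "checkip.dyndns.org"},
    {"RecordId": 5, "EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "checkip.dyndns.org"},  # benign: a browser
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits)
```

The fifth sample event shows why the network rule is scoped to the .NET host: a browser visiting the same lookup service is not, by itself, suspicious.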

The latest variant of Snake Keylogger illustrates how persistent adversaries keep refining their tradecraft. Mapping the campaign to the MITRE ATT&CK framework makes the tactics involved explicit: initial access via phishing, persistence through the Startup-folder script, and process injection (process hollowing) that supports stealthy data exfiltration.

Meanwhile, other campaigns have been reported involving compromised educational institutions, distributing malicious LNK files masquerading as PDF documents to deploy the Lumma Stealer malware. Targeting diverse sectors such as finance, healthcare, and technology, these multi-stage sequences result in the theft of critical data, including passwords and cryptocurrency wallets.

As the cybersecurity landscape continues to evolve, understanding these threats becomes imperative for business owners. With the increase in sophisticated attacks like Snake Keylogger and the effective obfuscation techniques used, decision-makers must prioritize proactive measures to safeguard sensitive data and mitigate risks associated with cyber threats.
