New Snake Keylogger Variant Utilizes AutoIt Scripting for Enhanced Evasion Techniques

A new variant of the Snake Keylogger malware is actively targeting Windows users in China, Turkey, Indonesia, Taiwan, and Spain. According to Fortinet FortiGuard Labs, this version has been responsible for more than 280 million blocked infection attempts worldwide since the start of the year.

Delivery and Evasion Techniques

Attackers typically deliver the Snake Keylogger through phishing emails carrying malicious attachments or links. Once running, it harvests sensitive data from popular web browsers such as Chrome, Edge, and Firefox by logging keystrokes, extracting saved credentials, and monitoring clipboard activity. What sets the latest attacks apart is the use of the AutoIt scripting language to deliver and execute the main payload. Because the dropper is an AutoIt-compiled executable, signatures written for the original payload do not match the outer file, static analysis first has to recover the embedded script, and the binary resembles the many benign AutoIt automation tools found on ordinary workstations.

Persistence and Concealment

Once executed, the Snake Keylogger creates a copy of itself named “ageless.exe” in the “%Local_AppData%\supergroup” directory. It also drops a file called “ageless.vbs” in the Windows Startup folder, so the Visual Basic Script (VBS) runs at every logon and relaunches the copy, giving the malware persistent access to the compromised system. The attack sequence ends with the main payload being injected into a legitimate .NET process, such as “regsvcs.exe,” by process hollowing: the legitimate process is started, its original code is replaced in memory with the malicious payload, and it is resumed, so the malware runs under the name and signature of a trusted Windows binary.

Data Theft and Related Campaigns

Beyond keystrokes, the Snake Keylogger retrieves the victim’s public IP address and geolocation through services such as checkip.dyndns[.]org. To capture keystrokes it calls the SetWindowsHookEx API with the WH_KEYBOARD_LL hook type, installing a low-level keyboard hook that receives every keystroke system-wide regardless of which window has focus, including banking credentials. In a related development, CloudSEK reported a campaign that abuses compromised infrastructure belonging to educational institutions to distribute malicious LNK files disguised as PDF documents, which deploy the Lumma Stealer malware.
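The following host-triage script is an added example and is not code from Fortinet, CloudSEK, or the article. It checks a Windows host for the indicators described above: the dropped copy in the supergroup directory, the VBS launcher in the Startup folder, running regsvcs.exe instances (the reported hollowing target), and a cached DNS lookup for checkip.dyndns.org. The file and process names are the ones reported; treating any live regsvcs.exe as worth inspecting, and reporting its parent process, is a heuristic added here, since regsvcs.exe is normally only run briefly by installers.

```powershell
# Added triage example; indicators taken from the report, heuristics are assumptions.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped copy: %LOCALAPPDATA%\supergroup\ageless.exe
$copy = Join-Path $env:LOCALAPPDATA 'supergroup\ageless.exe'
if (Test-Path $copy) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
    $findings += "Dropped copy present: $copy (SHA256 $hash)"
}

# 2. Persistence: ageless.vbs in the per-user Startup folder.
#    Any other .vbs in Startup is listed too, since a renamed launcher is cheap.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.vbs' | ForEach-Object {
    $tag = if ($_.Name -ieq 'ageless.vbs') { 'KNOWN launcher' } else { 'unexpected .vbs' }
    $findings += "$tag in Startup: $($_.FullName)"
    $findings += '  contents: ' + (Get-Content -Path $_.FullName -Raw)
}

# 3. Hollowing target: regsvcs.exe should not be a long-lived process on a workstation.
#    Report each instance with its parent so the analyst can judge the launch chain.
Get-CimInstance -ClassName Win32_Process -Filter "Name='regsvcs.exe'" | ForEach-Object {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    $findings += "regsvcs.exe PID $($_.ProcessId) parent=$($parent.Name) cmd=$($_.CommandLine)"
}

# 4. Geolocation beacon: a cached resolution of checkip.dyndns.org is a cheap signal.
Get-DnsClientCache | Where-Object { $_.Entry -like '*checkip.dyndns.org*' } | ForEach-Object {
    $findings += "DNS cache: $($_.Entry) -> $($_.Data)"
}

if ($findings.Count -eq 0) {
    'No Snake Keylogger indicators found on this host.'
} else {
    $findings
}
```

Run it from an elevated PowerShell session so Win32_Process returns command lines for processes owned by other users. A hit on the Startup .vbs or the supergroup copy should be followed by collecting the file before removal, since an AutoIt-compiled dropper can usually be decompiled to recover the embedded script and the real payload.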

Sources

CloudSEK

CYFIRMA

FORTINET
