
The Snake Keylogger campaign has evolved with a new variant aimed at credentials stored by popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. The variant is delivered as a compiled AutoIt binary and hides its payload inside a legitimate .NET process through process hollowing while it logs keystrokes and harvests saved browser data.
Overview of the Snake Keylogger Campaign
Emergence and Tactics
- Target Audience: The campaign targets Windows users, with a concentration of victims in China, Turkey, Indonesia, Taiwan, and Spain. The geographical spread points to a broad, systematic campaign rather than a narrowly targeted one.
- Phishing Techniques: Attackers send phishing emails carrying a malicious attachment or a link to one. The messages are styled as routine communications from trusted senders so that the recipient opens the attachment and runs the payload.
Infection Chain
Initial Infection
- Malicious Attachments: The initial infection vector is a phishing email with a malicious attachment or link. The attachment is an AutoIt-compiled binary named “ageless.exe.” Compiling the dropper with AutoIt wraps the real payload inside the AutoIt interpreter runtime, so signatures written for the payload do not match the file on disk, and the binary resembles the many benign automation tools built the same way.
- AutoIt Scripting: The malicious script is stored as a resource inside the compiled executable and has to be extracted before it can be read, which slows static analysis. At runtime the interpreter behaves like an ordinary automation tool, so purely behaviour-based scoring that keys on the interpreter rather than on what it does is easily fooled.
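Static triage of an attachment for the dropper shape described above, written as an added example for this page (it is not code from the original report or from any vendor tool). It parses enough of the PE header to confirm the file is an executable, looks for the two markers that compiled AutoIt v3 binaries carry (the script-resource magic “AU3!EA06” and the stock string “This is a third-party compiled AutoIt script.”), and flags double extensions such as invoice.pdf.exe. The sample attachment bytes and file names are constructed here and are not real samples.

```python
"""Static triage of mail attachments: PE check, AutoIt markers, extension tricks.

Added example, not code from the original report. Sample inputs are constructed.
"""
import hashlib
import struct

# Markers present in executables produced by the AutoIt v3 compiler.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
PE_EXTS = (".exe", ".scr", ".dll", ".com", ".pif")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def autoit_markers(data: bytes) -> list:
    """Names of the compiled-AutoIt markers found anywhere in the file."""
    return [m.decode("ascii") for m in AUTOIT_MARKERS if m in data]


def has_double_extension(name: str) -> bool:
    """invoice.pdf.exe style: a document extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and ("." + parts[1]) in DOC_EXTS and ("." + parts[2]) in EXEC_EXTS


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a verdict ('block', 'review', 'allow') with the reasons behind it."""
    lower = name.lower()
    reasons = []
    pe = is_pe(data)
    if lower.endswith(EXEC_EXTS):
        reasons.append("executable extension")
    if has_double_extension(name):
        reasons.append("double extension")
    if pe:
        reasons.append("PE image")
    if pe and not lower.endswith(PE_EXTS):
        reasons.append("PE content under non-PE extension")
    markers = autoit_markers(data)
    if markers:
        reasons.append("compiled AutoIt: " + "; ".join(markers))
    if pe and markers:
        verdict = "block"      # an executable that is a compiled AutoIt script
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": verdict, "reasons": reasons}


def build_sample(with_autoit: bool) -> bytes:
    """Constructed stand-in for an attachment: DOS header, PE signature at
    e_lfanew, then filler. It is not a runnable PE and contains no real code."""
    e_lfanew = 0x80
    header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    header += b"\x00" * (e_lfanew - len(header))
    body = b"PE\x00\x00" + b"\x00" * 64
    if with_autoit:
        body += b"AU3!EA06" + b"\x00" * 8 + b"This is a third-party compiled AutoIt script."
    return header + body


if __name__ == "__main__":
    for name, data in [("ageless.exe", build_sample(True)),
                       ("invoice.pdf.exe", build_sample(False)),
                       ("quote.pdf", build_sample(True)),
                       ("report.pdf", b"%PDF-1.7\n%constructed sample\n")]:
        print(triage_attachment(name, data))
```

The marker scan is deliberately crude (a plain substring search over the whole file), which is what you want at the mail gateway: it costs nothing and catches the common case. It will not catch a dropper whose compiled script has been re-packed, so treat “allow” as “nothing obvious” rather than “clean.”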
Persistence Mechanism
- VBScript for Persistence: Once executed, Snake Keylogger drops a file named “ageless.vbs” in the user's Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). The script relaunches the malware at every logon, and because the per-user Startup folder is writable without administrative rights, no privilege escalation is needed.
- Process Hollowing: The malware injects its main payload into a legitimate .NET framework utility, “regsvcs.exe,” using process hollowing: it starts regsvcs.exe in a suspended state, replaces the in-memory image with the payload, points the main thread at the new entry point, and resumes the thread. To the operating system, and to any tool that trusts the image path and signature, the result looks like a running instance of a signed Microsoft binary. The tells are in the ancestry and the arguments: a legitimate regsvcs.exe is launched by an installer with an assembly path on its command line, not by an executable in a Downloads folder with no arguments.
Keylogger Functionality
Keystroke Logging
- SetWindowsHookEx API: Snake Keylogger installs a low-level keyboard hook by calling SetWindowsHookEx with the WH_KEYBOARD_LL hook type (a hook identifier, not a flag). The hook receives every keystroke system-wide before the foreground application does, so the malware logs banking credentials, passwords, and anything else typed, regardless of which program has focus.
- Clipboard Monitoring: The malware also polls the clipboard and records whatever is copied. Pasted passwords from a password manager, card numbers, and one-time codes are captured this way even though they are never typed.
Browser-Specific Targeting
Data Extraction from Browsers
- Saved Passwords and Autofill Data: Snake Keylogger reads the browsers' credential and autofill stores, including saved credit card details. Chromium-based browsers such as Chrome and Edge keep these in SQLite databases (for example “Login Data” and “Web Data”) with the secrets encrypted under a key that is itself protected by DPAPI in the “Local State” file; Firefox keeps logins in logins.json with the key in key4.db. Because the malware runs as the logged-in user, it can unwrap those keys the same way the browser does, so the at-rest encryption does not protect against a stealer running in the user's session.
- Browser-Specific Attacks: The stealer module also collects browsing history and cookies from the same profile directories. A stolen session cookie lets an attacker reuse an authenticated session without the password or a second factor, which is why cookie theft matters even where passwords are not saved.
Data Exfiltration
Exfiltration Channels
- SMTP and Telegram Bots: Stolen data is sent either by SMTP to an attacker-controlled mailbox or through the Telegram Bot API. Both blend into ordinary traffic: outbound mail on port 587 and HTTPS to api.telegram.org rarely stand out on their own, so the useful signal is which process is making the connection.
- Geolocation: Before exfiltrating, the malware queries checkip.dyndns.org to learn the victim's public IP address, from which the attacker derives the country and tags the victim. A DNS query or HTTP request for this domain from a process such as regsvcs.exe is itself a strong detection signal, since the domain has no business being contacted by a .NET framework utility.
Indicators of Compromise (IoCs)
- Suspicious Email Attachments: Watch for executable attachments named “ageless.exe” or similar. File names are trivial to change, so treat the name as a weak indicator and block executable attachments as a class.
- Unusual Network Traffic: Outbound SMTP (ports 25, 465, or 587) or connections to api.telegram.org originating from processes that are not mail or messaging clients, and any lookup of checkip.dyndns.org, may indicate exfiltration or reconnaissance.
- Executable Presence: The presence of “ageless.exe” on disk, an “ageless.vbs” in a user's Startup folder, or a regsvcs.exe process whose parent is an executable in a user-writable path rather than an installer, is indicative of the malware and should be investigated.
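The infection chain, the exfiltration channels, and the indicators listed above all surface in endpoint telemetry, so here is an added example (not code from the original report) that correlates Sysmon-style events into a single alert per host. The event records are constructed to mirror the behaviour described on this page: an Office process launching an executable from Downloads, a .vbs dropped into the Startup folder, regsvcs.exe spawned by that executable with no arguments, a DNS query for checkip.dyndns.org, and outbound SMTP from regsvcs.exe. Field names follow Sysmon's (EventID 1, 3, 11 and 22; Image, ParentImage, CommandLine, TargetFilename, QueryName, DestinationPort); the host names, user name, IP addresses (from the 203.0.113.0/24 documentation range) and timestamps are made up.

```python
"""Correlate Sysmon-style events into a Snake Keylogger-shaped alert per host.

Added example, not code from the original report. EVENTS is constructed data.
"""
import json
import re
from collections import defaultdict

STARTUP_VBS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)
# .NET framework utilities that are routinely hollowed; legitimate runs have an assembly argument.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
RECON_OR_EXFIL_DOMAINS = {"checkip.dyndns.org", "api.telegram.org"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry (JSON lines). Not real log data.
EVENTS = r"""
{"EventID":1,"UtcTime":"2025-02-03 09:14:02","Computer":"WS-FINANCE-07","Image":"C:\\Users\\amy\\Downloads\\ageless.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","CommandLine":"\"C:\\Users\\amy\\Downloads\\ageless.exe\""}
{"EventID":11,"UtcTime":"2025-02-03 09:14:03","Computer":"WS-FINANCE-07","Image":"C:\\Users\\amy\\Downloads\\ageless.exe","TargetFilename":"C:\\Users\\amy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ageless.vbs"}
{"EventID":1,"UtcTime":"2025-02-03 09:14:04","Computer":"WS-FINANCE-07","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","ParentImage":"C:\\Users\\amy\\Downloads\\ageless.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""}
{"EventID":22,"UtcTime":"2025-02-03 09:14:10","Computer":"WS-FINANCE-07","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","QueryName":"checkip.dyndns.org"}
{"EventID":3,"UtcTime":"2025-02-03 09:14:12","Computer":"WS-FINANCE-07","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","DestinationIp":"203.0.113.25","DestinationPort":587}
{"EventID":22,"UtcTime":"2025-02-03 09:15:00","Computer":"WS-HR-02","Image":"C:\\Windows\\System32\\svchost.exe","QueryName":"ctldl.windowsupdate.com"}
{"EventID":3,"UtcTime":"2025-02-03 09:15:03","Computer":"WS-HR-02","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationIp":"203.0.113.80","DestinationPort":587}
{"EventID":1,"UtcTime":"2025-02-03 09:15:09","Computer":"WS-HR-02","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"RegSvcs.exe \"C:\\Program Files\\Vendor\\Vendor.Component.dll\""}
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return (rule_name, detail) if this single event is suspicious, else None."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    if eid == 1 and basename(parent) in OFFICE and USER_WRITABLE.search(image):
        return ("office_spawned_user_exe", f"{parent} -> {image}")
    if eid == 1 and basename(image) in DOTNET_HOSTS:
        no_args = len(ev.get("CommandLine", "").strip().strip('"').split('" ')) == 1 \
            and ev.get("CommandLine", "").strip().strip('"').lower().endswith(basename(image))
        if USER_WRITABLE.search(parent) or no_args:
            return ("dotnet_host_from_user_path", f"{parent} -> {image}")
    if eid == 11 and STARTUP_VBS.search(ev.get("TargetFilename", "")):
        return ("startup_vbs", ev["TargetFilename"])
    if eid == 22 and ev.get("QueryName", "").lower() in RECON_OR_EXFIL_DOMAINS:
        return ("recon_or_exfil_dns", ev["QueryName"])
    if eid == 3 and ev.get("DestinationPort") in SMTP_PORTS and basename(image) in DOTNET_HOSTS:
        return ("smtp_from_dotnet_host", f"{image} -> {ev['DestinationIp']}:{ev['DestinationPort']}")
    return None


def correlate(lines) -> dict:
    """Group rule hits per host; escalate when two or more distinct rules fire."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = check_event(ev)
        if hit:
            hits[ev["Computer"]].append((ev["UtcTime"],) + hit)
    alerts = {}
    for host, host_hits in hits.items():
        rules = sorted({rule for _, rule, _ in host_hits})
        alerts[host] = {"severity": "high" if len(rules) >= 2 else "low",
                        "rules": rules, "hits": sorted(host_hits)}
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(EVENTS.splitlines()).items():
        print(host, alert["severity"], alert["rules"])
        for when, rule, detail in alert["hits"]:
            print("   ", when, rule, detail)
```

Each rule is weak on its own (an installer run from Downloads will also spawn regsvcs.exe from a user-writable path), which is why the alert is raised per host and escalated only when independent stages of the chain line up. The benign events on WS-HR-02 (a Windows Update lookup, Outlook sending mail on 587, msiexec registering a component with an assembly argument) do not fire any rule.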
Mitigation Measures
Immediate Actions
- Educate Users: Run regular awareness training so that users recognise unexpected attachments and sender impersonation, and know how to report a suspicious email rather than open it.
- Email Filtering: Block executable attachments (including AutoIt-compiled .exe files and scripts) at the mail gateway, and sandbox archives and documents that could carry them.
- Antivirus and Endpoint Protection: Keep endpoint protection current and confirm that it inspects compiled AutoIt binaries and detects process hollowing, not only known file hashes.
Long-Term Strategies
- Regular Security Audits: Conduct regular security audits and vulnerability assessments to find and fix weaknesses in the environment before an attacker does.
- Network Segmentation: Segment the network so that a compromised workstation cannot reach critical systems directly, and restrict outbound SMTP from workstations to the organisation's mail relay so that a stealer cannot mail data out on its own.
- Behavioral Analysis: Deploy EDR that records process ancestry, suspended-process creation and cross-process memory writes, which is how process hollowing shows up, together with DNS and outbound-connection logging that ties traffic back to the originating process.
- Incident Response Planning: Maintain an incident response plan that covers credential theft specifically: when a keylogger is found, every password typed or saved on that machine, and every active browser session, must be treated as compromised and reset. Test and update the plan regularly.
Final Thoughts
The latest Snake Keylogger campaign shows how a well-known stealer keeps working by changing its wrapper rather than its core: AutoIt compilation for delivery, a Startup-folder script for persistence, and process hollowing into regsvcs.exe to hide the keylogger that captures typed and saved credentials and exfiltrates them over SMTP or Telegram. Individuals and organizations should combine attachment filtering with endpoint telemetry that can see process ancestry and outbound connections, since none of the individual stages is hard to spot once the right data is collected.