Researchers have identified a sophisticated phishing campaign using a .NET-based Snake Keylogger variant. This attack uses weaponized Excel files to compromise Windows systems, posing serious risks to data security.
Snake Keylogger
Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is a .NET-based malware designed to steal sensitive data like credentials, clipboard content, and device info. It also logs keystrokes and captures screenshots, making it a powerful tool for cybercriminals.
Fortinet’s FortiGuard Labs revealed that the attack starts with a phishing email, luring recipients to open an attached Excel file titled “swift copy.xls.” The email falsely claims funds have been transferred to the recipient’s account. Despite a “[virus detected]” warning in the subject line from FortiGuard, some users may still be deceived.
The Malicious Excel Document
When the Excel file is opened, hidden malicious code runs in the background. It exploits the CVE-2017-0199 vulnerability using an embedded link to download more malware. This process occurs covertly, with Excel silently accessing a URL that triggers further downloads.
The attack proceeds by downloading an HTA file, which is run by the Windows application host (mshta.exe). This file contains obfuscated JavaScript that, when decoded, reveals VBScript and PowerShell scripts. These scripts then download and execute the Snake Keylogger’s loader module, a key part of the attack.
The Loader Module
The Loader module, built with the .NET Framework, uses multi-layered protection techniques like transformation and encryption to evade detection. It decrypts and extracts components needed to deploy the core Snake Keylogger module.
Deploy Module and Persistence
The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence by renaming and hiding the Loader file, creating a startup task, and using process hollowing to inject malicious code into a new process.
The Snake Keylogger attack underscores the need for strong cybersecurity as cybercriminals evolve their tactics.
Users and organizations should use up-to-date antivirus software, be cautious with email attachments, and prioritize awareness and education to protect sensitive data.
The .NET-based Snake Keylogger attack via Excel documents poses a serious threat to Windows users. Understanding the attack and using proactive security measures can help individuals and organizations stay protected.
IOCs
hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe
Relevant Sample SHA-256
[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7
[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9
[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723
[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment