SnakeKeylogger malware operators target data in a new campaign

May 12, 2025
Snake Keylogger Malware Infostealer

A newly discovered malicious campaign is using SnakeKeylogger as information-stealing malware. This tool is notorious for its inventive techniques and its ability to evade detection.

Moreover, the research into this campaign highlights the malware's multi-stage infection chain and covert in-memory execution, both intended to harvest sensitive data from unsuspecting victims.

The researchers also noted that the campaign's infection vector is equally deceptive and effective. Victims receive spam emails carrying .img attachments which, when opened, mount a virtual disk.

The initial program on that disk serves as both a downloader and a loader. Upon execution, it connects to a remote Apache server and retrieves what looks to be a media file. The file is typically presented as an .mp3, but behind that name is the hostile payload.

Rather than a media stream, the malware obtains an encoded payload that is dynamically decoded in memory.

Using a simple decoding routine that subtracts three from each byte, the downloader reconstructs a secondary payload: a heavily obfuscated .NET DLL. This DLL is then injected into legitimate system processes using process hollowing.
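As an added triage example (not code from the campaign or from the researchers), the following script undoes the subtract-three byte encoding described above and checks whether the result carries a PE header, which is how an analyst would confirm that the fetched "media file" is really the second-stage DLL. The sample blob it decodes is constructed here for illustration.

```python
"""Decode SnakeKeylogger-style subtract-three payloads and check for a PE header.
Added triage helper; not the campaign's or any vendor's code."""
import struct


def decode_subtract_three(blob: bytes) -> bytes:
    # Each byte of the fetched blob is the payload byte plus three; undo it
    # modulo 256 so values that wrapped around during encoding are recovered.
    return bytes((b - 3) & 0xFF for b in blob)


def looks_like_pe(data: bytes) -> bool:
    # A Windows executable starts with "MZ" and stores the offset of the
    # "PE\0\0" signature in the DWORD at 0x3C (e_lfanew).
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(blob: bytes) -> dict:
    # Report whether the blob is a PE as-is or only after decoding; the
    # campaign's "mp3" should be a PE only after the subtract-three step.
    decoded = decode_subtract_three(blob)
    return {
        "raw_is_pe": looks_like_pe(blob),
        "decoded_is_pe": looks_like_pe(decoded),
        "decoded": decoded,
    }


def build_sample_stub() -> bytes:
    # Constructed stand-in for a PE: MZ header, e_lfanew = 0x40, "PE\0\0" at 0x40.
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def encode_add_three(data: bytes) -> bytes:
    # Inverse transform, used only to build the constructed sample blob.
    return bytes((b + 3) & 0xFF for b in data)


if __name__ == "__main__":
    fetched = encode_add_three(build_sample_stub())  # constructed "media file"
    result = triage(fetched)
    print(f"raw PE: {result['raw_is_pe']}, decoded PE: {result['decoded_is_pe']}")
```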


SnakeKeylogger injects its venom after a successful intrusion.


Once injected, SnakeKeylogger activates its core capabilities, among them the theft of credentials and system information.

Malware developers have also designed this tool to extract Wi-Fi configuration data, browser credentials, email account settings, and other information.

Furthermore, it targets a wide range of applications and browsers, including Chrome, Edge, Firefox, Brave, Opera, and even niche browsers such as Citrio, Torch, and Kinza.

The researchers also suspect that the campaign is an extension of a larger Malware-as-a-Service (MaaS) operation. The Apache server at 103.72.56.30 hosts a directory that the attackers continually update with new payloads.

This technique extends the malware's lifespan and adaptability, allowing attackers to evolve faster than defenders can respond.

SnakeKeylogger is more than just another data theft tool: it is a modular and evasive tool that is actively maintained and adapts to modern security measures. This campaign emphasises the growing sophistication of malware propagation tactics and the importance of multi-layered defensive strategies.
