Researchers at Fortinet's FortiGuard Labs have uncovered a newly evolved variant of the Snake Keylogger, a type of malicious software notorious for capturing and recording everything a user types. Keyloggers are often used by cybercriminals to steal personal information, such as passwords, credit card numbers, and other sensitive data. This new variant of Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is being distributed through phishing campaigns and has been upgraded to exploit specific vulnerabilities, making it even more dangerous.
The attack is initiated by a deceptive phishing email that pretends to be a notification about a financial transaction. FortiGuard Labs’ security systems identified the email, which was flagged with the subject line “[virus detected],” and it contains an attached Excel file named “swift copy.xls.” Although the file may appear harmless, opening it sets off a chain reaction that ultimately leads to the installation of the Snake Keylogger on the recipient's computer.
The Excel file attached to the phishing email is no ordinary spreadsheet—it has been specially crafted to take advantage of a known security vulnerability, CVE-2017-0199. This vulnerability allows attackers to execute code remotely by embedding a malicious link within the file. When the victim opens the document, this hidden link discreetly connects to a remote server, which then delivers a secondary malicious file in the form of an HTA (HTML Application) file. This file, containing obfuscated JavaScript, is executed automatically by the Windows operating system, setting the stage for further malicious actions.
The HTA file is programmed to run a VBScript that initiates the download and execution of a final payload—a malicious executable named “sahost.exe”—from a remote server. This payload, known as the Loader module, is designed with multiple layers of encryption and obfuscation, making it difficult for antivirus software to detect or analyse. Once executed, the Loader module unpacks additional encrypted components, including the main module of the Snake Keylogger, which is hidden within an encrypted Bitmap resource.
The Loader module not only delivers the Snake Keylogger but also ensures that it remains undetected and continues operating on the infected system. It accomplishes this by decrypting and loading several key components into the computer's memory, where they can execute without being noticed. Among these components is a critical module called “Tyrone.dll,” which plays a crucial role in the keylogger’s ability to persist on the victim's system. This persistence is maintained through a scheduled task that launches the keylogger whenever the computer is started.
Once installed, the Snake Keylogger operates stealthily, capturing everything the user types and taking screenshots of their activities. It targets a wide range of applications, including web browsers, email clients, and messaging software, and is capable of extracting saved credentials and other sensitive information from these programs. To avoid detection, the keylogger uses a technique called process hollowing, which involves injecting malicious code into a legitimate process, allowing it to operate without raising alarms.
One of the most concerning features of this keylogger is its ability to send the stolen data directly to the attacker via email. The keylogger uses SMTP to transmit the victim’s credentials and other sensitive information in real-time, enabling the attacker to quickly exploit the data or commit financial theft. Additionally, FortiGuard Labs discovered that this variant of Snake Keylogger employs sophisticated anti-analysis techniques. For example, it can detect if it is being run in a security research environment, in which case it refrains from sending the stolen data, making it harder for researchers to analyse the malware.
To protect against these types of threats, FortiGuard Labs advises caution when it comes to emails from unknown sources, especially those with attachments. It's imperative to keep all software up-to-date and utilise robust security solutions to prevent such attacks. By staying informed and vigilant, individuals and organizations can better protect themselves from this and other emerging cyber threats.
