New Version of Snake Keylogger Targets Victims Through Phishing Emails


Researchers at Fortinet's FortiGuard Labs have uncovered a newly evolved variant of the Snake Keylogger, a type of malicious software notorious for capturing and recording everything a user types. Keyloggers are often used by cybercriminals to steal personal information, such as passwords, credit card numbers, and other sensitive data. This new variant of Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is being distributed through phishing campaigns and has been upgraded to exploit specific vulnerabilities, making it even more dangerous.

The attack is initiated by a deceptive phishing email that pretends to be a notification about a financial transaction. FortiGuard Labs’ security systems identified the email, which was flagged with the subject line “[virus detected],” and it contains an attached Excel file named “swift copy.xls.” Although the file may appear harmless, opening it sets off a chain reaction that ultimately leads to the installation of the Snake Keylogger on the recipient's computer.

The Excel file attached to the phishing email is no ordinary spreadsheet—it has been specially crafted to take advantage of a known security vulnerability, CVE-2017-0199. This vulnerability allows attackers to execute code remotely by embedding a malicious link within the file. When the victim opens the document, this hidden link discreetly connects to a remote server, which then delivers a secondary malicious file in the form of an HTA (HTML Application) file. This file, containing obfuscated JavaScript, is executed automatically by the Windows operating system, setting the stage for further malicious actions.

The HTA file is programmed to run a VBScript that initiates the download and execution of a final payload—a malicious executable named “sahost.exe”—from a remote server. This payload, known as the Loader module, is designed with multiple layers of encryption and obfuscation, making it difficult for antivirus software to detect or analyse. Once executed, the Loader module unpacks additional encrypted components, including the main module of the Snake Keylogger, which is hidden within an encrypted Bitmap resource.

The Loader module not only delivers the Snake Keylogger but also ensures that it remains undetected and continues operating on the infected system. It accomplishes this by decrypting and loading several key components into the computer's memory, where they can execute without being noticed. Among these components is a critical module called “Tyrone.dll,” which plays a crucial role in the keylogger’s ability to persist on the victim's system. This persistence is maintained through a scheduled task that launches the keylogger whenever the computer is started.

Once installed, the Snake Keylogger operates stealthily, capturing everything the user types and taking screenshots of their activities. It targets a wide range of applications, including web browsers, email clients, and messaging software, and is capable of extracting saved credentials and other sensitive information from these programs. To avoid detection, the keylogger uses a technique called process hollowing, which involves injecting malicious code into a legitimate process, allowing it to operate without raising alarms.

One of the most concerning features of this keylogger is its ability to send the stolen data directly to the attacker via email. The keylogger uses SMTP to transmit the victim’s credentials and other sensitive information in real-time, enabling the attacker to quickly exploit the data or commit financial theft. Additionally, FortiGuard Labs discovered that this variant of Snake Keylogger employs sophisticated anti-analysis techniques. For example, it can detect if it is being run in a security research environment, in which case it refrains from sending the stolen data, making it harder for researchers to analyse the malware.
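Detection logic for the chain described above, added here as an example and not taken from FortiGuard Labs' report: it flags an Office application spawning mshta.exe (the Windows host that runs HTA files), anything launched beneath that process, and SMTP connections from processes that are not mail clients. The events, their simplified Sysmon-style fields, the path given to sahost.exe and the mail-client allow-list are all assumptions made for the example.

```python
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: local allow-list
SMTP_PORTS = {25, 465, 587}

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
PAYLOAD = r"C:\Users\Public\sahost.exe"  # constructed path; only the file name is from the article

# Constructed events: id 1 = process create, id 3 = network connection.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 210, "ppid": 100, "image": EXCEL},
    {"id": 1, "pid": 320, "ppid": 210, "image": r"C:\Windows\System32\mshta.exe"},
    {"id": 1, "pid": 430, "ppid": 320, "image": PAYLOAD},
    {"id": 3, "pid": 430, "image": PAYLOAD, "dport": 587},
    {"id": 1, "pid": 500, "ppid": 100, "image": OUTLOOK},
    {"id": 3, "pid": 500, "image": OUTLOOK, "dport": 587},
]


def detect(events):
    """Return (rule, pid) alerts. Events must be in time order; PID reuse is ignored."""
    procs = {}       # pid -> lower-cased image name
    tainted = set()  # pids at or below an Office -> mshta.exe edge
    alerts = []
    for ev in events:
        img = basename(ev["image"]).lower()
        if ev["id"] == 1:
            parent = procs.get(ev["ppid"], "")
            procs[ev["pid"]] = img
            if img == "mshta.exe" and parent in OFFICE:
                tainted.add(ev["pid"])
                alerts.append(("office_spawned_mshta", ev["pid"]))
            elif ev["ppid"] in tainted:
                # Covers the downloaded payload and anything it starts.
                tainted.add(ev["pid"])
                alerts.append(("descendant_of_office_mshta", ev["pid"]))
        elif ev["id"] == 3:
            # Lineage-independent, so it still fires if the sender is a
            # hollowed legitimate process rather than the payload itself.
            if ev["dport"] in SMTP_PORTS and img not in MAIL_CLIENTS:
                alerts.append(("smtp_from_non_mail_process", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"ALERT {rule} pid={pid}")
```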

To protect against these types of threats, FortiGuard Labs advises caution when it comes to emails from unknown sources, especially those with attachments. It's imperative to keep all software up-to-date and utilise robust security solutions to prevent such attacks. By staying informed and vigilant, individuals and organizations can better protect themselves from this and other emerging cyber threats.




Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technology, the crime that exploits it is also growing in scale. Data breaches are among the most talked-about and damaging cybercrimes.

In today’s world, a cybercriminal can steal data and money with the help of many kinds of malware, including keyloggers.

Snake Keylogger is a well-known example of this kind of malware. However, where did Snake Keylogger originate from, how did it operate, and how could you get rid of it? Here is all you need to know about Snake Keylogger. 

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

A keylogger is a malicious program that logs keystrokes. If your device is infected, the keylogger will record anything you input on the keyboard, including passwords, text messages, payment information, and just about anything else. Snake Keylogger itself is a modular malware program built on the .NET developer platform.

Through this logging, the operator controlling the program can see what a user types into their device and can even take screenshots, giving them the opportunity to steal a large amount of data.

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, a dangerous product that may be purchased on malicious markets like hacking forums, poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns, targeting victims with malicious mail. However, it can also be transmitted via spear phishing, where specific victims are targeted for specific goals. When Snake Keylogger is sent to a potential victim, it is enclosed in an attachment.

Once the email is received, the user is asked to open a DOCX file. This file may contain a macro (a computer virus) that permits the launch of Snake Keylogger. If the recipient has a version of Microsoft Office with security vulnerabilities, the malware tends to exploit them and infect the device. The same can apply to PDF readers.

The malware can access the recorded data and transfer it to the attacker, who can exploit it further. The attacker can either exploit the data directly (by hacking bank accounts with stolen credentials) or sell the information to other threat actors in illicit marketplaces on the dark web.

Another reason Snake Keylogger poses a threat is its ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, antivirus is a device's only source of protection, so if Snake Keylogger succeeds in evading it with no other protection in place, the targeted device could easily and quickly be infected and exploited.

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is by installing antivirus software on their devices. While Snake Keylogger can sometimes avoid detection by antivirus software, it is crucial to have a reliable and efficient antivirus provider installed on your devices in order to identify keyloggers and other types of malware. 
  • Additionally, one must always exercise caution when opening any email attachments, particularly those from unknown or dubious senders. The distribution of malware via attachments is fairly prevalent, and Snake Keylogger is only one of many examples. Consider passing an email attachment via an attachment scanner to identify any potential risks if you ever receive one from a sender you do not fully trust. 
  • To avoid fraudulent emails, one should make sure to enable their email provider’s spam filter. This way, the suspicious emails will be sent to a separate folder, rather than the main inbox. 
  • Moreover, one must frequently update the operating system as well as the installed apps. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates will iron out these flaws, meaning cybercriminals can no longer abuse the software.

Snake Keylogger is Back, Targets IT Corporates


Snake Keylogger tracks keystrokes 

Snake Keylogger is back with a brand new malspam campaign, distributed through phishing emails sent to managers at corporate firms. Bitdefender Antispam Labs found the campaign on 23 August 2022.

A keylogger is a kind of malicious software that keeps a record of your keystrokes and forwards them to hackers.

Keyloggers can be deployed on your system without you knowing, generally through a malicious website or email attachment.

In a few cases, hackers may use a physical keylogger on your computer, such as a malicious USB drive or a customised phone charging cable.

Campaign Details

According to the Bitdefender experts, the IP addresses used in the attack came from Vietnam, while the campaign's main targets were in the USA, and over 1000 inboxes received the phishing emails.

Threat actors leverage the corporate profile of one of Qatar's leading IT and cloud services providers to lure victims into opening a ZIP archive. The archive includes an executable file named “CPMPANY PROFILE.exe.”

According to the Bitdefender blog post, the file installs the malicious Snake Keylogger payload on the victim's system. The data is exfiltrated through SMTP.

About Snake Keylogger

It is an infamous information and credential stealing malware that takes sensitive information from a victim's device. It has keyboard logging and screenshot capturing capabilities. It is a major threat to organizations due to its surveillance and data stealing capabilities.

Besides this, it can steal info from system keyboards. It is also known as 404 Keylogger. The malware came out in 2020 and can be found on underground forums and message boards for a hundred dollars. It is generally used in financially motivated campaigns, including fraud-based campaigns and identity theft.

How to stay safe?

A Keylogger tracks every keystroke a user makes, allowing hackers to get your passwords, personal information, and financial data. However, you can follow some steps to stay safe. 

According to Bitdefender:

Always verify the origin and validity of correspondence before interacting with links or attachments, and deploy security solutions. Ensure that accounts are protected via two-factor (2FA) or multi-factor (MFA) authentication processes that will prevent cybercriminals from logging into accounts should your system get compromised, and install a security solution on their devices.





PDF Smuggles Microsoft Word Doc to Deliver Snake Keylogger Malware

 

Threat researchers have found a new malware distribution campaign that uses PDF attachments to transport infected Word documents into users' computers. Most phishing emails today include DOCX or XLS attachments loaded with malware-loading macro code, thus the use of PDFs is unusual. Threat actors are switching to different methods to install harmful macros and escape identification as users grow more aware of opening fraudulent Microsoft Office attachments. 

In a new report by HP Wolf Security, researchers show how PDFs are being exploited as a transport for documents containing malicious macros that download and install information-stealing malware on victims' devices. The PDF arriving through email in a campaign seen by HP Wolf Security is called "Remittance Invoice," and the guess is that the email body contains vague assurances of payment to the recipient. 

When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained therein, which is unusual and may confuse the victim. Because the threat actors named the embedded document "has been verified," the Open File prompt reads "The file 'has been verified'." This message may lead recipients to believe that Adobe has authenticated the file and that it is safe to open. While malware investigators can use parsers and scripts to investigate embedded files in PDFs, most average users wouldn't go that far or even know where to begin.

As a result, many people will open the DOCX in Microsoft Word, which, if macros are allowed, will download and open an RTF (rich text format) file from a remote location. The download command is embedded in the Word file along with the hardcoded URL "vtaurl[.]com/IHytw," where the payload is hosted.
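The kind of script an investigator might use to check a PDF for embedded files, added here as an example and not taken from HP Wolf Security's report: it counts the PDF name tokens relevant to this delivery method, undoes `#xx` name obfuscation first, and lists embedded file names. The sample bytes are constructed, and the choice of which tokens count as an automatic action is an assumption of the example.

```python
import re

# PDF name tokens relevant to an attachment that opens when the PDF is viewed.
KEYS = (b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/Launch",
        b"/JavaScript", b"/ObjStm")

# Constructed sample: a PDF skeleton carrying one attachment named as in the
# article, with one name token obfuscated as /Embedded#46ile.
SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 5 0 R >> endobj
3 0 obj << /Type /Filespec /F (has been verified) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /Embedded#46ile /Length 0 >> stream
endstream endobj
%%EOF"""


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so /Embedded#46ile is seen as /EmbeddedFile.

    Applied to the whole file for triage; a full parser would decode only
    inside name objects.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage(data: bytes) -> dict:
    data = decode_names(data)
    counts = {}
    for key in KEYS:
        # The lookahead keeps /EmbeddedFiles (the name tree) from counting as
        # /EmbeddedFile (an actual attachment stream).
        pattern = re.escape(key) + rb"(?![A-Za-z0-9])"
        counts[key.decode()] = len(re.findall(pattern, data))
    # File specification names: /F (name) or /UF (name).
    names = [n.decode("latin-1")
             for n in re.findall(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)", data)]
    auto = counts["/OpenAction"] + counts["/Launch"] + counts["/JavaScript"]
    # Tokens inside compressed object streams are invisible to this scan, so
    # a non-zero /ObjStm count means the file needs a real parser.
    return {"counts": counts, "embedded_names": names,
            "review": counts["/EmbeddedFile"] > 0 and auto > 0}


if __name__ == "__main__":
    print(triage(SAMPLE))
```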

Attacking old RCE

The RTF file is called "f_document_shp.doc" and contains faulty OLE objects that are likely to elude detection. HP's experts discovered that it attempts to exploit an outdated Microsoft Equation Editor vulnerability to execute arbitrary code. The shellcode used in the attack targets CVE-2017-11882, a remote code execution flaw in Equation Editor that was addressed in November 2017 but is still exploitable in the wild. 

When the flaw was revealed, hackers were quick to notice it, and the sluggish patching that followed led to it becoming one of the most abused vulnerabilities in 2018. The RTF shellcode downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defence evasion, credential access, data harvesting, and data exfiltration capabilities, by exploiting CVE-2017-11882.

Snake Keylogger: Enters Top 10 List for the Most Prominent Malwares

 

Check Point Research reveals that for three straight months Trickbot has been by far the most common malware, while, for the very first time, Snake Keylogger is the second most prevalent.

Snake Keylogger, first spotted in November 2020, is a modular .NET keylogger and credential stealer. It has advanced to the position of second-most frequent malware variant in the world and has become increasingly popular in recent weeks, according to Check Point’s Global Threat Index for July 2021.

The main function of the malware is to capture users' keystrokes on computers or mobile devices and then pass the collected information to the cyber thieves and hackers operating it.

Infections with Snake Keylogger are a huge threat to any user's data privacy and internet security because the spyware can steal nearly everything. It is also usually considered an especially deceptive and persistent keylogger. After a spate of effective phishing attacks, Snake Keylogger has become extremely prevalent. The malware is currently purchasable at a variety of underground sites, where buyers can get it for only $25.

Check Point researchers have shown that Snake Keylogger attacks are typically very efficient because of the human tendency to use the same password and username on many accounts. As a result, once one login credential is compromised, malicious hackers get access to all accounts using the same password.

Maya Horowitz, VP of Check Point Research, recommended that users employ a "unique option" for each of their many profiles to stop such cyberattacks. “When it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services,” she further explained. 

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” Horowitz added. Horowitz also strongly encourages staying vigilant whenever visiting the web or checking emails.

As 'Keyloggers' are frequently spread through phishing emails, users must be aware of subtle anomalies, such as errors in URLs and email addresses. They must avoid clicking on malicious links or downloading any unusual attachments. 

Check Point Research also identified some of the world's leading malware families and provided information on rising mobile malware activity. It affirms that Trickbot is the world's most popular malware, with an impact of 4%, trailed by Snake Keylogger and XMRig, each with a worldwide impact of 3%. Trickbot is an ongoing modular botnet and banking Trojan with new functions, features, and vectors for propagation. Meanwhile, XMRig, which was first seen in the wild in May 2017, is an open-source CPU mining program that is used for Monero cryptocurrency mining.

Throughout the month of July, xHelper was recognized as one of the most widespread mobile viruses in the world, followed by AlienBot and Hiddad. Studies indicate that xHelper has been around since March 2019. Hiddad, meanwhile, is an Android trojan that repackages legitimate programs and delivers them to a third-party store. The primary purpose of the malware is to show advertisements.