A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.
Fortinet FortiGuard Labs said the new version of the malware has been behind over 280 million blocked infection attempts worldwide since the start of the year.
“Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard,” security researcher Kevin Su said.
Its other features allow it to exfiltrate the stolen information to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP) and Telegram bots, allowing the threat actors to access stolen credentials and other sensitive data.”
What’s notable about the latest set of attacks is that it makes use of the AutoIt scripting language to deliver and execute the main payload. In other words, the executable containing the malware is an AutoIt-compiled binary, thereby allowing it to bypass traditional detection mechanisms.
“The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools,” Su added.
Once launched, Snake Keylogger is designed to drop a copy of itself to a file named “ageless.exe” in the folder “%Local_AppData%supergroup.” It also proceeds to drop another file called “ageless.vbs” in the Windows Startup folder such that the Visual Basic Script (VBS) automatically launches the malware every time the system is rebooted.
Through this persistence mechanism, Snake Keylogger is capable of maintaining access to the compromised system and resuming its malicious activities even if the associated process gets terminated.
The attack chain culminates with the injection of the main payload into a legitimate .NET process such as “regsvcs.exe” using a technique called process hollowing, permitting the malware to conceal its presence within a trusted process and sidestep detection.
Snake Keylogger has also been found to log keystrokes and use websites like checkip.dyndns[.]org to retrieve the victim’s IP address and geolocation.
“To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes,” Su said. “This technique allows the malware to log sensitive input such as banking credentials.”
The development comes as CloudSEK detailed a campaign that’s exploiting compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents to ultimately deploy the Lumma Stealer malware.
The activity, targeting industries like finance, healthcare, technology, and media, is a multi-stage attack sequence that results in the theft of passwords, browser data, and cryptocurrency wallets.
“The campaign’s primary infection vector involves using malicious LNK (shortcut) files that are crafted to appear as legitimate PDF documents,” security researcher Mayank Sahariya said, adding the files are hosted on a WebDAV server that unsuspecting visitors are redirected to after visiting sites.
The LNK file, for its part, executes a PowerShell command to connect to a remote server and retrieve the next-stage malware, an obfuscated JavaScript code that harbors another PowerShell that downloads Lumma Stealer from the same server and executes it.
In recent weeks, stealer malware has also been observed distributed via obfuscated JavaScript files to harvest a wide range of sensitive data from compromised Windows systems and exfiltrate it to a Telegram bot operated by the attacker.
“The attack begins with an obfuscated JavaScript file, which fetches encoded strings from an open-source service to execute a PowerShell script,” Cyfirma said.
“This script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy stealer malware.”
