{"id":5881,"date":"2021-01-20T08:09:03","date_gmt":"2021-01-20T16:09:03","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5881"},"modified":"2024-04-26T13:20:58","modified_gmt":"2024-04-26T20:20:58","slug":"snake-keylogger-slithers-through-malspam","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/snake-keylogger-slithers-through-malspam\/","title":{"rendered":"Snake Keylogger Slithers Through Malspam"},"content":{"rendered":"

Author: Eric Patterson<\/strong>
\nTLP: WHITE<\/strong>
\n <\/p>\n

Overview<\/h3>\n

During the week of 14 January, we observed a malspam campaign distributing the Snake Keylogger. The emails in the campaign contain a malicious 7-ZIP archive that opens an SCR file and downloads the malware to the victim host.1,2<\/sup><\/p>\n

Customer Impact<\/h3>\n

Snake Keylogger (a.k.a. 404 Keylogger)3<\/sup> is an infostealer that can steal a victim\u2019s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard.4<\/sup> Those infected with Snake can potentially face anything from identity theft to fraudulent financial transactions depending on the type of information siphoned by the keylogger.<\/p>\n

Campaign Analysis<\/h3>\n

As in previous 404 Keylogger campaigns we have observed,5<\/sup> this malspam campaign was financially themed and contained subject lures such as STATEMENT OF ACCOUNT NOVEMBER DECEMBER 2020. <\/em>The mails also carried a compressed ZIP archive attachment with an R03 file extension. The observed sender was Qtech Admin<\/em> and used the email address ungkwangmedtech[@]gmail[.]com.<\/em><\/p>\n

Attack Chain<\/h3>\n

When the victim extracts and executes the 7-ZIP archive, an executable (EXE) file of the same name will drop onto the user\u2019s Desktop (C:\\Users\\\\Desktop\\PO-75013.exe<\/em>).6 Once Snake establishes persistence, it will create a DirectInput object allowing it to capture keystrokes, take screenshots and access information on the clipboard. <\/p>\n

The malware then attempts to discover and steal mail credentials by accessing any saved profiles present on the machine (e.g., Outlook), as well as steal sensitive browser information from the local cookie and login data files found under the AppData<\/em> directory (i.e. for Google Chrome). <\/p>\n

If it is successful in gathering information, Snake will use a known-good IP lookup service (checkip.dyndns.org) to get the victim IP address. It will also query the system to gather other information such as the Windows version.<\/p>\n

While we did not observe exfiltration for this campaign, Snake is able to transmit information via email, FTP, SMTP, Pastebin or the messaging app Telegram.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following to reduce the risk of this type of infection:<\/p>\n