Tuesday, November 12, 2024
Homecyber security.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

Published on

Malware protection

Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.

This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.

This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.

- Advertisement - SIEM as a Service

Understanding Snake Keylogger

Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is notorious malware that was initially distributed on hacker forums as a subscription-based service.

This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.

It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The Phishing Email

Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”

The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.

FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.

The phishing email attempts to deceive the recipient into opening the attached Excel file
The phishing email attempts to deceive the recipient into opening the attached Excel file

The Malicious Excel Document

Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.

This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.

Malicious Excel Document
Malicious Excel Document

The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).

This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.

These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.

The Loader Module

The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.

It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.

The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.

Loader Module Analysis
Loader Module Analysis

Deploy Module and Persistence

The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.

It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.

This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.

Scheduled Task for Snake Keylogger
Scheduled Task for Snake Keylogger

The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.

Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.

Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.

Snake Keylogger Summary
Snake Keylogger Summary

The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.

By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.

IOCs

URLs

hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe

Relevant Sample SHA-256

[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9

[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723

[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...