Saturday, September 7, 2024
Homecyber security.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

Published on

Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.

This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.

This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.

- Advertisement - EHA

Understanding Snake Keylogger

Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is notorious malware that was initially distributed on hacker forums as a subscription-based service.

This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.

It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The Phishing Email

Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”

The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.

FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.

The phishing email attempts to deceive the recipient into opening the attached Excel file
The phishing email attempts to deceive the recipient into opening the attached Excel file

The Malicious Excel Document

Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.

This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.

Malicious Excel Document
Malicious Excel Document

The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).

This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.

These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.

The Loader Module

The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.

It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.

The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.

Loader Module Analysis
Loader Module Analysis

Deploy Module and Persistence

The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.

It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.

This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.

Scheduled Task for Snake Keylogger
Scheduled Task for Snake Keylogger

The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.

Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.

Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.

Snake Keylogger Summary
Snake Keylogger Summary

The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.

By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.

IOCs

URLs

hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe

Relevant Sample SHA-256

[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9

[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723

[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...