.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.

This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.

This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.

Understanding Snake Keylogger

Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is notorious malware that was initially distributed on hacker forums as a subscription-based service.

This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.

It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The Phishing Email

Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”

The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.

FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.

The phishing email attempts to deceive the recipient into opening the attached Excel file

The Malicious Excel Document

Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.

This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.

Malicious Excel Document

The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).

This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.

These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.

The Loader Module

The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.

It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.

The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.

Loader Module Analysis

Deploy Module and Persistence

The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.

It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.

This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.

Scheduled Task for Snake Keylogger

The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.

Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.

Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.

Snake Keylogger Summary

The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.

By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.

IOCs

URLs

hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe

Relevant Sample SHA-256

[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9

[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723

[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

PAN-OS Command Injection Flaw Lets Hackers Execute Arbitrary Code Remotely

Palo Alto Networks has disclosed a medium-severity vulnerability (CVE-2025-0127) in its PAN-OS software, enabling authenticated…

19 seconds ago

Researchers Uncover Hacking Tools and Techniques Shared on Russian-Speaking Cybercrime Forums

Trend Micro, a cybersecurity firm, has released its 50th installment report on the Russian-speaking cybercriminal…

10 hours ago

SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool

The Pakistan-linked Advanced Persistent Threat (APT) group known as SideCopy has significantly expanded its targeting…

11 hours ago

Russian APT Hackers Use Device Code Phishing Technique to Bypass MFA

Russian state-backed advanced persistent threat (APT) group Storm-2372 has exploited device code phishing to bypass…

11 hours ago

Threat Actors Exploit Messaging Services as Lucrative Cybercrime Platforms

Threat actors are exploiting weaknesses in SMS verification systems to generate massive, fraudulent message traffic,…

12 hours ago

Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as…

12 hours ago