Under the Hood of SnakeKeylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures | Splunk

Snake Keylogger is a Trojan Stealer that emerged as a significant threat in November 2020, showcasing a fusion of credential theft and keylogging functionalities. Developed using .NET, its arsenal includes keystroke logging, harvesting stored credentials, and capturing screenshots. Moreover, it exhibits an adeptness in gathering clipboard data, browser credentials, and conducting system and network reconnaissance. This comprehensive array of capabilities underscores its sophistication and the importance of robust cybersecurity measures to counter such malicious tools effectively.

This Trojan Stealer employs a multifaceted approach to data exfiltration, leveraging various Command and Control (C2) servers such as FTP, SMTP, and Telegram. By utilizing these diverse channels, it enhances its ability to discreetly transmit the collected data from the targeted host to the attacker’s infrastructure. The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information. Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data.

By diversifying its C2 infrastructure, the Trojan Stealer maximizes its operational efficacy while evading traditional cybersecurity defenses, emphasizing the need for comprehensive and dynamic threat mitigation strategies.

In this blog, the Splunk Threat Research Team provides valuable insights to enable security analysts and blue teamers to defend and be aware of these scam tactics. Below, we’ll cover:

  • How the Snake Keylogger loader works
  • Tactics and techniques employed by Snake Keylogger
  • Security content you can use to help defend against this threat
  • Indicators of compromise identified by our team

Snake Keylogger Loader

In addition to employing phishing campaigns for propagation, Snake Keylogger demonstrates a notable sophistication by utilizing a variety of cryptors or loaders to obfuscate its code and evade detection by sandboxes. This dynamic strategy poses significant challenges for analysts attempting to dissect and analyze its inner workings. 

In this blog we will focus on a particular loader employed by Snake Keylogger, which cleverly utilizes the .RSRC data entry to conceal the AES-encrypted payload of the malware. 

Initially, the loader undertakes the parsing of specific resource properties objects, a process contingent upon the name of its .RSRC data entry. Following this, it proceeds to compute the SHA256 hash of a predetermined key string. This hash serves as the AES-ECB decryption key, essential for decrypting the encrypted .RSRC entry.

Figure 01: Encrypted RSRC DATA ENTRY

Using CyberChef, we can simulate the decryption process to decrypt the encrypted “Example” .RSRC data entry.

Figure 02: Decryption via CyberChef

The decrypted data reveals yet another layer of complexity: an additional loader executable contains two AES-ECB encrypted .RSRC data entries, each with distinct decryption key strings. Upon successfully decrypting these entries, our analysis unveils their contents: a RUNPE injector module and the authentic Snake Keylogger malware. 

Figure 03 (below) shows a short diagram how this loader decrypts and executes the actual SnakeKeylogger malware to steal sensitive data and information from the compromised host.

Figure 03: Snake Keylogger Loader Flow
(For a larger resolution of this diagram visit this link)

Snake Keylogger Techniques and Tactics

Figure 4 illustrates a screenshot of the “Snake Keylogger” main function, showcasing its utilization of obfuscation techniques to obscure method and class names. This deliberate obfuscation serves to impede static analysis, complicating efforts to discern the malware’s functionality and inner workings. 

Figure 04: Decryption via CyberChef

In the next subsections, we will discuss several tactics and techniques of this Trojan Stealer.

Discovery

System Information – T1082

Snake Keylogger gathers system information from compromised hosts, including details such as the operating system version, RAM size, and hard disk drive information. This dataset undergoes formatting before being transmitted to its C2 server as part of the exfiltrated data.

System Location Discovery – T1614

In addition to its systematic collection of system information, Snake Keylogger extends its reach to gather vital network data. This includes retrieving the IP address of the compromised host by querying a public web service (https[://]checkip[dyndns[.]org) to resolve the machine’s public IP address.

Snake Keylogger further extends its reconnaissance capabilities by querying https[://]reallygeoip[.]org to pinpoint the geographical location of the querying host machine. This query enables the malware to extract crucial details such as the city, country code, country name, geographic latitude and longitude coordinates, region name, and timezone information. By harnessing this comprehensive geo-location data, Snake Keylogger enhances its situational awareness, enabling more targeted and geographically-specific malicious attacks. 

Figure 05: GeoIP Location

Persistence

Registry Run Keys – T1547.001

Like many other forms of malware, it employs registry run keys to establish persistence on the compromised host, ensuring its survival through system reboots.

Figure 06: Registry Run Key

Defense Evasion 

Impair Defenses – T1562

In our analysis, we observed that Snake Keylogger integrates a “Kill Switch” mechanism. This feature operates by cross-referencing the build date of its code with the current date. If the build date precedes the current date, the malware promptly terminates its process. This tactic serves as an anti-sandbox technique, aiming to thwart detection by security environments. Given that Snake Keylogger frequently employs Crypter or loaders to execute its core code, bypassing this date-based check necessitates reverse engineering or unpacking of the actual Snake Keylogger, adding an additional layer of complexity for security analysts.

Figure 07: Kill Switch

Snake Keylogger utilizes choice.exe, a native Windows executable tool, to prompt user choices. It leverages the “/T” parameter of this tool to set a timeout delay before executing its cleanup routine. This process involves deleting the file path associated with the process and terminating the process itself, serving as a methodical cleanup technique.

Figure 08: Time Delay

This Trojan Stealer employs tactics to circumvent detection by various antivirus and security products. It achieves this by terminating processes associated with these security applications. Figure 09 shows a screenshot illustrating the list of process strings it scrutinizes within the process list, terminating them if detected. This proactive measure aims to neutralize and allow the malware to operate undetected and unhindered within the compromised system.

Figure 09: Kill AV

Another evasion technique we’ve uncovered involves Snake Keylogger maintaining a list of IP addresses it deems as belonging to sandbox or bot environments. When it detects activity from these addresses, it refrains from executing its malicious payload. However, if the environment is deemed clean, the malware proceeds to transmit collected data such as system information, network details, and browser credentials to its C2 server. This strategic approach underscores the malware’s adaptability and its effort to evade detection by distinguishing between benign and potentially threatening environments.

Figure 10: Bot Check

Credential Access 

Credentials from Web Browsers – T1555.003

Like many Trojan Stealers, Snake Keylogger boasts an extensive list of targeted browsers, aiming to steal credentials and sensitive data, including credit card information. Additionally, it sets its sights on mail and file clients.

Figure 10.1 (below) is the screenshot of its functions that tries to parse several browsers and Instant Messaging applications to steal sensitive information.

Figure 10.1: Browser and IM List

Email Collection – T1114 

Snake Keylogger extends its reach to harvest Outlook profile information by querying into the system registry. This aims to extract potentially valuable data such as usernames and passwords associated with Outlook accounts. These credentials could serve as gateways for further malicious activities and persistence within the compromised host.

Figure 11: Outlook Profile Registry

Collection 

Clipboard Data – T1115

Snake Keylogger captures data stored in the clipboard, which may include sensitive information such as copied passwords, credit card numbers, or other text. By harvesting this data, this Trojan Stealer gains access to potentially valuable information that users have copied for various purposes, increasing its effectiveness in stealing confidential data.

Figure 12: Clipboard data

Screen Capture – T1113

Snake Keylogger also takes screenshots of the user’s screen periodically that will be saved as “Screenshot.jpg” in the user “MyDocument” folder. This enables the malware to capture visual information, including sensitive documents, login credentials, or other confidential content displayed on the screen. 

Figure 13: Screenshot Capture

Keylogging – T1056.001

Of course Snake Keylogger’s keylogging functionality is paramount. It covertly records every keystroke made by the user, allowing it to harvest sensitive data such as passwords, usernames, and other confidential information.

Figure 14: Keylogging

Command and Control 

As an initial step in its execution, Snake Keylogger attempts to establish communication with one of its Command and Control (C2) servers and awaits a response to verify its activity. This is accomplished by inspecting the response from the C2 server if it contains spring “#$0#”.

Figure 15: Download from C2

Like Agent Tesla malware, this Trojan Stealer boasts three distinct C2 servers for data exfiltration: FTP, SMTP, and Telegram. Depending on the enabled C2 server specified in its configuration, Snake Keylogger determines where to send the data. The configuration settings reveal the enabled C2 server using specific strings:

  • %FTPDV$          : Indicates FTP C2 server activation.
  • $%TelegramDv$: Signals Telegram C2 server activation.
  • $%SMTPDV$     : Denotes SMTP C2 server activation.

Figure 16: Three C2 Servers

Splunk Security Content

Playbooks

Non-hunting detections associated with this analytic story create entries by default in Splunk Enterprise Security’s risk index, which can be used seamlessly with risk notables and playbooks in the Risk Notable Playbook Pack and the Automated Enrichment Playbook Pack for Splunk SOAR. 

Playbook Description
Automated Enrichment Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
Identifier Reputation Analysis Dispatch Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
Attribute Lookup Dispatch Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that return information.
Related Tickets Search Dispatch Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.

Detections

The Splunk Threat Research Team has created relevant detections and tagged them to the SnakeKeylogger Analytic Story to help security analysts detect adversaries leveraging the Phemedrone malware. 

For these analytic stories, we used and considered relevant data endpoint telemetry sources such as:

  • Process Execution & Command Line Logging
  • Windows Security SACL Event ID, Sysmon, or any Common Information Model-compliant EDR technology
  • Windows Security Event Log
  • Windows System Event Log
  • Windows PowerShell Script Block Logging

Overall, the SnakeKeylogger Analytic Story introduces 21 detections across MITRE ATT&CK techniques.

For example, the Windows Unsecured Outlook Credentials Access In Registry is an analytic that identifies a suspicious query on Outlook credentials registry in Windows OS registry.

This typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, including account information such as email addresses, server details, and authentication credentials.

`wineventlog_security` EventCode=4663 object_file_path IN 
("*ProfilesOutlook9375CFF0413111d3B88A00104B2A6676*", "*Windows Messaging 
SubsystemProfiles9375CFF0413111d3B88A00104B2A6676*")   
AND process_name != *outlook.exe   
| stats count min(_time) as firstTime max(_time) as lastTime by object_file_name 
object_file_path process_name process_path  process_id EventCode dest   
| `security_content_ctime(firstTime)`   
| `security_content_ctime(lastTime)`

Figure 17: Windows Unsecured Outlook Credentials Access In Registry

The Windows Time Based Evasion via Choice Exec analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or ‘Sleep’ commands in its code execution or before the deletion of its copies on compromised hosts.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) 
as lastTime from datamodel=Endpoint.Processes   
where Processes.process_name =choice.exe  Processes.process = "*/T*"  Processes.process = "*/N*"  
by Processes.parent_process_name Processes.process_name Processes.process 
Processes.process_id Processes.parent_process_id Processes.process_guid 
Processes.dest Processes.user   
| `drop_dm_object_name(Processes)`   
| `security_content_ctime(firstTime)`   
| `security_content_ctime(lastTime)`

Figure 18: Windows Time-Based Evasion via Choice Exec

The Windows Gather Victim Network Info Through Ip Check Web Services analytic identifies a process that attempts to connect to a known IP web service. This technique is commonly used by TrickBot and other malware to perform reconnaissance against the infected machine and look for its IP address.

`sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", 
"*ipinfo.io",
   "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", 
"www.myexternalip.com", 
  "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", 
"*dnsbl-1.uceprotect.net",
   "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*")
   |  stats  min(_time) as firstTime max(_time) as lastTime count by  Image ProcessId 
QueryName QueryStatus QueryResults EventCode Computer
   | rename Computer as dest
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)

Figure 19: Windows Gather Victim Network Info Through Ip Check Web Services

Indicators of Compromise (IOCs)

Hashes Description
0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5 SnakeKeylogger
80e12c2425ec7b8aa8913df82bd47c0c1a62f6539df22b6bf1ddab8b1694e3e8 SnakeKeylogger

Why Should You Care?

By understanding SnakeKeylogger Trojan Stealer behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detections to help defend against and respond to this threat. Security analysts, blue teamers and Splunk customers can use the insights and detections described in this blog to discover SnakeKeylogger tactics, techniques and procedures potentially being used by threat actors and adversaries in their environments. 

Early detection of SnakeKeylogger activities enables prompt containment and remediation, mitigating potential damage and preventing further propagation. Collaborative sharing of threat intelligence across security communities is crucial to enhance collective defense strategies. Continuous monitoring, alongside updated defense mechanisms, is essential to keep pace with SnakeKeylogger’s evolving tactics and ensure robust protection against its threats.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, Jose Hernandez, Patrick Bareiss and Gowthamaraj Rajendran.

Source: https://www.splunk.com/en_us/blog/security/under-the-hood-of-snakekeylogger-analyzing-its-loader-and-its-tactics-techniques-and-procedures.html