Ethical Hacking News
A recent report has uncovered a new variant of Snake Keylogger that infects Windows systems with an AutoIt-compiled payload. The malware logs keystrokes, captures screenshots, and collects clipboard data to steal sensitive information, so users should stay vigilant and protect their systems against this new threat.
The new variant of Snake Keylogger targets Windows users in Asia and Europe and uses the AutoIt scripting language to deploy itself. The malware logs keystrokes, captures screenshots, and collects clipboard data to steal sensitive information, and it sends that data to its command-and-control server over SMTP email, Telegram bots, and HTTP POST requests. The AutoIt-compiled binaries complicate analysis, making the malware harder to detect and remove.
A recent report from Fortinet's malware hunters has uncovered a new variant of the notorious Snake Keylogger, which has been making the rounds primarily among Windows users across Asia and Europe. This strain uses the BASIC-like scripting language AutoIt to deploy itself, adding an extra layer of obfuscation to help it evade detection.
The Snake Keylogger is a Microsoft .NET-based data stealer that logs keystrokes, captures screenshots of the desktop, and collects clipboard data to steal credentials, credit card details, and other sensitive information. The keystrokes can include usernames and passwords typed into browsers such as Chrome, Edge, and Firefox.
Once installed on a victim's PC, typically as an attachment to a spam email, the malware funnels the stolen information to its command-and-control server using SMTP email, Telegram bots, and HTTP POST requests. This allows the attackers to maintain communication with the infected computer and retrieve sensitive data without being detected.
The new variant of Snake Keylogger is notable for its use of AutoIt-compiled binaries, designed to unpack and run the keylogger when opened. According to FortiGuard Labs malware analyst Kevin Su, "The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools."
AutoIt is a freeware scripting language popular among cybercriminals because it can generate standalone executables, some of which evade traditional antivirus solutions. The technique this variant uses, known as process hollowing, spawns a legitimate .NET process in a suspended state and replaces its in-memory code with the malicious payload.
The malware calls the SetWindowsHookEx API with its first parameter set to WH_KEYBOARD_LL, a low-level keyboard hook, to monitor and capture keystrokes, which lets it collect banking credentials and other sensitive information. The hook is installed from a legitimate .NET process, RegSvcs.exe, into which the payload has been injected.
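The two behaviours described in the preceding paragraphs, a suspended .NET host being hollowed and a WH_KEYBOARD_LL hook being installed from it, are the kind of sequence a sandbox API trace makes visible. The following is an example triage script added to this page; it is not code from Fortinet's report or the article. The JSON-lines trace format, the process ids and the file paths are constructed (the hypothetical trace records the target pid of each call in a "target" field); the process names and the hook id follow the article, and 13 is the documented value of WH_KEYBOARD_LL.

```python
import json

WH_KEYBOARD_LL = 13            # documented idHook value for a low-level keyboard hook
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that starts the child suspended

# Constructed sandbox-style trace (hypothetical JSON-lines format). Image names
# follow the article; pids, paths and the format itself are made up for this example.
TRACE = r"""
{"pid": 1001, "image": "invoice.exe", "api": "CreateProcessW", "path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "flags": 4, "target": 2002}
{"pid": 1001, "image": "invoice.exe", "api": "WriteProcessMemory", "target": 2002}
{"pid": 1001, "image": "invoice.exe", "api": "ResumeThread", "target": 2002}
{"pid": 2002, "image": "RegSvcs.exe", "api": "SetWindowsHookExW", "idHook": 13}
{"pid": 3003, "image": "notepad.exe", "api": "SetWindowsHookExW", "idHook": 13}
{"pid": 4004, "image": "setup.exe", "api": "CreateProcessW", "path": "C:\\tools\\helper.exe", "flags": 0, "target": 5005}
{"pid": 4004, "image": "setup.exe", "api": "WriteProcessMemory", "target": 5005}
"""


def parse_trace(text):
    """One dict per non-empty trace line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_hollowing(events):
    """Return {child_pid: (parent_pid, child_path)} for every child that was
    created suspended, written to by its parent, and then resumed: the
    create-suspended / write / resume sequence that process hollowing needs."""
    suspended = {}   # child pid -> (parent pid, image path)
    written = set()  # suspended children that received WriteProcessMemory
    hollowed = {}
    for ev in events:
        api = ev["api"]
        if api.startswith("CreateProcess") and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended[ev["target"]] = (ev["pid"], ev.get("path", ""))
        elif api == "WriteProcessMemory" and ev["target"] in suspended:
            written.add(ev["target"])
        elif api == "ResumeThread" and ev["target"] in written:
            hollowed[ev["target"]] = suspended[ev["target"]]
    return hollowed


def find_keyboard_hooks(events, hollowed):
    """Flag every WH_KEYBOARD_LL hook; a hook from a hollowed process is high
    severity, any other one is queued for review (automation and accessibility
    tools legitimately install the same hook)."""
    findings = []
    for ev in events:
        if not ev["api"].startswith("SetWindowsHookEx") or ev.get("idHook") != WH_KEYBOARD_LL:
            continue
        if ev["pid"] in hollowed:
            findings.append({"pid": ev["pid"], "image": ev["image"], "severity": "high",
                             "reason": "WH_KEYBOARD_LL hook set by a hollowed process"})
        else:
            findings.append({"pid": ev["pid"], "image": ev["image"], "severity": "review",
                             "reason": "WH_KEYBOARD_LL hook; confirm the process is a known tool"})
    return findings


def triage(text):
    events = parse_trace(text)
    hollowed = find_hollowing(events)
    return {"hollowed": hollowed, "hooks": find_keyboard_hooks(events, hollowed)}


if __name__ == "__main__":
    result = triage(TRACE)
    for child, (parent, path) in result["hollowed"].items():
        print(f"hollowed: pid {child} ({path}) by pid {parent}")
    for f in result["hooks"]:
        print(f"{f['severity']:6} pid {f['pid']} {f['image']}: {f['reason']}")
```

The hollowing check deliberately requires all three calls from the same parent against the same child; a suspended create on its own is common in debuggers and installers, which is why the constructed trace includes a non-suspended child that receives WriteProcessMemory and is correctly ignored.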
Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder as ageless[.]exe and sets the file's hidden attribute. It also drops a second file, ageless[.]vbs, into the Startup folder; this script contains a command that runs Snake Keylogger automatically whenever the system reboots.
Malware authors commonly use this method because the Windows Startup folder lets scripts or executables run without requiring administrative privileges. By leveraging it, Snake Keylogger maintains access to the compromised system and re-establishes its foothold even if the malicious process is terminated.
The use of AutoIt-compiled binaries adds an extra layer of complexity to analyzing the malware, making it more challenging for security researchers to detect and remove the threat.
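The persistence described above leaves two artifacts a defender can check for: a launcher script in the Startup folder and the hidden executable it points at in a user-writable profile directory. Below is an example Startup-folder audit added to this page, not code from the article or from Fortinet. It lays out a constructed profile in a temporary directory (the ageless names and the supergroup folder follow the article; the VBS launcher text, the placeholder binary and a benign contrasting entry are made up for the example), then extracts every quoted .exe path from each launcher and reports whether that path exists, whether it sits under the user-writable root, and whether the file carries the hidden attribute (only determinable on Windows, where os.stat exposes st_file_attributes).

```python
import re
import stat
import tempfile
from pathlib import Path

# Quoted path ending in .exe, as found in a WScript.Shell Run line.
EXE_IN_QUOTES = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
HIDDEN_BIT = 0x2  # FILE_ATTRIBUTE_HIDDEN in st_file_attributes (Windows only)
LAUNCHER_SUFFIXES = {".vbs", ".js", ".bat", ".cmd"}


def is_hidden(path):
    """True/False on Windows from the file attribute bits; None on platforms
    without st_file_attributes, so callers can tell 'unknown' from 'not hidden'."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & HIDDEN_BIT)


def referenced_executables(script):
    """Every quoted .exe path mentioned in a launcher script."""
    return [Path(m) for m in EXE_IN_QUOTES.findall(script.read_text(errors="replace"))]


def scan_startup(startup_dir, user_writable_roots):
    """Audit launcher scripts in a Startup folder and describe each target."""
    roots = [Path(r).resolve() for r in user_writable_roots]
    findings = []
    for item in sorted(Path(startup_dir).iterdir()):
        if item.suffix.lower() not in LAUNCHER_SUFFIXES:
            continue
        for exe in referenced_executables(item):
            resolved = exe.resolve()  # non-existent paths resolve without error
            findings.append({
                "startup_item": item.name,
                "executable": str(exe),
                "exists": exe.exists(),
                "in_user_writable_dir": any(root in resolved.parents for root in roots),
                "hidden": is_hidden(exe) if exe.exists() else None,
            })
    return findings


def build_constructed_profile(base):
    """Lay out the artifacts the article describes under a throwaway root.
    Returns (startup_dir, local_appdata_dir). Everything here is constructed."""
    local_appdata = base / "Users" / "alice" / "AppData" / "Local"
    startup = base / "Users" / "alice" / "Startup"
    (local_appdata / "supergroup").mkdir(parents=True)
    startup.mkdir(parents=True)
    payload = local_appdata / "supergroup" / "ageless.exe"
    payload.write_bytes(b"MZ")  # placeholder bytes, not a real binary
    (startup / "ageless.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\n'
        f'sh.Run """{payload}""", 0, False\n')
    # Benign contrast: a launcher whose target lives outside the user profile.
    vendor_exe = base / "ProgramFiles" / "Vendor" / "helper.exe"
    (startup / "VendorHelper.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\n'
        f'sh.Run """{vendor_exe}""", 1, False\n')
    return startup, local_appdata


def run_demo():
    """Build the constructed profile, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        startup, local_appdata = build_constructed_profile(Path(tmp))
        return scan_startup(startup, [local_appdata])


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPECT" if f["in_user_writable_dir"] else "ok     "
        print(f"{flag} {f['startup_item']} -> {f['executable']} "
              f"(exists={f['exists']}, hidden={f['hidden']})")
```

On a live Windows host the same scan_startup function can be pointed at the real per-user Startup folder with %LOCALAPPDATA% and %APPDATA% as the user-writable roots; an entry whose target both lives there and is hidden matches the pattern this article describes and deserves a closer look.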
The discovery of this new variant highlights the importance of staying up-to-date with the latest security patches and being cautious when opening emails or downloading attachments from unknown sources. It also underscores the need for robust cybersecurity measures to protect against sophisticated threats like Snake Keylogger.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/02/18/new_snake_keylogger_infects_windows/
https://www.theregister.com/2025/02/18/new_snake_keylogger_infects_windows/
https://cyberinsider.com/new-snake-keylogger-variant-launches-280-million-attacks/
Published: Tue Feb 18 16:16:22 2025 by llama3.2 3B Q4_K_M