AutoIt Archives

Tech Optimizer

February 28, 2025

Evolving Snake Keylogger Variant Targets Windows Users

Cybersecurity researchers at Fortinet have identified a new variant of the Snake Keylogger malware, which has blocked over 280 million infection attempts globally. This malware captures sensitive user information, including credentials and browser data, and has the highest infection rates in China, Turkey, Indonesia, Taiwan, and Spain. The Snake Keylogger operates in three phases: distribution through phishing emails, data collection by capturing keystrokes and extracting credentials from browsers, and data transmission to command-and-control servers via encrypted channels. It employs advanced evasion techniques, such as process hollowing and persistence mechanisms, to operate stealthily. The malware uses obfuscation tools like AutoIt scripting to evade antivirus defenses and specifically targets browser-stored credentials. Security experts recommend caution with emails, using updated antivirus software, and regular patching of systems to mitigate risks.

Winsage

February 19, 2025

This high-risk keylogger malware is a growing threat to Windows users

Recent reports indicate a surge in the activity of the Snake keylogger, also known as the 404 Keylogger, linked to over 280 million attack attempts since the start of the year. At its peak, it was responsible for as many as 14 million infection attempts in a single day. The malware can log keystrokes and extract personally identifiable information, including geolocation data, transmitting this data back to its command server through channels like SMTP, Telegram bots, and HTTP post requests. The Snake keylogger operates on the AutoIT framework, creating a copy of itself in the Windows Startup folder to ensure execution upon every system restart. It employs advanced obfuscation techniques to evade detection by antivirus software, hiding its malicious code within processes recognized as legitimate by the operating system. The keylogger primarily spreads through sophisticated phishing attacks.

Winsage

February 19, 2025

Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots

Cybersecurity experts at FortiGuard Labs have identified a new variant of the Snake Keylogger, known as AutoIt/Injector.GTY!tr, which targets Windows users and has blocked over 280 million infection attempts worldwide, particularly in China, Turkey, Indonesia, Taiwan, and Spain. The malware spreads primarily through phishing emails with malicious attachments or links and focuses on popular web browsers to steal sensitive information by logging keystrokes, capturing credentials, and monitoring clipboard activity. It exfiltrates data to its command-and-control server via email and Telegram bots. The malware uses AutoIt scripting to create standalone executables that evade antivirus detection. It installs itself by dropping "ageless.exe" in the %Local_AppData%supergroup folder and "ageless.vbs" in the %Startup% folder to ensure persistence. The malware employs process hollowing to inject its payload into a legitimate .NET process, allowing it to hide from detection. Additionally, the Snake Keylogger can retrieve the victim’s geolocation and extract sensitive information from browser autofill systems, including credit card details. It utilizes various techniques for data collection, credential access, defense evasion, and exfiltration, posing a significant threat to Windows users.

Winsage

February 19, 2025

New Snake Keylogger infects Windows using AutoIt freeware

A new variant of the Snake Keylogger is targeting Windows users in Asia and Europe, utilizing the AutoIt scripting language for deployment to evade detection. This malware, built on the Microsoft .NET framework, infiltrates systems through spam email attachments, logging keystrokes, capturing screenshots, and collecting clipboard data to steal sensitive information like usernames, passwords, and credit card details from browsers such as Chrome, Edge, and Firefox. The keylogger transmits stolen data to its command-and-control server using methods like SMTP email, Telegram bots, and HTTP POST requests. The executable file is an AutoIt-compiled binary that unpacks and executes the keylogger upon opening. The keylogger replicates itself in the %Local_AppData%supergroup directory as ageless[.]exe and places a file named ageless[.]vbs in the Startup folder to ensure it runs automatically on system reboot. This persistence mechanism allows continued access to the infected machine without requiring administrative privileges. Once activated, the keylogger injects its payload into a legitimate .NET process, specifically targeting RegSvcs.exe through process hollowing. It logs keystrokes using the SetWindowsHookEx API with a low-level keyboard hook, capturing sensitive information. Additionally, it retrieves the victim's public IP address by pinging hxxp://checkip[.]dyndns[.]org for geolocation purposes.