New Snake Keylogger infects Windows using AutoIt freeware

A new variant of the Snake Keylogger is currently circulating, with a particular focus on Windows users in Asia and Europe. This latest iteration employs the BASIC-like scripting language AutoIt to facilitate its deployment, adding a layer of obfuscation that helps it evade detection.

Technical Insights into Snake Keylogger

Snake Keylogger, built on the Microsoft .NET framework, serves as a data-stealing tool. Similar to its predecessors, this malware typically infiltrates a victim’s computer through spam email attachments. Once installed, it logs keystrokes, captures screenshots, and collects clipboard data, targeting sensitive information such as usernames, passwords, and credit card details entered in popular browsers like Chrome, Edge, and Firefox.

After harvesting this valuable data, the Snake Keylogger transmits the information to its command-and-control server via various methods, including SMTP email, Telegram bots, and HTTP POST requests.

According to Fortinet’s malware analysts, the executable file for this new variant is an AutoIt-compiled binary, designed to unpack and execute the keylogger upon opening. This approach appears to encapsulate the core malware as a payload within a self-contained AutoIt binary.

AutoIt, a freeware scripting language designed for task automation on Windows systems, has gained popularity among cybercriminals due to its ability to generate standalone executables that can sometimes bypass conventional antivirus solutions. Kevin Su, a malware analyst at FortiGuard Labs, noted, “The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools.”

Once activated, the keylogger copies itself into the %Local_AppData%\supergroup directory under the name ageless[.]exe and sets the file's hidden attribute. It also places another file, ageless[.]vbs, in the Startup folder; this script contains a command that launches the Snake Keylogger automatically after a reboot. This persistence mechanism allows the malware, and its operator, to maintain access to the infected machine.

Su elaborated, “This method is commonly used because the Windows Startup folder permits scripts, executables, or shortcuts to run without requiring administrative privileges. By leveraging this technique, Snake Keylogger can sustain access to the compromised system and re-establish a foothold even if the malicious process is terminated.”
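The persistence described above leaves two artifacts a defender can check for: a .vbs launcher in the Startup folder and the executable it points at under %Local_AppData%\supergroup. The following script is an added example written for this page, not Fortinet's or the article's code. It scans a Startup folder for .vbs launchers, extracts the .exe paths they reference, and flags targets that sit in the supergroup directory, anywhere under LocalAppData, or that carry the hidden attribute. The directory layout, file names and VBS contents in the demo are constructed in a temporary directory so the check runs offline on any platform; the hidden-attribute test only works on Windows and reports unknown elsewhere.

```python
"""Hunt for Startup-folder VBS launchers that point at suspicious executables.

Added example for this page (not Fortinet's or the article's code). The layout
built by build_demo() is constructed: a fake Startup folder, a fake LocalAppData
with the 'supergroup' directory named in the article, and a benign launcher for
contrast.
"""
import os
import re
import shutil
import stat
import sys
import tempfile
from dataclasses import dataclass, field

# Quoted paths ending in .exe inside a script body, e.g.
#   CreateObject("WScript.Shell").Run "C:\...\ageless.exe"
EXE_IN_SCRIPT = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


@dataclass
class Finding:
    launcher: str            # the .vbs file in the Startup folder
    target: str              # the executable the launcher runs
    reasons: list = field(default_factory=list)  # empty means nothing suspicious


def is_hidden(path):
    """Hidden-attribute check; only meaningful on Windows, None elsewhere."""
    if sys.platform != "win32" or not os.path.exists(path):
        return None
    return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_startup(startup_dir, local_appdata):
    """Return one Finding per executable referenced by a .vbs launcher."""
    findings = []
    supergroup = os.path.normcase(os.path.join(local_appdata, "supergroup"))
    appdata_prefix = os.path.normcase(local_appdata)
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith(".vbs"):
            continue
        launcher = os.path.join(startup_dir, name)
        with open(launcher, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        for target in EXE_IN_SCRIPT.findall(body):
            reasons = []
            if os.path.normcase(os.path.dirname(target)) == supergroup:
                reasons.append("target lives in %Local_AppData%\\supergroup")
            elif os.path.normcase(target).startswith(appdata_prefix):
                reasons.append("target lives under user-writable LocalAppData")
            if is_hidden(target):
                reasons.append("target has the hidden attribute")
            findings.append(Finding(launcher, target, reasons))
    return findings


def build_demo():
    """Constructed directory tree mimicking the article's layout (temp dir)."""
    root = tempfile.mkdtemp(prefix="snake-demo-")
    startup = os.path.join(root, "Startup")
    local_appdata = os.path.join(root, "Local")
    payload_dir = os.path.join(local_appdata, "supergroup")
    vendor_dir = os.path.join(root, "Program Files", "Vendor")
    for d in (startup, payload_dir, vendor_dir):
        os.makedirs(d)
    payload = os.path.join(payload_dir, "ageless.exe")
    benign = os.path.join(vendor_dir, "sync.exe")
    for exe in (payload, benign):
        with open(exe, "wb") as fh:
            fh.write(b"placeholder - constructed, not a real binary")
    with open(os.path.join(startup, "ageless.vbs"), "w") as fh:
        fh.write(f'Set s = CreateObject("WScript.Shell")\ns.Run "{payload}"\n')
    with open(os.path.join(startup, "sync.vbs"), "w") as fh:
        fh.write(f'Set s = CreateObject("WScript.Shell")\ns.Run "{benign}"\n')
    return root, startup, local_appdata


if __name__ == "__main__":
    root, startup, local_appdata = build_demo()
    try:
        for f in scan_startup(startup, local_appdata):
            status = "SUSPICIOUS" if f.reasons else "ok"
            print(f"{status}: {f.launcher} -> {f.target} {f.reasons}")
    finally:
        shutil.rmtree(root)
```

On a real host, point `scan_startup` at the user's Startup folder (the `Startup` value under the user's `Shell Folders` registry key, or `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`) and at `%LocalAppData%`; the supergroup path and hidden-attribute checks are the parts that map directly to the article, the LocalAppData check is a broader heuristic that will also catch legitimate per-user installers, so treat it as a lead rather than a verdict.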

After executing ageless[.]exe, the keylogger injects its payload into a legitimate .NET process. In the sample analyzed by FortiGuard Labs, it specifically targets RegSvcs.exe using a technique known as process hollowing. This method involves spawning the process in a suspended state, replacing its legitimate code in memory with the malicious payload, and then resuming it, so the malware runs under the name of a trusted binary and is harder to spot.

Once operational, the keylogger begins logging keystrokes and executing other malicious activities. It calls the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL, a low-level keyboard hook. This allows the malware to monitor and capture keystrokes, including banking credentials and other sensitive information.

Snake Keylogger employs multiple strategies to exfiltrate stolen credentials and surveil its victims. One such method involves an HTTP request to hxxp://checkip[.]dyndns[.]org to retrieve the victim's public IP address, which can be leveraged for approximate geolocation.
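The three runtime behaviours described above (RegSvcs.exe started from a user-profile path as the hollowing target, a supposedly idle .NET utility opening network connections, and the checkip.dyndns.org lookup), together with the Startup-folder .vbs drop, all show up in ordinary endpoint telemetry. The following script is an added example for this page, not Fortinet's or the article's code. It runs simple per-event rules over Sysmon-style JSON records (EventID 1 process creation, 3 network connection, 11 file creation) and groups the hits by host. The events are constructed samples that follow Sysmon's field names; the RegSvcs.exe location and the user names are assumptions, not indicators from the article.

```python
"""Per-host detection of the Snake Keylogger behaviours named in the article.

Added example for this page (not Fortinet's or the article's code). SAMPLE_EVENTS
is constructed Sysmon-style JSON-lines telemetry: WS01 shows the full chain
(launcher -> Startup .vbs -> hollowed RegSvcs.exe -> checkip lookup), WS02 is
benign-looking noise for contrast.
"""
import json
import ntpath
from collections import defaultdict

SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "UtcTime": "2025-01-01 10:00:01", "Image": "C:\\Users\\bob\\AppData\\Local\\supergroup\\ageless.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "Computer": "WS01", "UtcTime": "2025-01-01 10:00:02", "Image": "C:\\Users\\bob\\AppData\\Local\\supergroup\\ageless.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ageless.vbs"}
{"EventID": 1, "Computer": "WS01", "UtcTime": "2025-01-01 10:00:03", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\supergroup\\ageless.exe"}
{"EventID": 3, "Computer": "WS01", "UtcTime": "2025-01-01 10:00:05", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "DestinationHostname": "checkip.dyndns.org", "DestinationPort": 80}
{"EventID": 1, "Computer": "WS02", "UtcTime": "2025-01-01 11:00:00", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 3, "Computer": "WS02", "UtcTime": "2025-01-01 11:00:01", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443}
"""

# Path fragments that mark user-writable locations (constructed heuristic list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def _base(path):
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def evaluate(event):
    """Return the rule names one event triggers (empty list when benign)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 11:
        target = event.get("TargetFilename", "").lower()
        if STARTUP_MARKER in target and target.endswith(".vbs"):
            hits.append("startup_vbs_dropped")
    elif eid == 1:
        # RegSvcs.exe launched by something in a user-writable path is the
        # hollowing pattern the article describes.
        if _base(image) == "regsvcs.exe" and _user_writable(event.get("ParentImage", "")):
            hits.append("regsvcs_spawned_from_user_path")
    elif eid == 3:
        if _base(image) == "regsvcs.exe":
            hits.append("regsvcs_network_connection")
        if event.get("DestinationHostname", "").lower() == "checkip.dyndns.org":
            hits.append("public_ip_lookup")
    return hits


def detect(jsonl):
    """Parse JSON-lines telemetry; return ({host: set(rules)}, [hit details])."""
    per_host = defaultdict(set)
    details = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            per_host[event["Computer"]].add(rule)
            details.append((event["Computer"], event["UtcTime"], rule, event.get("Image", "")))
    return dict(per_host), details


def triage(jsonl):
    """Hosts with two or more distinct behaviours; a lone public-IP lookup is
    common enough in legitimate software that it should not page anyone."""
    per_host, _ = detect(jsonl)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    _, details = detect(SAMPLE_EVENTS)
    for host, when, rule, image in details:
        print(f"{host} {when} {rule:32} {image}")
    print("triage:", triage(SAMPLE_EVENTS))
```

Feed `detect` a real Sysmon export (or the equivalent fields from another EDR) one JSON object per line. The two RegSvcs.exe rules are the high-signal ones: RegSvcs.exe is a .NET services installation utility with no reason to be launched from a user's profile directory or to talk to the internet, so either event on its own is worth a look, and the Startup .vbs rule explains how the implant survives a reboot. The public-IP lookup is kept as a low-severity rule and only contributes to `triage` when combined with another behaviour.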

Winsage