Researchers at FortiGuard Labs have identified a new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. The sample, detected under the signature name AutoIt/Injector.GTY!tr, is associated with more than 280 million blocked infection attempts worldwide, with the heaviest activity observed in China, Turkey, Indonesia, Taiwan, and Spain.
Mechanisms of Infection
The variant reaches victims mainly through phishing emails carrying malicious attachments or links. Once executed, it targets widely used browsers, including Chrome, Edge, and Firefox, to steal stored credentials. It logs keystrokes, harvests saved logins, and monitors the clipboard, then exfiltrates the stolen data to its operators via email (SMTP) and Telegram bots, which serve as its command-and-control (C2) channel.
According to the FortiGuard Labs technical report, the malware is delivered and executed through AutoIt, a scripting language commonly used for Windows automation. AutoIt compiles a script into a standalone executable that bundles the interpreter with the compiled script, so the malicious logic never appears as plain script text on disk and signature-based antivirus tuned to the usual .NET or native payloads is less likely to match it. The AutoIt-compiled wrapper therefore adds a layer of obfuscation that complicates both detection and manual analysis, since the embedded script has to be recovered from the binary before the payload can be examined.
The accompanying graph shows the fluctuating volume of AutoIt/Injector.GTY detections between January 1 and February 12, 2025, with peaks that suggest distinct campaign waves. Note that the graph counts detected (blocked) instances only, so the actual number of infections is likely considerably higher.
Persistence and Evasion Techniques
On execution, the malware drops a copy of itself as “ageless.exe” in the %Local_AppData%\supergroup folder and sets the file’s hidden attribute. It also writes “ageless.vbs” to the %Startup% folder; that script creates a WScript.Shell object and uses it to launch “ageless.exe” every time the user logs on. The technique is effective because the per-user Startup folder is writable by the user and anything placed in it runs at logon without administrative privileges, so no elevation or UAC prompt is needed.
Once “ageless.exe” runs, it uses process hollowing to place its payload inside a legitimate .NET Framework utility, “RegSvcs.exe.” It starts the target process in a suspended state, unmaps the original executable image from its address space, allocates new memory in its place, writes the malicious payload there, and then resumes the main thread. The resumed process executes the injected code, so the keylogger runs under the name and path of a trusted Windows binary and evades detection that keys on process names or image paths. The trade-off for the attacker is that the process’s in-memory image no longer matches its file on disk, which is exactly the discrepancy memory-scanning tools look for.
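The two host-side artifacts described in this section (the Startup-folder launcher and the hollowed RegSvcs.exe) are what a hunt on an endpoint would look for. The following script is an added example and not FortiGuard Labs’ code: it parses a launcher script for WScript.Shell Run targets and scans a process snapshot for RegSvcs.exe instances whose parent executable lives under a user profile directory. All inputs are constructed in-line (the username and paths are invented) so it runs offline; in a real hunt they would come from the Startup folder and from a process enumeration such as Sysmon event ID 1 or a Get-CimInstance Win32_Process dump.

```python
"""Host-side triage for the ageless.vbs / RegSvcs.exe persistence chain.

Added example, not FortiGuard Labs' code. Inputs are constructed stand-ins
so the script runs offline."""
import re
from dataclasses import dataclass

# Constructed stand-in for %Startup%\ageless.vbs (username/path invented).
SAMPLE_VBS = r'''Set WshShell = CreateObject("WScript.Shell")
WshShell.Run """C:\Users\victim\AppData\Local\supergroup\ageless.exe""", 0, False
'''


@dataclass
class Proc:
    pid: int
    name: str
    image: str
    parent_image: str


# Constructed process snapshot: one RegSvcs.exe started normally and one
# started by an executable dropped under %Local_AppData%.
SAMPLE_PROCS = [
    Proc(1001, "RegSvcs.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r"C:\Windows\explorer.exe"),
    Proc(1002, "RegSvcs.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r"C:\Users\victim\AppData\Local\supergroup\ageless.exe"),
]

WSCRIPT_SHELL_RE = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I)
# .Run "target" or .Run """target""" (VBScript doubles quotes to escape them)
RUN_TARGET_RE = re.compile(r'\.Run\s+"+([^"]+?)"+', re.I)
USER_PROFILE_RE = re.compile(r'\\AppData\\(Local|Roaming)\\', re.I)


def vbs_launch_targets(vbs_text):
    """Return the paths a WScript.Shell-based launcher script runs."""
    if not WSCRIPT_SHELL_RE.search(vbs_text):
        return []
    return RUN_TARGET_RE.findall(vbs_text)


def suspicious_launch_targets(vbs_text):
    """Run targets that point into a user-writable AppData directory."""
    return [t for t in vbs_launch_targets(vbs_text) if USER_PROFILE_RE.search(t)]


def hollowing_candidates(procs):
    """PIDs of RegSvcs.exe whose parent image sits in a user profile directory.

    This is a hunting heuristic, not proof of hollowing: confirm a hit by
    comparing the process's in-memory image with the file on disk."""
    return [p.pid for p in procs
            if p.name.lower() == "regsvcs.exe"
            and USER_PROFILE_RE.search(p.parent_image)]


if __name__ == "__main__":
    print("suspicious launcher targets:", suspicious_launch_targets(SAMPLE_VBS))
    print("hollowing candidates (PIDs):", hollowing_candidates(SAMPLE_PROCS))
```

The parent-process heuristic is deliberately narrow: RegSvcs.exe is rarely launched at all on a workstation, and almost never by something under AppData, so the false-positive rate is low, but a positive still needs the memory-versus-disk comparison before it counts as confirmed hollowing.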
Data Exfiltration and Capabilities
The Snake Keylogger retrieves the victim’s public IP address and geolocation through services such as checkip.dyndns.org and exfiltrates stolen credentials over SMTP and through the Telegram Bot API using HTTP POST requests. It also locates the folders in which browsers store saved login data and other sensitive information, and it includes modules that extract data from browser autofill stores, including saved credit card details. Keystrokes are captured by installing a low-level keyboard hook with the SetWindowsHookEx API and the WH_KEYBOARD_LL hook type, which receives every keystroke system-wide and, like the Startup-folder persistence, requires no administrative privileges.
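The exfiltration path described above leaves a recognizable footprint on the network side: a public-IP lookup, HTTP POSTs to the Telegram Bot API, and SMTP connections from a process that is not a mail client. The script below is an added example, not FortiGuard Labs’ code, that scores per-process egress events for those three indicators and flags processes that show at least two of them. The log lines, the process names and the bot token in them are constructed for the example, and the field layout (timestamp, process, host, port, method, path) is an assumption rather than any product’s real format.

```python
"""Egress-side scoring for Snake Keylogger-style exfiltration.

Added example, not FortiGuard Labs' code. Log format and all sample lines
(including the Telegram bot token) are constructed for this example."""
import re
from collections import defaultdict

# Constructed egress log: timestamp process host port method path
SAMPLE_LOG = """\
2025-02-10T09:14:02Z RegSvcs.exe checkip.dyndns.org 80 GET /
2025-02-10T09:14:03Z RegSvcs.exe api.telegram.org 443 POST /bot123456789:AAExampleTokenNotReal_0/sendMessage
2025-02-10T09:14:05Z RegSvcs.exe smtp.example.net 587 CONNECT -
2025-02-10T09:20:11Z chrome.exe api.telegram.org 443 GET /
2025-02-10T09:21:00Z outlook.exe smtp.example.net 587 CONNECT -
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$')
# Telegram Bot API paths have the form /bot<id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r'^/bot\d+:[\w-]+/(sendMessage|sendDocument)$')
GEOIP_HOSTS = {"checkip.dyndns.org"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list


def parse_log(text):
    """Yield (process, host, port, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, proc, host, port, method, path = m.groups()
            yield proc, host, int(port), method, path


def indicators_by_process(text):
    """Map process name -> ordered list of distinct indicators observed."""
    seen = defaultdict(list)

    def add(proc, tag):
        if tag not in seen[proc]:
            seen[proc].append(tag)

    for proc, host, port, method, path in parse_log(text):
        if host in GEOIP_HOSTS:
            add(proc, "geoip_lookup")
        if host == "api.telegram.org" and method == "POST" and TELEGRAM_BOT_RE.match(path):
            add(proc, "telegram_bot_post")
        if port in SMTP_PORTS and proc.lower() not in MAIL_CLIENTS:
            add(proc, "smtp_from_non_mail_client")
    return dict(seen)


def flag_processes(text, min_indicators=2):
    """Processes that exhibit at least min_indicators distinct behaviours."""
    return sorted(p for p, tags in indicators_by_process(text).items()
                  if len(tags) >= min_indicators)


if __name__ == "__main__":
    for proc, tags in indicators_by_process(SAMPLE_LOG).items():
        print(proc, "->", ", ".join(tags))
    print("flagged:", flag_processes(SAMPLE_LOG))
```

Each indicator on its own is noisy (a legitimate script may post to a Telegram bot, and plenty of software checks its public IP), which is why the flag requires two or more from the same process; the combination of a geolocation lookup followed within seconds by bot-API or SMTP traffic from a process that has no business sending mail is the pattern worth alerting on.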
The image below summarizes the techniques the Snake Keylogger uses during an attack, grouped by MITRE ATT&CK tactic: Collection, Credential Access, Defense Evasion, Exfiltration, Lateral Movement, Privilege Escalation, Reconnaissance, and Resource Development, among others, giving an overview of the breadth of its capabilities.
This sophisticated and feature-rich variant poses a significant threat to Windows users globally. To combat this and other emerging keylogger threats, organizations and individuals are encouraged to implement a combination of advanced threat protection and proactive security measures.