AhnLab Security Intelligence Center reports SnakeKeylogger, a .NET infostealer distributed via phishing emails with executable attachments, capable of exfiltrating data through multiple channels including SMTP, FTP, and Telegram. The malware is built from an obfuscated AutoIt loader and two binaries, and can inject into legitimate processes to evade detection. #SnakeKeylogger #AhnLab #Phishing
Keypoints
- SnakeKeylogger is an Infostealer-type malware.
- It is distributed via phishing emails with executable attachments.
- The malware is composed of an obfuscated AutoIt script and two binary files.
- Data exfiltration methods include SMTP, FTP, and Telegram.
- The malware can inject itself into legitimate processes to avoid detection.
- Exfiltrated data includes login credentials, web data, and more from various applications.
- Threat actors can customize the SnakeKeylogger to include or exclude features.
MITRE Techniques
- [T1566] Phishing β Distributes malware through phishing emails with malicious attachments. Quote: βThe initial distribution is typically done in the form of an email, as shown in Figure 1. It grabs the attention of recipients with relatively sensitive topics such as financial matters and prompts them to run the attached executable file (BankTran.exe).β
- [T1027] Obfuscated/Compressed Files and Information β The AutoIt script is highly obfuscated. Quote: βThe AutoIt script is highly obfuscated, but the strings identified through the decryption logic are shown below.β
- [T1055] Process Injection β Injects the SnakeKeylogger malware into legitimate processes to evade detection. Quote: βShellCode is responsible for injecting the SnakeKeylogger malware into legitimate processes.β
- [T1003] Credential Dumping β Exfiltrates account credentials from various applications including browsers and email clients. Quote: βExfiltrates account credentials from various applications including browsers and email clients.β
- [T1041] Exfiltration Over Command and Control Channel β Sends exfiltrated data via SMTP to the threat actor. Quote: βThe above user information that is exfiltrated is sent to the threat actor via SMTP.β
Indicators of Compromise
- [MD5] context β example1, example2, and other N items (if applicable)
- [URL] http[:]//mail[.]tradolgt[.]com[:]587/ β Exfiltration/Command and Control URL observed in the article
- [File Name] BankTran.exe, teres, and quinquenniad β Executables involved in the loader/injector chain
Read more: https://asec.ahnlab.com/en/82172/