Threat Research

FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant

Fortinet
FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant

A new variant of the Snake Keylogger has been detected by FortiGuard Labs, utilizing malicious techniques to capture keystrokes and steal sensitive information from Windows users. The malware has been responsible for over 280 million blocked infection attempts, predominantly affecting users in China, Turkey, Indonesia, Taiwan, and Spain. With a high severity level, it employs advanced techniques to evade traditional security measures and exfiltrates stolen data through various channels. Affected: Windows users

Keypoints :

  • FortiGuard Labs detected a new variant of the Snake Keylogger (AutoIt/Injector.GTY!tr).
  • The malware has blocked over 280 million infection attempts, primarily affecting regions like China and Turkey.
  • It is delivered via phishing emails containing malicious attachments or links.
  • Snake Keylogger captures keystrokes and credentials from popular web browsers, exfiltrating data to its C2 server.
  • The malware employs techniques like process hollowing and persistent scripts to remain undetected.
  • FortiSandbox uses a machine learning engine, PAIX, for real-time detection and analysis of unknown threats.
  • Malware indicators enable identification and correlation with specific MITRE ATT&CK techniques.
  • FortiSandbox provides comprehensive malware analysis capabilities, including static and dynamic assessments.
  • Organizations are encouraged to undergo cybersecurity training to protect against phishing.

MITRE Techniques :

  • Credential Dumping (T1003): Captures and exfiltrates browser-related login credentials.
  • Process Hollowing (T1091): Injects malicious code into a legitimate .NET process (RegSvcs.exe).
  • Exfiltration Over Command and Control Channel (T1041): Exfiltrates data through SMTP and Telegram bots.
  • Persistence (T1547): Uses the Startup folder and ageless.vbs to maintain access upon system reboot.
  • Input Capture (T1056): Monitors keystrokes through the SetWindowsHookEx API.

Indicator of Compromise :

  • [C2 Server] http://51[.]38[.]247[.]67:8081/_send_php?L
  • [File] f8410bcd14256d6d355d7076a78c074f
  • [ageless.exe] f8410bcd14256d6d355d7076a78c074f
  • [ageless.vbs] 77f8db41b320c0ba463c1b9b259cfd1b

Full Story: https://feeds.fortinet.com/~/913256084/0/fortinet/blog/threat-research~FortiSandbox-Detects-Evolving-Snake-Keylogger-Variant

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint