Comprehensive Examination of the Latest Snake Keylogger Variant | FortiGuard Labs

Fortinet FortiGuard Labs analyzed a phishing campaign delivering a new Snake Keylogger variant via a malicious Excel document that exploits CVE-2017-0199 and employs multi-stage scripting to download and execute the loader. The campaign persists with scheduled tasks, uses process hollowing to run the payload, and exfiltrates credentials over SMTP, with FortiGuard protections in place.
#SnakeKeylogger #CVE-2017-0199

Keypoints

  • Affected Platforms: Microsoft Windows
  • Delivery Method: Phishing email delivering a malicious Excel document
  • Keylogger Variant: Snake Keylogger (aka 404 Keylogger or KrakenKeylogger)
  • Exploited Vulnerability: CVE-2017-0199
  • Persistence: Scheduled tasks to ensure startup execution
  • Data Exfiltration: Credentials sent to attacker via SMTP
  • Fortinet Protections: FortiGuard services protect against this campaign

MITRE Techniques

  • [T1566] Phishing – Uses phishing emails to deliver malicious Excel documents. “The email content in Figure 1 attempts to deceive the recipient into opening the attached Excel file (swift copy.xls) by claiming that funds have been transferred into their account.”
  • [T1203] Exploitation for Client Execution – Exploits CVE-2017-0199 to download a malicious file. “The link is ‘hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta’.”
  • [T1027] Obfuscated/Compressed Files and Information – Core modules are obfuscated/encrypted within resources. “the attacker has fully obfuscated the entire module, which displays its entry point (‘Main()’) and the obfuscated code.”
  • [T1059] Command and Scripting Interpreter – Uses VBScript to run PowerShell code decoded from a base64 string and executed via cmd.exe. “PowerShell code is then executed by ‘cmd.exe’ (%ComSpec%) when the ‘shellObj.Run()’ function is called.”
  • [T1053] Scheduled Task – Creates a scheduled task to persist at startup. “The Deploy module runs the ‘schtasks.exe’ command to create a new scheduled task in the system Task Scheduler.”
  • [T1093] Process Hollowing – Uses process hollowing to run the core module inside a suspended process. “The Deploy module performs process hollowing… to run.”
  • [T1041] Data Exfiltration – Sends collected credentials to the attacker via SMTP. “sends data to the attacker via SMTP.”
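As an added defender-side example (constructed for this digest, not FortiGuard's code), the following Python check walks Sysmon-style process-creation events for the chain described under T1059 and T1053: mshta.exe launching cmd.exe (%ComSpec%), which runs base64-encoded PowerShell, followed by schtasks.exe /create beneath that lineage. The events, URL, task name and paths are constructed placeholders, not indicators from the report.

```python
"""Detection sketch for the digest's T1059/T1053 chain (added example, not FortiGuard's
code): mshta.exe -> cmd.exe -> powershell.exe -EncodedCommand, then schtasks.exe /create."""
import base64
import re

ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed stage-2 script and its PowerShell encoding (UTF-16LE, then base64).
STAGE2_SCRIPT = "Start-Sleep 1; Write-Host 'stage2-placeholder'"
STAGE2_B64 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode()

# Constructed events: (pid, parent pid, image, command line). URL/task/paths are placeholders.
EVENTS = [
    (1010, 1000, "mshta.exe", "mshta.exe http://hta.example.invalid/107.hta"),
    (1020, 1010, "cmd.exe", f"C:\\Windows\\System32\\cmd.exe /c powershell -ec {STAGE2_B64}"),
    (1030, 1020, "powershell.exe", f"powershell -ec {STAGE2_B64}"),
    (1040, 1030, "schtasks.exe", "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\placeholder.exe"),
    (2000, 900, "powershell.exe", f"powershell -ec {STAGE2_B64}"),  # same payload, no mshta ancestor
]


def decode_encoded_command(cmdline):
    """Return the decoded UTF-16LE script passed via -EncodedCommand, or None."""
    match = ENCODED.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events, pid):
    """Lower-cased image names from this process up to the root of the recorded tree."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def find_snake_chain(events):
    """Flag encoded PowerShell under mshta.exe->cmd.exe, and schtasks /create beneath it."""
    findings = []
    for pid, _, image, cmdline in events:
        lineage = ancestry(events, pid)
        if image.lower() == "powershell.exe" and "cmd.exe" in lineage and "mshta.exe" in lineage:
            script = decode_encoded_command(cmdline)
            if script is not None:
                findings.append((pid, "encoded PowerShell via cmd.exe under mshta.exe", script))
        if image.lower() == "schtasks.exe" and "/create" in cmdline.lower() and "mshta.exe" in lineage:
            findings.append((pid, "scheduled task created beneath mshta.exe chain", cmdline))
    return findings
```

The last event carries the same encoded payload but has no mshta.exe ancestor, so it is deliberately not flagged; the check keys on the lineage the report describes, not on encoded PowerShell alone.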

Indicators of Compromise

  • [URL] – hxxp[:]//urlty[.]co/byPCO, hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta, and hxxp[:]//192.3.176[.]138/107/sahost.exe
  • [IP Address] – 192.3.176[.]138 (host for 107.hta and sahost.exe delivery)
  • [SHA-256] – swift copy.xls: 8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7
  • [SHA-256] – 107.hta: 6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9
  • [SHA-256] – sahost.exe / WeENKtk.exe / utGw.exe: 484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723
  • [SHA-256] – Loader core module: 207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714

Read more: https://feeds.fortinet.com/~/903638177/0/fortinet/blog/threat-research~Deep-Analysis-of-Snake-Keylogger%e2%80%99s-New-Variant