
A new variant of the Snake KeyLogger malware is being used in attacks that actively target Windows users in China, Turkey, Indonesia, Taiwan and Spain.
Fortinet FortiGuard Labs said the new version of the malware has been behind more than 280 million blocked infection attempts worldwide since the beginning of the year.
“Snake KeyLogger, normally delivered via phishing emails containing malicious attachments and links, is designed to steal sensitive information from popular web browsers such as Chrome, Edge and Firefox by logging keystrokes, capturing credentials and monitoring the clipboard.

Other features allow threat actors to access stolen credentials and other sensitive data by using the Simple Mail Transfer Protocol (SMTP) and Telegram bots.”
What’s noteworthy about the latest attack set is the use of the AutoIt scripting language to deliver and execute the main payload. In other words, the executable containing the malware is an AutoIt-compiled binary, allowing traditional detection mechanisms to be bypassed.
“Using AutoIt not only complicates static analysis by embedding the payload in a compiled script, but also allows for dynamic behavior that mimics benign automation tools,” Su added.
Upon launching, Snake KeyLogger drops a copy of itself into the “%LOCAL_APPDATA%\supergroup” folder in a file named “Ageless.exe”. It also drops another file called “ageless.vbs” in the Windows Startup folder so that the Visual Basic Script (VBS) automatically launches the malware every time the system is restarted.
Through this persistence mechanism, Snake KeyLogger can maintain access to the compromised system and resume malicious activity even if the associated processes have ended.
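As an added defender-side example (not from the article, Fortinet or the malware itself), the following Python script checks a Startup folder for the VBS-launcher persistence described above: any .vbs file that uses WScript.Shell to run something, with extra weight when it runs from AppData\Local or names the supergroup folder or Ageless artifacts. The indicator labels, the helper names and the constructed sample scripts are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: Snake KeyLogger drops ageless.vbs into the
# Startup folder to relaunch %LOCALAPPDATA%\supergroup\Ageless.exe at every boot.
INDICATORS = {
    "supergroup_dir": re.compile(r"\\supergroup\\", re.IGNORECASE),
    "ageless_name": re.compile(r"ageless\.(exe|vbs)", re.IGNORECASE),
}
# Generic shape of a VBS launcher: a WScript.Shell object followed by a .Run call.
LAUNCHER_RE = re.compile(r"WScript\.Shell.*?\.Run\b", re.IGNORECASE | re.DOTALL)
# Launching anything out of the user's AppData\Local tree from Startup is worth a look
# even when the file names differ from the sample described in the article.
LOCALAPPDATA_RE = re.compile(r"AppData\\Local\\", re.IGNORECASE)

def scan_startup_dir(startup_dir):
    """Return one finding per .vbs file in startup_dir that looks like a launcher
    or references the Snake KeyLogger artifacts named in the article."""
    findings = []
    for path in sorted(Path(startup_dir).glob("*.vbs")):
        text = path.read_text(errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        launcher = bool(LAUNCHER_RE.search(text))
        if launcher and LOCALAPPDATA_RE.search(text):
            hits.append("runs_from_localappdata")
        if hits or launcher:
            findings.append({"file": path.name, "launcher": launcher, "indicators": hits})
    return findings

def demo():
    """Constructed Startup folder (sample data, not real artifacts): one benign script,
    one Snake-style launcher, one unnamed launcher. Returns the scan result."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "greeting.vbs").write_text('MsgBox "Good morning"\n')
        Path(d, "ageless.vbs").write_text(
            'Set sh = CreateObject("WScript.Shell")\n'
            'sh.Run """C:\\Users\\alice\\AppData\\Local\\supergroup\\Ageless.exe""", 0, False\n'
        )
        Path(d, "upd.vbs").write_text(
            'CreateObject("WScript.Shell").Run "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", 0\n'
        )
        return scan_startup_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live Windows host, point scan_startup_dir at the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users one under %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp.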
Attack chains use a technique called process hollowing to inject the main payload into legitimate .NET processes such as “Regsvcs.exe”, hiding its presence within a trusted process and sidestepping detection.
Snake KeyLogger has also been found to log keystrokes and to use sites such as checkip.dyndns[.]org to obtain the victim’s IP address and geolocation.

“To capture keystrokes, it leverages the SetWindowsHookEx API. The first parameter is set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes,” Su says. “This technique allows the malware to record sensitive inputs such as banking credentials.”
The development comes as CloudSEK detailed a campaign that leverages compromised infrastructure associated with educational institutions to distribute malicious LNK files posing as PDF documents, ultimately deploying the Lumma Stealer malware.
The activity, which targets industries such as finance, healthcare, technology and media, is a multi-stage attack sequence that results in the theft of passwords, browser data and cryptocurrency wallets.
“The campaign’s main infection vector involves the use of malicious LNK (shortcut) files crafted to appear as legitimate PDF documents,” said security researcher Mayank Sahariya.
The LNK file runs a PowerShell command that connects to a remote server and retrieves the next stage of the malware: obfuscated JavaScript code carrying another PowerShell script that downloads and runs Lumma Stealer from the same server.

Over the past few weeks, stealer malware has also been distributed via obfuscated JavaScript files, collecting a wide range of sensitive data from compromised Windows systems and exfiltrating it to Telegram bots run by the attackers.
“The attack starts with an obfuscated JavaScript file, which retrieves an encoded string from an open-source service and runs a PowerShell script,” Cyfirma said.
“This script downloads JPG images and text files from IP addresses and URL shorteners. Both contain malicious MZ-DOS executables embedded using steganography techniques.”