‘Snake Keylogger’ Invoice Breaches Confidential Data By Hiding in ISO Files


“A specialized invoice, ‘Snake Keylogger,’ is being used to steal confidential information, and it also hides itself in ISO files.”

A recently discovered information-stealing campaign exploits companies’ diligence about payments, using skillfully written phishing emails to install the hazardous Snake Keylogger malware.

Security analysts have shown how the attackers are effectively breaking into company networks with a straightforward but powerful social engineering technique: passing the malware off as necessary remittance paperwork from well-known companies.

The Phishing Trick: An Illusory “Remittance”

A targeted email that imitates a typical payment notification or remittance advice from reputable corporate services like CPA Global or Clarivate serves as the attack’s first vector.

The emails encourage recipients to download an attached file and are labeled along the lines of “remittance advice for the payment dated….” Importantly, these files come in the form of an ISO disk image or, more covertly, a ZIP archive.

The ISO container provides a first layer of defense evasion, a technique chosen specifically to get around older security tools that may only be able to scan conventional ZIP archives. The infection chain starts when a user tries to open the fraudulent payment document.

Using PowerShell to Get Past Defenses

The file concealed in the ISO or ZIP archive is not a payment document but a malicious BAT script. When run, this script invokes PowerShell, the built-in Windows administration tool, in a stealthy manner.

The script downloads the main Snake Keylogger payload, often named loader.exe, using a specific command and runs it in a way that reduces the number of visible indicators on the victim’s screen.

The malware’s small executable then makes use of advanced Windows capabilities, injecting its code into already-running processes such as explorer.exe or svchost.exe. By blending in with regular system operations, this process injection technique makes it harder for traditional endpoint security tools to identify the keylogger.

Credential Capture and the “SysUpdate” Gambit

The Snake Keylogger starts collecting sensitive data as soon as it is running. It hooks into browser processes and the keyboard input path to record important data such as session tokens, login credentials, and keystrokes.

To make the exfiltration traffic look innocuous, the stolen data is compressed before being sent back to the attacker’s server, the command-and-control (C2) endpoint, via ordinary HTTP POST requests.

The infection also establishes persistence to guarantee a sustained presence. Every hour, the keylogger is automatically relaunched by a scheduled task named “SysUpdate.” Even if a user or security product stops the rogue process, this mechanism ensures that the malicious software restarts.

Defending Against the Bite of the Serpent

Security experts are urging organizations to act quickly to mitigate this threat. User awareness training is the first line of defense; in particular, all emails pertaining to payments should be carefully examined, regardless of the sender’s apparent legitimacy.

Technically, companies should improve logging to identify anomalous process injection activity and implement strict attachment-sandboxing policies, especially for ISO files. It is crucial to monitor for the specific Indicators of Compromise (IoCs), such as the malicious domains, the distinct file hashes, and the scheduled task named “SysUpdate.”

Data loss can be avoided and the attack chain broken by blocking these indicators at the network perimeter and endpoint.
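The detection logic below is an added example written for this article, not code from the original report or from any vendor; it shows how the attack chain described above (batch script spawning hidden PowerShell, process injection into explorer.exe or svchost.exe, the hourly “SysUpdate” scheduled task, and HTTP traffic to a C2 host) can be hunted in Sysmon-style process, network and CreateRemoteThread events. The events, hostnames, hashes and domains are constructed placeholders, since the article does not publish the real IoCs; the C2 domain and hash sets are where an analyst would paste the published values.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (NOT real captures). Field names follow Sysmon
# EventID 1 (process create), 3 (network connect) and 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "E:\remittance advice for the payment dated.bat"',
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=PLACEHOLDER_BAT_HASH"},
    {"EventID": 1, "Host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "<placeholder: fetch loader.exe and run it>"',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "E:\remittance advice for the payment dated.bat"',
     "Hashes": "SHA256=PLACEHOLDER_PS_HASH"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "CommandLine": "loader.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=PLACEHOLDER_LOADER_HASH"},
    {"EventID": 8, "Host": "ws01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "SysUpdate" /sc hourly /tr "C:\Users\jdoe\AppData\Local\Temp\loader.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=PLACEHOLDER_SCHTASKS_HASH"},
    {"EventID": 3, "Host": "ws01", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "c2.placeholder.invalid", "DestinationPort": 80},
    # Benign activity on a second host: admin script and a normal browser update.
    {"EventID": 1, "Host": "ws02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=PLACEHOLDER_BENIGN"},
    {"EventID": 3, "Host": "ws02", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationHostname": "update.example.com", "DestinationPort": 443},
]

# Placeholders: the article names no domains or hashes; substitute published IoCs here.
IOC_DOMAINS = {"c2.placeholder.invalid"}
IOC_SHA256 = {"PLACEHOLDER_LOADER_HASH"}
# Processes the article names as injection targets.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SYSUPDATE_TASK = re.compile(r'/tn\s+"?\\?sysupdate\b', re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field like 'SHA256=...,MD5=...'."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part[7:]
    return None


def evaluate(event):
    """Return a list of (rule_name, detail) hits for a single event."""
    hits = []
    eid = event["EventID"]
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        parent_cmd = event.get("ParentCommandLine", "").lower()
        # Stage 1: batch script launching PowerShell with a hidden window.
        if image == "powershell.exe" and parent == "cmd.exe" and ".bat" in parent_cmd and HIDDEN_PS.search(cmd):
            hits.append(("hidden_powershell_from_bat", cmd))
        # Stage 3: hourly persistence task named SysUpdate.
        if image == "schtasks.exe" and "/create" in cmd.lower() and SYSUPDATE_TASK.search(cmd):
            hits.append(("sysupdate_task_created", cmd))
        # Known-bad file hash.
        digest = sha256_of(event)
        if digest in IOC_SHA256:
            hits.append(("ioc_hash_match", digest))
    elif eid == 8:
        # Stage 2: a thread created inside explorer.exe / svchost.exe from another image.
        if basename(event.get("TargetImage", "")) in INJECTION_TARGETS:
            hits.append(("remote_thread_into_system_process",
                         f"{event['SourceImage']} -> {event['TargetImage']}"))
    elif eid == 3:
        # Stage 4: contact with a known C2 host (the HTTP POST exfiltration channel).
        if event.get("DestinationHostname", "").lower() in IOC_DOMAINS:
            hits.append(("ioc_domain_contact", event["DestinationHostname"]))
    return hits


def hunt(events, min_stages=3):
    """Group hits per host; a host with >= min_stages distinct rules is flagged as a full chain."""
    per_host = defaultdict(list)
    for ev in events:
        for hit in evaluate(ev):
            per_host[ev["Host"]].append(hit)
    return {host: {"hits": hits, "chain": len({r for r, _ in hits}) >= min_stages}
            for host, hits in per_host.items()}


if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if verdict["chain"] else "partial", [r for r, _ in verdict["hits"]])
```

Correlating by host rather than alerting on each rule alone keeps the noise down: a lone hidden-window PowerShell launch or a single scheduled-task creation is common in legitimate administration, whereas three or more of these stages on one host within a short window is a strong signal that the ISO-delivered chain ran to completion.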
