Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload – Source: go.theregister.com

Source: go.theregister.com – Author: Jessica Lyons

A new variant of Snake Keylogger is making the rounds, primarily hitting Windows users across Asia and Europe. This strain also uses the BASIC-like scripting language AutoIt to deploy itself, adding an extra layer of obfuscation to help it slip past detection.

Snake Keylogger is a Microsoft .NET-based data stealer. As with earlier versions of the malware, once this software nasty gets onto a victim’s PC, typically as an attachment to a spam email, it logs keystrokes, captures screenshots of the desktop, and collects clipboard data to steal credentials, credit card details, and other sensitive data. The captured keystrokes can include usernames and passwords typed into the Chrome, Edge, and Firefox browsers.

After slurping up this info, Snake Keylogger funnels the loot to its command-and-control server using SMTP email, Telegram bots, and HTTP POST requests.

According to Fortinet’s malware hunters, the new variant’s executable file is an AutoIt-compiled binary, designed to unpack and run the keylogger when opened. To us, it appears someone’s taken the core malware as a payload and wrapped it in a self-contained AutoIt binary.

AutoIt is a freeware scripting language used to automate tasks on Windows systems. It is popular among cybercriminals because it can generate standalone executables, some of which evade traditional antivirus solutions.

“The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools,” FortiGuard Labs malware analyst Kevin Su said in a Tuesday alert.

Once executed, the keylogging malware copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden.

It also drops another file, ageless[.]vbs, into the Startup folder, and this one contains a command to run Snake Keylogger automatically when the system reboots, which means the malware — and the attacker — can maintain persistence on the infected computer.

“This method is commonly used because the Windows Startup folder allows scripts, executables, or shortcuts to run without required administrative privileges,” Su noted. “By leveraging this technique, Snake Keylogger can maintain access to the compromised system and re-establish a foothold even if the malicious process is terminated.”
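As an added defender-side illustration (this is not code from the article or from Fortinet), the following Python scans a host file listing for the persistence pattern just described: a script dropped in the user's Startup folder that launches an executable under %LocalAppData%, with extra weight when that executable carries the hidden attribute. The user name, paths and the VBS body in the sample listing are constructed, and the `entries_from_disk` helper shows how the same records would be gathered on a live Windows host.

```python
import os
import re
import stat
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Extensions that Windows will execute straight from the Startup folder.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")
# Absolute Windows path ending in .exe, as it would appear inside a launcher script.
EXE_REF = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.exe', re.IGNORECASE)


@dataclass
class FileEntry:
    """One file from a host listing (constructed below; see entries_from_disk)."""
    path: str          # absolute Windows path
    hidden: bool       # FILE_ATTRIBUTE_HIDDEN is set
    content: str = ""  # text of script files; empty for binaries


def _under(path: str, root: str) -> bool:
    """True if path lies anywhere below root (case-insensitive, Windows semantics)."""
    return PureWindowsPath(root.lower()) in PureWindowsPath(path.lower()).parents


def find_startup_persistence(entries, startup_dir, local_appdata):
    """Flag scripts in the Startup folder and what they launch.

    Severity is 'medium' for any script in Startup and 'high' when the script
    starts an executable under %LocalAppData% (the pattern described above);
    a hidden attribute on that executable is recorded as an extra note.
    """
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not _under(e.path, startup_dir) or not e.path.lower().endswith(SCRIPT_EXTS):
            continue
        launches = EXE_REF.findall(e.content)
        severity, notes = "medium", []
        for exe in launches:
            if _under(exe, local_appdata):
                severity = "high"
                notes.append(f"launches {exe} from %LocalAppData%")
                target = by_path.get(exe.lower())
                if target is not None and target.hidden:
                    notes.append("target executable has the hidden attribute set")
        findings.append({"script": e.path, "severity": severity,
                         "launches": launches, "notes": notes})
    return findings


def entries_from_disk(directories):
    """Build FileEntry records from real directories (Windows only: st_file_attributes)."""
    found = []
    for root in directories:
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue
                attrs = getattr(st, "st_file_attributes", 0)
                hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
                content = ""
                if name.lower().endswith(SCRIPT_EXTS):
                    try:
                        with open(full, encoding="utf-8", errors="ignore") as fh:
                            content = fh.read()
                    except OSError:
                        pass
                found.append(FileEntry(full, hidden, content))
    return found


# --- Constructed sample host (user name, paths and VBS body are made up) ---
LOCAL_APPDATA = r"C:\Users\alice\AppData\Local"
STARTUP_DIR = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
SAMPLE_HOST = [
    FileEntry(LOCAL_APPDATA + r"\supergroup\ageless.exe", hidden=True),
    FileEntry(STARTUP_DIR + r"\ageless.vbs", hidden=False,
              content='Set sh = CreateObject("WScript.Shell")\n'
                      'sh.Run """' + LOCAL_APPDATA + r'\supergroup\ageless.exe"""'),
    FileEntry(STARTUP_DIR + r"\backup.bat", hidden=False,
              content=r'"C:\Program Files\Backup\backup.exe" /quiet'),
    FileEntry(STARTUP_DIR + r"\OneDrive.lnk", hidden=False),
]

if __name__ == "__main__":
    for f in find_startup_persistence(SAMPLE_HOST, STARTUP_DIR, LOCAL_APPDATA):
        print(f["severity"].upper(), f["script"], "->", f["launches"], f["notes"])
```

On the constructed listing the VBS launcher is reported as high severity with a note about the hidden target, while the batch file that starts something under Program Files is only a medium-severity "script in Startup" item for an analyst to review. Scoring is deliberately on the pair (launcher location plus launched-from location) rather than on the names ageless.exe or supergroup, so the check survives a renamed sample.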

After executing ageless[.]exe, the keylogger injects its payload into a legitimate .NET process. 

In the malware sample analyzed by FortiGuard Labs, it targets RegSvcs.exe using process hollowing – a technique in which the malware spawns the process in a suspended state, prevents it from running its legitimate code, and replaces it with malicious instructions to evade detection.

Then it gets to work logging keystrokes and performing other nefarious activities. 

It uses the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL, a low-level keyboard hook, to monitor and capture keystrokes, which also allows it to collect banking credentials and other sensitive information.

Snake Keylogger has multiple ways to exfiltrate stolen credentials and spy on its victims. One method involves pinging hxxp://checkip[.]dyndns[.]org to fetch the victim’s public IP address, which can be used for rough geolocation. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/02/18/new_snake_keylogger_infects_windows/
