A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.
According to Fortinet FortiGuard Labs, the new version of the trojan has been behind over 280 million blocked infection attempts worldwide since the start of the year.
"Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard," security researcher Kevin Su said.
Its other features allow it to exfiltrate the stolen data to an attacker-controlled server over the Simple Mail Transfer Protocol (SMTP) and via Telegram bots, giving the threat actors access to the stolen credentials and other sensitive information.
What makes the latest set of attacks notable is its use of AutoIt scripting to deliver and execute the main payload. In other words, the executable containing the malware is an AutoIt-compiled binary, which allows it to bypass traditional detection mechanisms.
Embedding the payload within the compiled script also gives the malware dynamic behavior that mimics benign automation tools, Su said.
Once launched, Snake Keylogger drops a copy of itself to a file named "ageless.exe" in the folder "%Local_AppData%\supergroup". It also drops another file called "ageless." in the Windows Startup folder, so that the Visual Basic Script (VBS) automatically launches the malware every time the system reboots.
Through this persistence mechanism, Snake Keylogger is able to maintain access to the compromised system and resume its malicious activities even if the associated process is terminated.
The attack chain culminates with the injection of the main payload into a legitimate .NET process such as "regsvcs.exe" using a technique known as process hollowing, allowing the malware to hide within a trusted process and avoid detection.
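The persistence chain and the process-hollowing step described above map onto a small set of endpoint-telemetry checks. The following is an added example, not code from Fortinet or from this article: it triages constructed Sysmon-style events (field names follow Sysmon's FileCreate and ProcessCreate schema; the user name, the VBS file name and the benign entries are made up here, only "ageless.exe" and "supergroup" come from the report) and flags a script written into the Startup folder, a .NET host such as regsvcs.exe spawned by a binary under %LocalAppData%, and a script host launching a binary from that location after a reboot.

```python
"""Triage of constructed Sysmon-style events for the persistence and
process-hollowing behaviour described in the article (added example).
EventID 11 = FileCreate, EventID 1 = ProcessCreate, as in Sysmon's schema."""
import re

# Windows Startup folder and %LocalAppData% as they appear in Sysmon paths
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# .NET utilities commonly abused as hollowing hosts; regsvcs.exe is the one named in the report
DOTNET_HOSTS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return (rule, subject, related) tuples for one event; an empty list means nothing notable."""
    alerts = []
    if ev["EventID"] == 11:
        target = ev["TargetFilename"]
        # A script written into the Startup folder is the persistence drop itself
        if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
            alerts.append(("startup-script-drop", target, ev["Image"]))
    elif ev["EventID"] == 1:
        image, parent = ev["Image"], ev["ParentImage"]
        # A .NET host started by a binary living in the user profile is the hollowing pattern
        if _basename(image) in DOTNET_HOSTS and LOCAL_APPDATA_RE.search(parent):
            alerts.append(("dotnet-host-from-user-profile", image, parent))
        # A script host launching a profile binary is the Startup VBS firing after a reboot
        if LOCAL_APPDATA_RE.search(image) and _basename(parent) in SCRIPT_HOSTS:
            alerts.append(("script-host-launches-profile-binary", image, parent))
    return alerts


def triage_events(events):
    """Run triage_event over a sequence of events and concatenate the alerts."""
    return [alert for ev in events for alert in triage_event(ev)]


# Constructed events: user name, VBS name and benign entries are made up for this example
DROPPER = r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs"},
    {"EventID": 1, "Image": REGSVCS, "ParentImage": DROPPER},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": REGSVCS, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for rule, subject, related in triage_events(SAMPLE_EVENTS):
        print(f"{rule}: {subject} <- {related}")
```

The two ProcessCreate rules are deliberately narrow: regsvcs.exe started by an installer under C:\Windows is left alone, and only a parent living under the user's profile triggers the hollowing alert, which keeps the rule quiet on hosts where .NET tooling is used legitimately.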
Snake Keylogger has also been found to log keystrokes and to use sites like checkip.dyndns[.]org to retrieve the victim's IP address and geolocation.
"To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes," Su said. "This method enables the malware to log sensitive data, such as banking credentials."
The development comes as CloudSEK revealed a campaign that is using compromised infrastructure belonging to educational institutions to distribute malicious LNK files disguised as PDF documents and ultimately deploy Lumma Stealer.
The activity, which targets industries like finance, healthcare, technology, and media, is a multi-stage attack chain that results in the theft of passwords, browser data, and cryptocurrency wallets.
The campaign's primary infection vector is malicious LNK (shortcut) files crafted to appear as legitimate PDF documents, security researcher Mayank Sahariya said. The files are hosted on a WebDAV server to which unsuspecting visitors are redirected after visiting websites.
The LNK file, for its part, runs a PowerShell command to connect to a remote server and retrieve the next-stage malware, obfuscated JavaScript code that contains another PowerShell script which downloads Lumma Stealer from the same server and executes it.
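A shortcut that poses as a PDF but launches PowerShell has a recognisable shape on disk, and the Shell Link format is simple enough to inspect without Windows. The block below is an added example, not CloudSEK's code: a minimal .lnk parser that follows the MS-SHLLINK header and StringData layout, plus a triage rule that reports the traits the campaign description above relies on (command-host target, hidden-window switches, a WebDAV or UNC path, a borrowed icon, a minimised window and a double extension). The two sample shortcuts are constructed by the block's own builder; the reader path and the stage-2 command are placeholders, not values from the campaign.

```python
"""Minimal Shell Link (.lnk) parser with a triage rule for shortcuts that pose as
PDF documents but launch a command interpreter (added example, not CloudSEK's code).
Layout follows the MS-SHLLINK specification; the sample shortcuts are constructed."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the target minimised, common in lure shortcuts
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
COMMAND_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and whichever StringData fields the shortcut carries."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList: 2-byte size plus items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: its size is the first DWORD
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:               # StringData sections appear in this fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info


def triage_lnk(data, filename=""):
    """Return the reasons a shortcut looks like a document-themed lure; an empty list means clean."""
    info = parse_lnk(data)
    relative_path = info.get("relative_path", "").lower()
    target = relative_path + " " + info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    reasons = []
    if any(host in target for host in COMMAND_HOSTS):
        reasons.append("target is a command or script host")
        # A command host wearing another program's icon is the classic document disguise
        if icon and icon.rsplit("\\", 1)[-1] != relative_path.rsplit("\\", 1)[-1]:
            reasons.append("icon borrowed from a different program")
    if any(s in target for s in ("-w hidden", "-windowstyle hidden", "-enc")):
        reasons.append("hidden-window or encoded PowerShell switches")
    if "\\\\" in target or "davwwwroot" in target or "@ssl" in target:
        reasons.append("target refers to a UNC or WebDAV path")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimised")
    if filename.lower().endswith((".pdf.lnk", ".doc.lnk", ".docx.lnk", ".xlsx.lnk")):
        reasons.append("double extension hides the .lnk")
    return reasons


def build_lnk(relative_path, arguments, icon_location, show_command):
    """Construct a minimal Unicode shortcut carrying only StringData (used for the samples below)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


# Constructed lure: PowerShell target, hidden window, decoy icon; stage-2 command is a placeholder
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-WindowStyle Hidden -NoProfile -Command "<stage-2 download placeholder>"',
    r"C:\Program Files\Example PDF Reader\reader.exe",
    SW_SHOWMINNOACTIVE)
# Constructed benign shortcut to an ordinary application
APP_LNK = build_lnk(r"..\..\..\Program Files\Example App\app.exe", "", "", 1)

if __name__ == "__main__":
    print("Invoice.pdf.lnk:", triage_lnk(LURE_LNK, "Invoice.pdf.lnk"))
    print("App.lnk:", triage_lnk(APP_LNK, "App.lnk"))
```

Real shortcuts usually also carry a LinkTargetIDList and a LinkInfo block; the parser skips both by their declared sizes, so the same code works on files pulled from a mail gateway or a WebDAV share, and the triage only needs the StringData that follows them.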
In recent weeks, stealer malware has also been found harvesting a variety of sensitive data from compromised Windows systems and sending it to a Telegram bot run by the attacker.
The attack begins with an obfuscated JavaScript file that retrieves encoded strings from an open-source service in order to execute a PowerShell script, according to Cyfirma.
The script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy stealer malware.
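Two of the artefacts described on this page, the AutoIt-compiled dropper used by Snake Keylogger and the MZ executables hidden inside the images in the Cyfirma chain, can both be spotted with byte-level checks on the file itself. The following block is an added example, not code from Fortinet, Cyfirma or this article: it searches a blob for the "AU3!EA06" marker that AutoIt v3 embeds in compiled scripts, and it walks every "MZ" occurrence in an image to see whether the e_lfanew field points at a valid "PE\0\0" signature, reporting whether the executable sits after the JPEG end-of-image marker. The sample blobs are constructed here and are not real samples.

```python
"""Byte-level triage for an AutoIt-compiled binary and for a PE file hidden inside
an image (added example). The sample blobs below are constructed for illustration."""
import struct

AUTOIT_MARKER = b"AU3!EA06"  # signature AutoIt v3 places in compiled scripts
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker; anything after it is trailing data


def is_autoit_compiled(data):
    """True when the AutoIt v3 compiled-script marker is present anywhere in the blob."""
    return AUTOIT_MARKER in data


def find_embedded_pe(data):
    """Return offsets of every 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    start = 0
    while (i := data.find(b"MZ", start)) != -1:
        if i + 0x40 <= len(data):                       # need the full 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            # e_lfanew is at least 0x40 (the DOS header itself) and small in real files
            if 0x40 <= e_lfanew < 0x1000 and data[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(i)
        start = i + 1
    return hits


def triage_image(data):
    """List (offset, location) for each PE found in an image blob."""
    findings = []
    eoi = data.rfind(JPEG_EOI)
    for off in find_embedded_pe(data):
        where = "after JPEG EOI (appended)" if eoi != -1 and off > eoi else "inside image data"
        findings.append((off, where))
    return findings


def _fake_pe():
    """Constructed minimal DOS/PE stub: 'MZ', e_lfanew = 0x80, and a PE signature at 0x80."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub += b"\0" * (0x80 - len(stub)) + b"PE\0\0" + b"\0" * 20
    return bytes(stub)


# Constructed samples: a JPEG-shaped blob (SOI ... EOI), the same blob with a PE appended,
# and a fake executable carrying the AutoIt marker
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 32 + JPEG_EOI
SAMPLE_STEGO = SAMPLE_JPEG + _fake_pe()
SAMPLE_AUTOIT = b"MZ" + b"\0" * 100 + AUTOIT_MARKER + b"\0" * 16

if __name__ == "__main__":
    print("AutoIt marker in SAMPLE_AUTOIT:", is_autoit_compiled(SAMPLE_AUTOIT))
    print("PE inside SAMPLE_STEGO:", triage_image(SAMPLE_STEGO))
```

The appended-after-EOI case is the cheap one to catch; a payload spread across image data by a real steganographic encoder will not show an intact MZ/PE header, so this check complements rather than replaces detonating the downloaded script and watching what it writes.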