Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots

A new Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it steals credentials and evades detection.

Cybersecurity researchers at FortiGuard Labs have discovered a new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. As per their research, shared with Hackread.com, this malware is designated AutoIt/Injector.GTY!tr and has been linked to over 280 million blocked infection attempts globally, primarily concentrated in China, Turkey, Indonesia, Taiwan, and Spain.

Researchers note that this Snake Keylogger variant typically spreads through phishing emails containing malicious attachments or links. It targets popular web browsers like Chrome, Edge, and Firefox, stealing credentials and other sensitive data by logging keystrokes, harvesting saved credentials, and monitoring the clipboard. The stolen data is then exfiltrated to its command-and-control (C2) server via email (SMTP) and Telegram bots.

According to FortiGuard Labs’ technical report, the malware employs AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. AutoIt can produce standalone executables that bypass standard antivirus solutions, and the AutoIt-compiled binary adds a layer of obfuscation, making detection and analysis more challenging.

Malware Activity – Source Fortinet

The graph shows the fluctuating activity levels of AutoIt/Injector.GTY detections, suggesting potential campaigns between 1 Jan and 12 Feb 2025. It is important to note that this graph represents detected instances, and the actual number of infections could be higher.

During the attack, the malware drops a copy of itself as “ageless.exe” in the %Local_AppData%\supergroup folder with hidden attributes and places “ageless.vbs” in the %Startup% folder. This script uses WScript.Shell() to run “ageless.exe” upon system startup, ensuring persistence. This method is commonly used because the Windows Startup folder allows scripts to run without administrative privileges.

After executing “ageless.exe,” the malware injects its malicious payload into a legitimate .NET process, “RegSvcs.exe,” using process hollowing, which involves suspending “RegSvcs.exe,” deallocating its original code, allocating new memory, and injecting the malicious payload. Upon resuming, the process executes the injected code, allowing the malware to hide within a trusted process, evading detection.  

Snake Keylogger retrieves the victim’s geolocation using websites like checkip.dyndns.org and exfiltrates stolen credentials via SMTP and Telegram bots using HTTP POST requests. Moreover, the malware can detect access to folders containing browser login credentials and other sensitive data. It uses modules to steal data from browser autofill systems, including credit card details, and captures keystrokes using the SetWindowsHookEx API with the WH_KEYBOARD_LL hook type, allowing it to log sensitive input.
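As an added example (not code from the Fortinet report or from Hackread), the defender-side checks a triage script can apply to the three behaviours described above: a Startup-folder script that uses WScript.Shell to launch a binary from a user-writable path, RegSvcs.exe spawned by a parent in such a path (the process-hollowing target), and RegSvcs.exe talking to the Telegram API or the IP-lookup site. All file paths, host names and telemetry events below are constructed sample data, and the Sysmon-like event shape is an assumption.

```python
import re

# Constructed sample telemetry: a Startup-folder listing (path -> file contents)
# and simplified process-creation / network events. Not real captures.
STARTUP_DIR = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_FILES = {
    STARTUP_DIR + r"\ageless.vbs":
        'Set o = CreateObject("WScript.Shell")\n'
        'o.Run "C:\\Users\\u\\AppData\\Local\\supergroup\\ageless.exe"',
    STARTUP_DIR + r"\OneDrive.lnk": "",          # benign, ignored by the script check
}
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    {"type": "process", "image": REGSVCS,
     "parent": r"C:\Users\u\AppData\Local\supergroup\ageless.exe"},   # suspicious parent
    {"type": "process", "image": REGSVCS,
     "parent": r"C:\Program Files (x86)\Microsoft Visual Studio\devenv.exe"},  # plausible
    {"type": "network", "image": REGSVCS, "dest": "api.telegram.org"},
    {"type": "network", "image": REGSVCS, "dest": "checkip.dyndns.org"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "api.telegram.org"},                                     # browser, not flagged
]

# Directories an unprivileged user can write to; a launcher or parent living
# there is the weak signal the article's persistence and injection steps share.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)
SUSPECT_DESTS = {"api.telegram.org", "checkip.dyndns.org"}

def startup_script_findings(files):
    """Startup-folder scripts that use WScript.Shell to run an .exe from a user-writable path."""
    hits = []
    for path, body in files.items():
        if not path.lower().endswith((".vbs", ".js", ".wsf")):
            continue
        if "wscript.shell" not in body.lower():
            continue
        targets = re.findall(r'"([^"]+\.exe)"', body, re.I)   # quoted .exe arguments
        if any(USER_WRITABLE.search(t) for t in targets):
            hits.append(path)
    return hits

def is_regsvcs(ev):
    return ev["image"].lower().endswith("\\regsvcs.exe")

def hollowing_candidate(ev):
    """RegSvcs.exe whose parent runs from a user-writable directory."""
    return ev["type"] == "process" and is_regsvcs(ev) and bool(USER_WRITABLE.search(ev["parent"]))

def exfil_candidate(ev):
    """RegSvcs.exe (no reason to talk to these hosts) connecting to a suspect destination."""
    return ev["type"] == "network" and is_regsvcs(ev) and ev["dest"].lower() in SUSPECT_DESTS

def triage(files, events):
    return {"startup": startup_script_findings(files),
            "hollowing": [e["parent"] for e in events if hollowing_candidate(e)],
            "exfil": sorted({e["dest"] for e in events if exfil_candidate(e)})}
```

Each check alone is a weak signal; the point of `triage` is that the three together reproduce the chain the report describes, which is what an alert should be built on.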

The image shows the various techniques Snake Keylogger employs during the attack, including Collection, Credential Access, Defense Evasion, Exfiltration, Lateral Movement, Privilege Escalation, Reconnaissance, and Resource Development, providing a concise overview of the diverse malicious capabilities of the Snake Keylogger.

Snake Keylogger MITRE ATT&CK Matrix – Source Fortinet

This is a sophisticated, feature-rich variant, and a threat to Windows users worldwide. Organizations and individuals should use a combination of advanced threat protection and proactive security measures to defend against this and other emerging keylogger threats.
