National Cyber Warfare Foundation (NCWF) Forums


.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents


0 user ratings
2024-08-30 09:38:08
milo
Red Team (CNA)

Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant. This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security. This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations. Understanding Snake Keylogger […]


The post .NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.





This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.





This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.





Understanding Snake Keylogger





Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is a notorious malware initially distributed on hacker forums as a subscription-based service.





This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.





It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.





The Phishing Email





Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”





The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.





FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.





The phishing email attempts to deceive the recipient into opening the attached Excel file
The phishing email attempts to deceive the recipient into opening the attached Excel file




The Malicious Excel Document





Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.





This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.





Malicious Excel Document
Malicious Excel Document




The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).





This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.





These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.





The Loader Module





The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.





It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.





The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.





Loader Module Analysis
Loader Module Analysis




Deploy Module and Persistence





The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.





It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.





This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.





Scheduled Task for Snake Keylogger
Scheduled Task for Snake Keylogger




The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.





Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.





Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.





Snake Keylogger Summary
Snake Keylogger Summary




The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.





By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.





IOCs





URLs





hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe





Relevant Sample SHA-256





[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7





[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9





[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723





[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714





Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial


The post .NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/net-based-snake-keylogger-attack/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.