Fortinet Inc.

11/03/2021 | Press release | Distributed by Public on 11/04/2021 09:02

Deep Dive into a Fresh Variant of Snake Keylogger Malware

FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from victims' devices
Severity level: Critical

Fortinet's FortiGuard Labs recently captured a Microsoft Excel sample from the wild that was used to spread malware. After researching its behaviors, I recognized it as a fresh variant of the Snake Keylogger malware.

Snake Keylogger is malware developed in .NET. It first appeared in late 2020 and focuses on stealing sensitive information from a victim's device, including saved credentials, the victim's keystrokes, screenshots of the victim's screen, and clipboard data.

In July 2021, Snake Keylogger entered a top-10 list of the most prevalent malware families for the first time, meaning that the family is increasing its influence and impacting more people's devices and sensitive data.

In this threat research blog you will learn how the Snake Keylogger variant is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect itself from analysis, what sensitive information it steals from a victim's machine, and how it submits the collected data to the attacker.

Here we go.

What the Captured Microsoft Excel Sample Looks Like

This Excel sample, delivered as an attachment in a phishing email, contains malicious VBA macro code. Figure 1.1 shows a screenshot of what the victim sees when the file is opened: a blurred picture of a document and a prompt asking the victim to click the yellow button to get a clearer image.
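The lure described above depends on an Excel attachment that carries a VBA project, so a mail-gateway triage check for exactly that property is a useful first line of defence. The following is an added example written for this article, not FortiGuard Labs code and not tied to the captured sample: it assumes attachments arrive as (filename, bytes) pairs and checks both container formats, since the report does not state whether the sample is a legacy .xls or an OOXML .xlsm (the OOXML case looks for a vbaProject.bin part; the OLE2 case searches for the UTF-16LE "_VBA_PROJECT" stream name that a VBA project always creates). The sample workbooks are constructed in memory and contain no real macro code.

```python
"""Mail-gateway triage: flag Excel attachments that carry a VBA project.

Added example, not FortiGuard Labs code. Presence of a VBA project is a
risk indicator for sandboxing or quarantine, not proof of malice.
"""
import io
import zipfile

# Magic bytes for the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .xlsx/.xlsm/.docm (zip archive)

# Extensions the triage rule treats as Excel attachments (assumed policy).
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb", ".xlam")


def has_vba_macros(data: bytes) -> bool:
    """Return True when an Office document embeds a VBA project."""
    if data.startswith(ZIP_MAGIC):
        # OOXML: a macro-enabled workbook stores its VBA project as
        # xl/vbaProject.bin (Word uses word/vbaProject.bin); match the
        # part name regardless of folder.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        # Legacy OLE2: directory entry names are stored UTF-16LE. A VBA
        # project always creates a "_VBA_PROJECT" stream (MS-OVBA), and
        # Excel's storage "_VBA_PROJECT_CUR" matches the same substring.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def flag_macro_attachments(attachments):
    """Given (filename, bytes) pairs, return names of Excel attachments with VBA."""
    flagged = []
    for filename, data in attachments:
        if filename.lower().endswith(EXCEL_EXTENSIONS) and has_vba_macros(data):
            flagged.append(filename)
    return flagged


# ---- constructed sample inputs (not real malware) ------------------------

def build_workbook(with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped zip; with_vba adds a placeholder vbaProject part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


# Synthetic legacy .xls-shaped blobs: OLE magic, filler, then the UTF-16LE
# storage name a VBA-bearing workbook would (or would not) contain.
SYNTHETIC_XLS_WITH_VBA = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT_CUR".encode("utf-16-le")
SYNTHETIC_XLS_CLEAN = OLE_MAGIC + b"\x00" * 64 + "Workbook".encode("utf-16-le")


if __name__ == "__main__":
    inbox = [
        ("invoice.xlsm", build_workbook(with_vba=True)),
        ("report.xlsx", build_workbook(with_vba=False)),
        ("old_budget.xls", SYNTHETIC_XLS_WITH_VBA),
        ("notes.xls", SYNTHETIC_XLS_CLEAN),
    ]
    print("quarantine candidates:", flag_macro_attachments(inbox))
```

The OLE2 branch is a deliberate substring heuristic so the check runs with the standard library alone; a production gateway would parse the compound-file directory properly (for example with oletools) and also catch macros in non-Excel extensions, since the attacker controls the filename.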