FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant

Summary

FMI Intelligence Teams came across a blog published by Fortinet describing a new variant of the Snake Keylogger (also known as 404 Keylogger) detected with FortiSandbox v5.0 (FSAv5). The sample, detected as AutoIt/Injector.GTY!tr, accounts for over 280 million blocked infection attempts, most of them concentrated in China, Turkey, Indonesia, Taiwan, and Spain. That volume shows the malware remains a global threat to organizations and users, and the recent surge in activity illustrates how keylogger malware keeps evolving and why detection mechanisms that go beyond static signatures are needed.

Typically delivered through phishing emails carrying malicious attachments or links, Snake Keylogger steals sensitive information from popular web browsers such as Chrome, Edge, and Firefox by logging keystrokes, capturing saved credentials, and monitoring the clipboard. It exfiltrates the stolen data to its command-and-control (C2) infrastructure over SMTP (email) and Telegram bots, giving the attackers access to harvested credentials and other sensitive data.

Analysis in FSAv5 Overview

The AI engine in FSAv5 provides detailed static analysis, uncovering obfuscated strings and embedded APIs responsible for keylogging and credential harvesting. Additionally, FSAv5’s dynamic analysis capabilities captured the keylogger’s runtime behavior, including processes launched by the malware and the establishment of network connections to its command-and-control (C2) server. These insights revealed Snake Keylogger’s ability to exfiltrate stolen data while avoiding traditional detection mechanisms.

This variant of Snake Keylogger uses AutoIt, a scripting language commonly used to automate tasks on Windows, to deliver and execute its payload. Threat actors favour AutoIt because it is versatile and compiles scripts into standalone executables that many traditional antivirus products do not flag. Here the dropper is an AutoIt-compiled binary, which adds a layer of obfuscation that hinders detection and analysis: the payload is embedded inside the compiled script, complicating static analysis, while the binary's runtime behaviour resembles that of benign automation tools. The embedded script is not native code, however, and can usually be recovered with an AutoIt decompiler, which is a practical first step when triaging such samples. Figure 5 shows the AutoIt encrypted script used to compile the binary; the AI engine in FSAv5 identified the malicious strings and API calls embedded in it.

Upon execution, Snake Keylogger drops a copy of itself as ageless.exe in the %Local_AppData%\supergroup folder and sets the file's hidden attribute. It then drops a second file, ageless.vbs, into the %Startup% folder. This script creates a WScript.Shell object and calls its Run() method to execute ageless.exe, so the malware starts automatically whenever the user logs on. The ageless.vbs script, as captured and preserved by FSAv5 for analysis, is shown in Figure 4.

Copying ageless.vbs into the Startup folder is the persistence mechanism: the script runs each time the infected user logs on after a reboot. The technique is popular because the per-user Startup folder runs scripts, executables, and shortcuts without requiring administrative privileges. It lets Snake Keylogger keep access to the compromised system and re-establish its foothold even if the running process is terminated. Figure 5 illustrates an indicator of Snake Keylogger employing this persistence method, and Figure 6 shows a screenshot of ageless.vbs in the Startup folder.
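The persistence chain above is easy to hunt for on a host because the launcher is plain text: a .vbs in the Startup folder whose WScript.Shell.Run target lives under the user's Local AppData. The script below is an added example written for this page, not code from the original post or from Fortinet. It extracts every Run target from the VBScript files in a folder and flags those that resolve below Local AppData; the folder, the script contents, the user name and the %LOCALAPPDATA% value are all constructed for the demo.

```python
# Added example (not from the original page or from Fortinet): scan a Startup
# folder for VBScript launchers of the ageless.vbs kind, i.e. scripts that call
# WScript.Shell.Run on an executable living under the user's Local AppData.
# Paths, file names and script text below are constructed for the demo.
import re
import tempfile
from pathlib import Path

# Matches the first (quoted) argument of a .Run call, e.g.
#   objShell.Run """C:\x\y.exe""", 0     or     sh.Run("C:\x\y.exe")
# VBScript escapes a quote inside a string by doubling it, hence the "" branch.
RUN_RE = re.compile(r'\.Run\s*\(?\s*"((?:[^"]|"")+)"', re.IGNORECASE)


def extract_run_targets(vbs_text):
    """Return every program path passed to WScript.Shell.Run in a script."""
    targets = []
    for m in RUN_RE.finditer(vbs_text):
        arg = m.group(1).replace('""', '"')      # undo VBScript quote doubling
        targets.append(arg.strip().strip('"'))   # drop quotes wrapping the path
    return targets


def points_into_local_appdata(target, local_appdata):
    """True when the run target resolves below the Local AppData folder."""
    # Expand a literal %LOCALAPPDATA% token if the script left one in place.
    expanded = re.sub(r'%LOCALAPPDATA%', lambda _m: local_appdata, target,
                      flags=re.IGNORECASE)
    norm = expanded.replace('/', '\\').lower()
    root = local_appdata.replace('/', '\\').lower().rstrip('\\') + '\\'
    return norm.startswith(root)


def scan_startup_folder(startup_dir, local_appdata):
    """Return (script name, run target) for each suspicious launcher found."""
    findings = []
    for script in sorted(Path(startup_dir).glob('*.vbs')):
        text = script.read_text(encoding='utf-8', errors='replace')
        for target in extract_run_targets(text):
            if points_into_local_appdata(target, local_appdata):
                findings.append((script.name, target))
    return findings


# --- constructed demo data ---------------------------------------------------
DEMO_LOCAL_APPDATA = r'C:\Users\victim\AppData\Local'

DEMO_SCRIPTS = {
    # Modelled on the launcher described in the text: hidden copy under
    # %LocalAppData%\supergroup, started with window style 0 (hidden).
    'ageless.vbs': (
        'Set objShell = CreateObject("WScript.Shell")\n'
        'objShell.Run """C:\\Users\\victim\\AppData\\Local\\supergroup\\ageless.exe""", 0, False\n'
    ),
    # Benign launcher for comparison: the program lives under Program Files.
    'vendor-sync.vbs': (
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "C:\\Program Files\\Vendor\\sync.exe"\n'
    ),
}


def demo():
    """Write the constructed scripts to a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in DEMO_SCRIPTS.items():
            Path(tmp, name).write_text(body, encoding='utf-8')
        return scan_startup_folder(tmp, DEMO_LOCAL_APPDATA)


if __name__ == '__main__':
    # On a live Windows host, point scan_startup_folder at the real Startup
    # folder and pass os.environ['LOCALAPPDATA'] instead of the demo value.
    for script_name, target in demo():
        print(f'{script_name}: WScript.Shell.Run -> {target}')
```

On a real host, pair the hit with a check of the target's file attributes (the sample sets the hidden bit) and with the machine-wide Startup folder under ProgramData, which this demo does not cover.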

After ageless.exe runs, the malware injects its payload into a legitimate .NET process. The observed sample targets RegSvcs.exe, the .NET Services Installation Tool, using process hollowing, which lets the malware execute inside a trusted, signed process to evade detection. Process hollowing starts RegSvcs.exe in a suspended state so that its legitimate code never runs. The malware then unmaps the original image from the suspended process, allocates new memory in its address space, writes the malicious payload there, and points the main thread's entry point at the payload. When the thread is resumed, the process that the operating system and most security tools still identify as RegSvcs.exe executes the injected code. By hiding inside a trusted process, Snake Keylogger can operate undetected and continue its activity. Figure 5 shows the corresponding indicator with its risk score, reflecting the severity of the threat.
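Outside a sandbox, the hollowing described above leaves a recognisable shape in process-creation telemetry: a signed .NET utility started by a binary in a user-writable folder, with none of the arguments it would normally be given. The triage pass below is an added example written for this page, not code from the original post, from Fortinet, or an FSAv5 indicator. It uses Sysmon Event ID 1 field names, but the events and the heuristics are constructed for the demo.

```python
# Added example (not from the original page or from Fortinet): a triage pass
# over process-creation events with Sysmon Event ID 1 style field names that
# flags .NET utilities such as RegSvcs.exe when they are started the way a
# process-hollowing parent starts them. The events below are constructed and
# the heuristics are this example's own, not FSAv5 indicators.
import re

# Signed .NET Framework tools commonly used as hollowing hosts.
HOLLOW_HOSTS = {'regsvcs.exe', 'regasm.exe', 'installutil.exe',
                'msbuild.exe', 'aspnet_compiler.exe'}

# A parent running from a user-writable location is the usual dropper case.
USER_WRITABLE = re.compile(r'\\(appdata|temp|tmp|downloads|public)\\', re.IGNORECASE)


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def command_tokens(cmd):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def score_process_event(ev):
    """Return the reasons an event looks like hollowing (empty list if none)."""
    if basename(ev.get('Image', '')) not in HOLLOW_HOSTS:
        return []
    reasons = []
    parent = ev.get('ParentImage', '')
    if USER_WRITABLE.search(parent):
        reasons.append(f'parent started from user-writable path: {parent}')
    # RegSvcs/RegAsm/InstallUtil legitimately take an assembly path as an
    # argument; a bare command line means the host was started only to be
    # hollowed out.
    if len(command_tokens(ev.get('CommandLine', ''))) <= 1:
        reasons.append('host process started with no assembly argument')
    return reasons


def hunt(events):
    """Return [(ProcessId, reasons)] for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_process_event(ev)
        if reasons:
            hits.append((ev['ProcessId'], reasons))
    return hits


# --- constructed demo events -------------------------------------------------
DEMO_EVENTS = [
    {   # legitimate use: Visual Studio registering a COM+ assembly
        'ProcessId': 4120,
        'Image': r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe',
        'CommandLine': r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" C:\Projects\Svc\bin\Svc.dll',
        'ParentImage': r'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe',
    },
    {   # modelled on the chain in the text: hidden dropper spawns a bare RegSvcs.exe
        'ProcessId': 5308,
        'Image': r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
        'CommandLine': r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
        'ParentImage': r'C:\Users\victim\AppData\Local\supergroup\ageless.exe',
    },
    {   # unrelated process, ignored by the host filter
        'ProcessId': 6012,
        'Image': r'C:\Windows\System32\notepad.exe',
        'CommandLine': r'"C:\Windows\System32\notepad.exe" notes.txt',
        'ParentImage': r'C:\Windows\explorer.exe',
    },
]

if __name__ == '__main__':
    for pid, reasons in hunt(DEMO_EVENTS):
        print(f'PID {pid}:')
        for r in reasons:
            print(f'  - {r}')
```

These two signals are cheap but circumstantial: a dropper placed under Program Files, or one that passes a decoy argument, would slip past them. Confirming hollowing needs memory evidence, such as an EDR recording the suspended creation and the subsequent writes into the child, or a scan that finds the in-memory image of RegSvcs.exe no longer matches the file on disk.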

Another FSAv5 indicator that gives insight into the malware's capabilities fires when the folder holding browser login credentials and other sensitive data is accessed, as shown in Figure 8. Access to that location is a strong clue to the malware's intent, since it is where browsers keep the saved logins a stealer is after.

Snake Keylogger uses several techniques to exfiltrate stolen credentials and to profile the victim. One is a request to hxxp://checkip[.]dyndns[.]org, which returns the victim's public IP address and gives the attacker a starting point for geolocating the victim; the request is a useful network indicator, because the infected host has no business looking up its own external address at that moment. The stolen credentials are then uploaded through several channels, including SMTP and Telegram bots, with the Telegram channel using HTTP POST requests to hand the data to the attacker-controlled endpoint, as shown in Figure 9.
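The recon-then-exfiltrate sequence above can be pulled out of proxy or egress logs without any knowledge of the sample itself. The script below is an added example written for this page, not code from the original post or from Fortinet. It classifies each log line as an external-IP lookup, a Telegram Bot API upload, or outbound SMTP to a relay that is not on an allowlist, then reports only the sources that did a lookup and used at least one exfiltration channel. The log format (timestamp, source IP, destination host, port, method, URL path), the log lines, the bot token and the allowlisted relay are all constructed for the demo.

```python
# Added example (not from the original page or from Fortinet): extract the
# reconnaissance and exfiltration indicators described above from proxy-style
# log lines and group them per source host. The line format (timestamp, source
# IP, destination host, port, method, URL path), the log lines, the bot token
# and the allowlisted mail relay are all constructed for the demo.
import re
from collections import defaultdict

IP_CHECK_HOSTS = {'checkip.dyndns.org'}      # "what is my IP" lookup used by the sample
# Telegram Bot API path: /bot<numeric id>:<secret>/<method>
TELEGRAM_RE = re.compile(r'^/bot(\d+:[A-Za-z0-9_-]{30,})/(sendDocument|sendMessage)\b')
SMTP_PORTS = {25, 465, 587}
ALLOWED_MAIL_RELAYS = {'smtp.corp.example'}  # constructed corporate relay


def parse_line(line):
    ts, src, host, port, method, path = line.split(maxsplit=5)
    return {'ts': ts, 'src': src, 'host': host.lower(), 'port': int(port),
            'method': method, 'path': path}


def classify(rec):
    """Map one record to an indicator (kind, detail), or None."""
    if rec['host'] in IP_CHECK_HOSTS:
        return ('ip_lookup', rec['host'])
    if rec['host'] == 'api.telegram.org':
        m = TELEGRAM_RE.match(rec['path'])
        if m:
            return ('telegram_bot_exfil', f'token={m.group(1)} method={m.group(2)}')
    if rec['port'] in SMTP_PORTS and rec['host'] not in ALLOWED_MAIL_RELAYS:
        return ('smtp_exfil', f"{rec['host']}:{rec['port']}")
    return None


def hunt(lines):
    """Return {src_ip: [indicators]} for sources that did an IP lookup and
    then used at least one exfiltration channel."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = classify(rec)
        if hit:
            by_src[rec['src']].append(hit)
    chains = {}
    for src, hits in by_src.items():
        kinds = {kind for kind, _ in hits}
        if 'ip_lookup' in kinds and kinds & {'telegram_bot_exfil', 'smtp_exfil'}:
            chains[src] = hits
    return chains


def telegram_tokens(lines):
    """Bot tokens seen in exfil requests; useful for blocking and for abuse reports."""
    tokens = set()
    for hits in hunt(lines).values():
        for kind, detail in hits:
            if kind == 'telegram_bot_exfil':
                tokens.add(detail.split()[0][len('token='):])
    return tokens


# --- constructed demo log --------------------------------------------------
DEMO_LOG = """
2025-02-20T09:14:02Z 10.0.5.23 checkip.dyndns.org 80 GET /
2025-02-20T09:14:03Z 10.0.5.23 api.telegram.org 443 POST /bot7123456789:AAHxx-constructed-token-for-demo-0123/sendDocument
2025-02-20T09:14:05Z 10.0.5.23 mail.example-host.net 587 SMTP -
2025-02-20T09:16:10Z 10.0.5.41 www.microsoft.com 443 GET /en-us/
2025-02-20T09:17:31Z 10.0.5.41 smtp.corp.example 587 SMTP -
""".strip().splitlines()

if __name__ == '__main__':
    for src, hits in hunt(DEMO_LOG).items():
        print(src)
        for kind, detail in hits:
            print(f'  {kind}: {detail}')
    print('tokens to block:', telegram_tokens(DEMO_LOG))
```

The Telegram path, and with it the bot token, is only visible where a proxy terminates TLS; without inspection the match has to rest on the destination host api.telegram.org alone, which will also catch legitimate Telegram clients and therefore needs the surrounding IP-lookup and SMTP context to be meaningful.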

The FortiSandbox research team analyzed the malware through reverse engineering and dynamic sandbox analysis, revealing the full scope of its capabilities. Figures 10 and 11 show the modules that steal data from browser autofill stores, including credit card details. To capture keystrokes, it calls the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (the constant 13), installing a low-level keyboard hook that receives every keystroke before it reaches the foreground application (see Figure 14). This lets the malware log sensitive input such as banking credentials.

Threat Hunting Rules


Written by

FPT Metrodata Indonesia