Phishing Emails Deliver Data-Stealing Snake Keylogger: Stay Vigilant
Recently, FortiGuard Labs, the research division of Fortinet, detected a new phishing campaign distributing malware via an attached Excel document. An in-depth analysis revealed that this document delivers a new version of Snake Keylogger, a piece of data-stealing malware.
Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is a tool sold on hacker forums through a subscription model. Written in .NET, it can harvest a wide range of sensitive information, including credentials from web browsers and other popular applications, clipboard contents, and basic system information. Snake Keylogger can also log keystrokes and capture screenshots.
The phishing attack begins with an email designed to deceive the recipient into opening the attached Excel file, titled “swift copy.xls”. The email falsely claims that funds have been credited to the user’s account, prompting them to open the file to verify the details. FortiGuard already identifies this email as a threat, marking it with the label “[virus detected]”.
When the Excel file is opened, the malicious code is activated and downloads and executes the new version of Snake Keylogger. The attackers exploit CVE-2017-0199 to download the malicious file through a concealed link within the document.
Once successfully deployed on the victim’s computer, Snake Keylogger ensures its stealth and persistence through the use of sophisticated encryption and obfuscation techniques. The software integrates itself into system processes, remaining undetected by antivirus solutions. The core functions of Snake Keylogger include gathering system information, stealing credentials from various applications, and transmitting this data to the attacker via email.
To safeguard devices and networks from such attacks, Fortinet advises regularly updating security software and undergoing cybersecurity training.