Being cautious is the biggest protection against keyloggers. Despite the fact that it's hard to spot keyloggers, there are ways to mitigate them before they get installed on your device. However, there are five helpful ways that can keep you safe against these malicious keyloggers.

Implementing two-factor authentication (2FA) is one decent way to add an extra layer of security before granting device access. With two-factor authentication in place, access to the device, system, or resources is only given once two or more authentication mechanisms are passed.

Cybercriminals would need access to numerous devices if you activate 2FA, so opt for an authentication method that goes through a different smartphone or tablet from the one you usually use to get into important accounts.

2FA supplies one-time passwords, whereas keyloggers depend on the same passwords being used every time. Therefore, implementing 2FA significantly reduces the chances of a keylogger getting installed in your system.

Most keyloggers rely on traditional QWERTY-based keyboard layouts for tracking purposes. If you switch to a keyboard that does not use the traditional layout, you can minimize the risk of potential keyloggers finding out anything useful.

Impact: Collects sensitive information from victims’ device

Fortinet’s FortiGuard Labs recently captured a Microsoft Excel sample from the wild that was used to spread malware. After researching its behaviors, I recognized it as a fresh variant of the Snake Keylogger malware. Snake Keylogger is a malware developed using .Net. It first appeared in late 2020 and focused on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data. In July 2021, Snake Keylogger first entered a TOP 10 popular malware families report, meaning that the Snake Keylogger family is increasing its influence and impacting more people’s devices and sensitive data.

In this threat research blog you will learn how the Snake Keylogger variant is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect itself from being analyzed, what sensitive information it steals from a victim’s machine, and how it submits that collected data to the attacker.

What the Captured Microsoft Excel Sample Looks Like

This Excel sample, delivered as an attachment in a phishing email, contains malicious Macro VBA code. Figure 1.1 shows a screenshot of when it is opened. It displays a vague picture of a document and asks the victim to click the yellow button to get a clearer image.

Twenty-one seconds later, the downloader invokes a function called “Consturctor()”, as you can see in Figure 2.1. It then invokes another function, “Program.List_Types()”, where it downloads the Snake Keylogger module from the link “hxxps//store2gofileio/download/0283e6ba-afc6-4dcb-b2f4-3173d666e2c4/Huzeigtmvaplpinhoo.dll”, which is an RC4-encrypted DLL file. Next, it calls the “ToRc()” function to RC4-decrypt it using the decryption key "Dllzjn". It then proceeds to load the decrypted Dll module (a .Net Dll file called “Huzeigtmvaplpinhoo.dll”) and enumerates its export functions to find "G6doICqoMU()", which is invoked by executing “type.InvokeMember(\"G6doICqoMU\", BindingFlags.InvokeMethod, null, null, null)” in function Consturctor(), as shown in Figure 2.1. This .Net Dll is a dropper and installer of Snake Keylogger. Let’s dive into this module to see how it performs its tasks.

Snake Keylogger Installer

According to my analysis, the decrypted Dll module (“Huzeigtmvaplpinhoo.dll”) deploys Snake Keylogger onto a victim’s device and sets it as an auto-run program. It extracts an executable PE file into memory from the Resource directory and then performs process hollowing, injecting the executable PE file into a newly created child process and executing it. Figure 3.1 shows an outline of the decrypted Dll module (“Huzeigtmvaplpinhoo.dll”). I will explain in detail how it performs these functions in this section.

As you can see, to prevent its code from being analyzed, the file is obfuscated so that the class names, function names, and variable names are all randomly generated, meaningless strings. This creates trouble for analysts when analyzing it. The full name of the export function “G6doICqoMU()” is “Huzeigtmvaplpinhoo!6doICqoMU()”. Again, for the same reason as before, it sleeps 35 seconds at the beginning of this function to bypass some malware analysis systems.

Next, it works to make this Snake Keylogger persistent on the infected Windows. As we all know, a Windows system has a “Startup” folder inside the “Start Menu”. The programs inside this folder are started when Windows starts.
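As an added, analyst-side example (not code from the Fortinet write-up or from the malware itself): a Python helper that applies the same RC4 step the dropper's “ToRc()” performs, with the key "Dllzjn" quoted in the analysis above, and checks whether the output is a PE image, which is how a responder can confirm that a captured download is the encrypted Huzeigtmvaplpinhoo.dll rather than an unrelated blob. The function names and the ciphertext are constructed here; no real sample is embedded.

```python
import struct

# Key reported in the analysis for the downloaded Huzeigtmvaplpinhoo.dll.
SNAKE_RC4_KEY = b"Dllzjn"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr += b"\x00" * (0x80 - len(hdr))
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def triage_download(blob: bytes, key: bytes = SNAKE_RC4_KEY) -> dict:
    """Report whether the blob is a PE in the clear, or only after RC4 with the given key."""
    plain = rc4(key, blob)
    return {"pe_in_clear": looks_like_pe(blob),
            "pe_after_rc4": looks_like_pe(plain),
            "decrypted": plain}


if __name__ == "__main__":
    # Simulate the RC4-encrypted download the dropper fetches, then triage it.
    encrypted = rc4(SNAKE_RC4_KEY, build_fake_pe())
    print(triage_download(encrypted)["pe_after_rc4"])  # True: decrypts to a PE image
```

On a real capture, read the downloaded file into `blob`; a `pe_after_rc4` of True with this key ties the file to the variant described here, and `decrypted` can be written out for static analysis of the .Net module.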