Snake creeps to you: disassembling a new keylogger

At the end of last year, CERT-GIB analysts obtained a curious malware sample, Snake Keylogger. In fairness, the object under study is closer to a stealer, since the keylogger, the component that logs keystrokes, is only one part of its functionality. This instance was not caught in its pure form but already packed by the Cassandra cryptor, which we wrote about recently. At first glance, Snake Keylogger looked like it was still in beta testing: many functions were inactive, and entries in the configuration file were not used anywhere. What is actually going on, how this malware works, how it gets onto the victim's device and what protection mechanisms it uses is explained by Alexey Chekhov, analyst at CERT-GIB.
Spread
Snake Keylogger is distributed through its official website, Telegram and Discord. At the moment none of these channels is available, but that does not stop cybercriminals from using the malware in their attacks.
Persistence in the system (inactive in the sample under study)
Implemented trivially: Snake adds itself to autorun by writing to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Config file
| Setting | Value |
|---|---|
| Extension for log files | .txt |
| Keylogger log send interval (seconds) | 100 |
| Screenlogger log send interval (seconds) | 100 |
| Clipboard log send interval (seconds) | 100 |
| clprEPs | Not used |
| kLLTIm | Not used |
| TPSSends | Not used |
| ProHfutimer | Not used |
| CnC type | $% SMTPDV $ |
| HSHChecker | Not used |
| Bot ID | ZyiAEnXWZP |
CnC
Depending on the option selected in the configuration file, there are three ways of interacting with the CnC:
FTP
When transferring via FTP, a file with the following name is uploaded:
{Computer name}{Data type}{Victim ID}{File extension}
The data is not encrypted.
The victim ID is formed as follows: the first part is specified in the configuration file (the Bot ID), and the second part is a randomly generated 4-byte number.
SMTP
When sending via SMTP, a message of the following format is generated:
Subject: Pc Name: {Username} | Snake Keylogger
Body: {Data type} | {Username} | Snake\r\n{System information}"\r\n\r\n"
Attachment: {Data type}.{Extension}
All data is sent as an attachment. There is no encryption.
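Because neither the FTP nor the SMTP channel encrypts anything, the formats above are usable as detection logic on a mail gateway or FTP proxy. The following is an added example written for this article, not code from the original post or from the malware: it matches a raw message against the subject and body layout described above and checks an FTP upload name for the Bot ID from the config (ZyiAEnXWZP in this sample). The data type label "Passwords" in the constructed sample and the assumption that the random part of the victim ID is written as decimal digits are mine, not from the article.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from typing import Optional

# Layout of the exfiltration e-mail as described above. The body is
# "{Data type} | {Username} | Snake\r\n{System information}"; the line break is
# matched loosely because mail transports normalise it.
SUBJECT_RE = re.compile(r"^Pc Name: (?P<user>.+?) \| Snake Keylogger$")
BODY_RE = re.compile(r"^(?P<kind>[^|\r\n]+) \| (?P<user>[^|\r\n]+) \| Snake\r?\n")


def check_smtp_message(raw: str) -> Optional[dict]:
    """Return the indicators found in a raw RFC 822 message, or None if it does
    not use the Snake Keylogger layout."""
    msg = message_from_string(raw)
    subj = SUBJECT_RE.match(msg.get("Subject", ""))
    if subj is None:
        return None
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():                      # log attachment
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":  # message body
            body = part.get_payload(decode=True).decode("utf-8", "replace")
    kind = BODY_RE.match(body)
    return {"user": subj["user"], "kind": kind["kind"] if kind else None,
            "attachments": attachments}


def is_snake_ftp_name(filename: str, bot_id: str, ext: str = ".txt") -> bool:
    """FTP uploads are named {Computer name}{Data type}{Victim ID}{Extension};
    the victim ID is the Bot ID followed by a random number. Assumption: the
    random part is written as decimal digits."""
    pattern = re.compile(r".+" + re.escape(bot_id) + r"\d+" + re.escape(ext) + r"$")
    return pattern.match(filename) is not None


def build_sample_message() -> str:
    """Constructed message in the malware's layout; not a real capture."""
    m = EmailMessage()
    m["From"] = "bot@example.invalid"
    m["To"] = "drop@example.invalid"
    m["Subject"] = "Pc Name: alice | Snake Keylogger"
    m.set_content("Passwords | alice | Snake\nOS: Windows 10 (constructed)\n\n")
    m.add_attachment(b"site\tlogin\tpassword\n", maintype="text",
                     subtype="plain", filename="Passwords.txt")
    return m.as_string()


if __name__ == "__main__":
    print(check_smtp_message(build_sample_message()))
    print(is_snake_ftp_name("DESKTOP-01PasswordsZyiAEnXWZP48213.txt", "ZyiAEnXWZP"))
```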
Telegram
The data is transferred as an attached file.
Malicious functionality
Log file attachments have the following format:
The very frequent mention of the malware's own name in the logs looks rather strange.
Keylogger
The malware installs its own handler for keyboard keypress events. Keys are logged as follows:
| Key | Logged as |
|---|---|
| Backspace, Delete, End, F1-F11 | Not recorded |
| F12 | [F12] |
| Tab | [TAP] |
| Enter | [Entr] |
| Space | a space character |
| Any other key | Upper- or lowercase character, depending on the state of the Shift and Caps Lock keys |
After a set interval, the collected data is sent to the CnC. If sending fails, the log buffer is not cleared. An interesting feature is that the malware deletes the cookies of the Chrome and Firefox browsers, as well as data from the system's shared cookie store. Presumably this is done so that the user has to log in to various services again, at which point the credentials are captured by the keylogger.
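When a keylogger log is recovered during incident response, the first question is which accounts were exposed. The decoder below is an added example written for this article, not code from the original post or the malware: it reverses the key mapping in the table above (Enter, Tab and F12 tokens; Backspace and Delete leave no trace) and flags entries that look like a login form being filled in. The sample log is constructed.

```python
import re
from typing import List

# Tokens the keylogger writes for special keys (per the table above). Backspace,
# Delete, End and F1-F11 are not recorded, so characters the user later deleted
# still appear in the decoded text and a recovered password may contain typos.
TOKEN_RE = re.compile(r"\[(Entr|TAP|F12)\]")
TOKEN_TEXT = {"Entr": "\n", "TAP": "\t", "F12": ""}


def decode_snake_log(log: str) -> List[List[str]]:
    """Split a raw Snake keystroke log into entries (one per Enter), each a list
    of the fields typed between Tab presses."""
    text = TOKEN_RE.sub(lambda m: TOKEN_TEXT[m.group(1)], log)
    return [line.split("\t") for line in text.split("\n") if line.strip()]


def credential_like(entries: List[List[str]]) -> List[List[str]]:
    """Entries with at least two non-empty Tab-separated fields match the usual
    form-fill sequence (login, Tab, password, Enter) and are the first thing to
    review when scoping what was exposed."""
    return [e for e in entries if len(e) >= 2 and all(f.strip() for f in e)]


# Constructed log fragment in the format above; not taken from a real sample.
SAMPLE_LOG = ("alice@example.invalid[TAP]Hunter2![Entr]"
              "hello world[Entr][F12]quarterly report[Entr]")

if __name__ == "__main__":
    for entry in credential_like(decode_snake_log(SAMPLE_LOG)):
        # Print only the login field; the secret itself does not belong in a report.
        print("credential-like entry for login:", entry[0])
```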
ScreenLogger
The configuration file sets the interval after which a screenshot is taken; by default this is 100 seconds. The screenshot is saved to the {My Documents}\SnakeKeylogger folder under the name Screenshot.png, and an attempt is then made to send the file. The file is deleted regardless of whether sending succeeds.
Stealer
The malware can extract passwords from the following applications:
Browsers: 7Star, Amigo, Avast, BlackHawk, Blisk, Brave, Cent, Chedot, Chrome, Chrome_Canary, Chromium, Citrio, CocCoc, Comodo, CoolNovo, Coowon, Elements, Epic, Falkon, Ghost, Iridium, Iron, Kinzaa, Kometa, Liebao, Microsoft, Nichrome, Opera, Torbitum, QIPSurf, SalamWeb, Sleipnir, Slimjet, Sputnik, Superbird, Torch, UC, Uran, Vivaldi, Xpom, xVast, Yandex, CyberFox, Firefox, IceCat, IceDragon, Palemoon, Slim, WaterFox
Mail clients: Thunderbird, PostBox, Foxmail, Outlook
Messengers: Discord, Pidgin
FTP clients: FileZilla
Counteraction to Analysis
Anti-VM
The anti-virtualization mechanism is implemented trivially:
Search for processes specific to virtual machines.
Check for the presence of files specific to virtual machines.
Checking running processes for special software, including analysis tools.

Anti-Sandbox (inactive)
The method that implements the Anti-Sandbox functionality determines the victim's IP address and compares it against a hardcoded list of IP addresses, some of which belong to free VPN services. It also compares the hostname against names typical of honeypots. If there is a match, the process exits.

Other
To encrypt strings, the attackers use the open-source obfuscator Obfuscar. BedsProtector is also used to protect against static and dynamic analysis. Two of its protection functions were applied in the sample under study:
The first is the so-called AntiTamper. It decrypts the program code only after launch, which makes static analysis of the main part of the program impossible.
The second checks whether the environment variable COR_ENABLE_PROFILING is set, which reveals whether a profiler is attached to the CLR.
In this article we have analyzed a new and rather controversial piece of malware. On the one hand, there is nothing outstanding about this keylogger: it resembles other .NET keyloggers, for example 404Keylogger, which we wrote about earlier. On the other hand, the use of various cryptors, protectors and obfuscators, even open-source ones, makes such software usable in attacks and somewhat complicates its analysis.