Snake creeps to you: disassembling a new keylogger

At the end of last year, CERT-GIB analysts received a curious malware sample: Snake Keylogger. In fairness, the object under study is closer to a stealer, since the keylogger is only the part of its functionality that records keystrokes. The sample was caught not in its pure form but already packed with the Cassandra cryptor, which we wrote about recently. At first glance, Snake Keylogger appeared to be in beta testing, since many functions were inactive and entries from the configuration file were not used anywhere. Alexey Chekhov, an analyst at CERT-GIB, explains what is really going on, how this malicious program works, how it gets onto the victim's device and what protection mechanisms it uses.

Distribution

Snake Keylogger is distributed through an official website, Telegram and Discord. At the moment, none of these channels are available, but this does not prevent cybercriminals from using the malware in their attacks.

Persistence (inactive in the sample under study)

Implemented trivially: Snake adds itself to autorun by writing to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Config file

Parameter                                       Value
Extension for files with logs                   .txt
Keylogger log sending interval in seconds       100
Screenlogger log sending interval in seconds    100
Clipboard log sending interval in seconds       100
clprEPs                                         Not used
kLLTIm                                          Not used
TPSSends                                        Not used
ProHfutimer                                     Not used
CnC type                                        $% SMTPDV $
HSHChecker                                      Not used
Bot ID                                          ZyiAEnXWZP

CnC

Depending on the option selected in the configuration file, there are three ways of interacting with the CnC:

  1. FTP

    When transferring via FTP, a file with the following name is uploaded: {Computer name}{Data type}{Victim ID}{File extension}

    The data is not encrypted.

    The victim ID is formed as follows: the first part is specified in the configuration file, and the second part is a randomly generated 4-byte number.

  2. SMTP

    When sending via SMTP, a message of the following format is generated:

    Subject: Pc Name: {User name} | Snake Keylogger

    Body: {Data type} | {User name} | Snake\r\n{System information}"\r\n\r\n"

    Attachment: {Data type}.{Extension}

    All data is sent as an attachment. There is no encryption.

  3. Telegram

    The data is transferred as an attached file.

Malicious functionality

Log file attachments have the following format:

The very frequent mention of the malware's own name in the logs looks rather strange.
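As an added example (not code from the original article or from the malware), the following detector parses an SMTP message against the exfiltration format described above: the subject pattern, the `{Data type} | {User name} | Snake` body line and the attachment. The sample message, addresses and system-information line are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Patterns derived from the SMTP format described in the article.
SUBJECT_RE = re.compile(r"^Pc Name: (?P<user>.+?) \| Snake Keylogger$")
BODY_RE = re.compile(
    r"^(?P<dtype>[^|\r\n]+?) \| (?P<user>[^|\r\n]+?) \| Snake\r?\n(?P<sysinfo>.*)",
    re.S,
)

def inspect_message(raw: bytes) -> Optional[dict]:
    """Return the extracted fields if the message matches the Snake Keylogger
    SMTP format, otherwise None. Matching on the subject alone is enough to
    flag; the body and attachment names are returned for the analyst."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if not m:
        return None
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
    b = BODY_RE.match(body)
    return {
        "user": m.group("user"),
        "data_type": b.group("dtype") if b else None,
        "body_matches": b is not None,
        "attachments": attachments,
    }

def build_sample() -> bytes:
    """Constructed message mimicking the exfiltration format (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Pc Name: victim-user | Snake Keylogger"
    msg["From"] = "bot@example.invalid"      # constructed address
    msg["To"] = "drop@example.invalid"       # constructed address
    msg.set_content("Keylogger | victim-user | Snake\r\nOS: Windows 10 (constructed)\r\n\r\n")
    msg.add_attachment(b"[Entr]typed text[TAP]", maintype="application",
                       subtype="octet-stream", filename="Keylogger.txt")
    return msg.as_bytes()
```

The same check can be run over messages pulled from a mail gateway quarantine; only the subject line needs to survive intact for a hit.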

Keylogger

The malware installs its own handler for keypress events on the keyboard. Keys are logged as follows:

Key                               Logged as
Backspace, Delete, End, F1-F11    Not recorded
F12                               [F12]
TAB                               [TAP]
ENTER                             [Entr]
SPACE
Any other key                     Uppercase or lowercase character depending on the state of the Shift and Caps Lock keys

After a certain period of time, the collected data is sent to the CnC. If sending fails, the buffer holding the log is not cleared. An interesting feature is that the malware deletes the cookies of the Chrome and Firefox browsers, as well as data from the system's shared cookie store. This is presumably done so that the user has to log in to various services again; the re-entered credentials are then captured by the keylogger.
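As an added example (not code from the article or the malware), a small forensic helper for a captured Snake keystroke log: it expands the token spellings from the table above back into newlines and tabs so an analyst can see what the victim typed, and flags text that uses Snake's unusual `[TAP]`/`[Entr]` markers. The sample log is constructed; the representation of SPACE is not shown on the page and is not mapped.

```python
import re

# Token spellings taken from the keylogger table ([TAP] and [Entr] are Snake's own).
# Any other key is logged as the literal character, so no mapping is needed for it.
TOKEN_MAP = {"[Entr]": "\n", "[TAP]": "\t", "[F12]": "<F12>"}
TOKEN_RE = re.compile(r"\[(?:Entr|TAP|F12)\]")

# Constructed sample of a captured log (not a real capture).
SAMPLE_LOG = "https://mail.example.invalid[Entr]alice[TAP]Hunter2![Entr][F12]notes[Entr]"

def is_snake_keylog(text: str) -> bool:
    """Heuristic: the misspelled markers rarely occur in benign text; require both."""
    return "[Entr]" in text and "[TAP]" in text

def reconstruct_lines(log: str) -> list[str]:
    """Expand Snake's tokens and return the typed input line by line."""
    text = TOKEN_RE.sub(lambda m: TOKEN_MAP[m.group(0)], log)
    return [line for line in text.split("\n") if line]

def tab_separated_fields(log: str) -> list[list[str]]:
    """Lines containing a Tab are usually form fields entered in sequence
    (e.g. login then password); split them out for triage of what was exposed."""
    return [line.split("\t") for line in reconstruct_lines(log) if "\t" in line]
```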

ScreenLogger

The configuration file sets the time interval after which a screenshot is taken. By default, this is 100 seconds. The screenshot is saved to the {My Documents}\SnakeKeylogger folder under the name Screenshot.png, and an attempt is then made to send the file. The file is deleted regardless of the result of sending.

Stealer

The malware can extract passwords from the following applications:

Browsers: 7Star, Amigo, Avast, BlackHawk, Blisk, Brave, Cent, Chedot, Chrome, Chrome_Canary, Chromium, Citrio, CocCoc, Comodo, CoolNovo, Coowon, Elements, Epic, Falkon, Ghost, Iridium, Iron, Kinzaa, Kometa, Liebao, Microsoft, Nichrome, Opera, Torbitum, QIPSurf, QQ, SalamWeb, Sleipnir, Slimjet, Sputnik, Superbird, Torch, UC, Uran, Vivaldi, Xpom, xVast, Yandex, CyberFox, Firefox, IceCat, IceDragon, Palemoon, Slim, WaterFox

Mail clients: Thunderbird, PostBox, Foxmail, Outlook

Messengers: Discord, Pidgin

FTP clients: FileZilla

Counteraction to Analysis

Anti-VM

The anti-virtualization mechanism is implemented trivially:

  • Search for processes specific to virtual machines.

  • Check for the presence of files specific to virtual machines.

  • Checking running processes for specialized software, including analysis tools.

Anti-Sandbox (inactive)

The method that implements the Anti-Sandbox functionality determines the victim's IP address and checks it against a hardcoded list, some entries of which are addresses of free VPN services. It also checks the hostname against names typical of honeypots. If there is a match, the process terminates.

Other

To encrypt strings, the attackers use the open-source obfuscator Obfuscar. BedsProtector is also used to hinder static and dynamic analysis. In the sample under study, two of its protection functions were applied:

  1. The first is the so-called AntiTamper. It decrypts the program code only after launch, which makes static analysis of the main part of the program impossible.

  2. The second checks whether the COR_ENABLE_PROFILING environment variable is set, which reveals whether a profiler is attached to the CLR.

In this article, we have analyzed a new and rather ambiguous piece of malware. On the one hand, there is nothing outstanding in this keylogger: it is similar to other .NET keyloggers, for example 404Keylogger, which we wrote about earlier. On the other hand, the use of various cryptors, protectors and obfuscators, even open-source ones, makes such software usable in attacks and complicates its analysis somewhat.
