FortiGuard Labs, the research unit of Fortinet, recently uncovered a phishing campaign that spreads malware through an Excel attachment. FortiGuard's analysis found that the document delivers a new variant of Snake Keylogger, an information stealer.
Snake Keylogger, also known as "404 Keylogger" or "Krakenkeylogger", is sold on hacker forums on a subscription basis. Written in .NET, it collects sensitive information such as financial data from web browsers and other popular programs, clipboard contents, system information, keystrokes, and screenshots.
The attack begins with an email that urges the recipient to open an attached Excel file named Swift Copy.xls. The message falsely claims that funds have been received in the recipient's account and that the details can be reviewed in the attachment. FortiGuard identified the email as malicious and tagged it with a virus-detected warning.
Opening the Excel file triggers malicious code that downloads and executes the new Snake Keylogger variant. The attackers exploit CVE-2017-0199, a remote code execution flaw in Microsoft Office's handling of OLE objects: an embedded object points to a remote resource through a concealed link, and Office fetches and executes it without the user's knowledge. Microsoft patched this flaw in April 2017, so the attack only succeeds on installations that have not applied that update; the campaign relies on victims running outdated Office software.
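The following Python triage script is an added example, not Fortinet's code or anything from the FortiGuard analysis. It shows the static check an analyst can run on an attachment like Swift Copy.xls before detonating it: confirm the file is a legacy OLE compound document and search its raw bytes for an http(s) URL, since a CVE-2017-0199 document carries the remote link target inside the file (typically as a UTF-16LE string). The sample blob, the URL in it, and the function names are all constructed for the demonstration; it is a heuristic, not a signature, and the usage note explains its limits.

```python
"""Static triage of an Office attachment for an embedded external link.

Added example, not Fortinet's code. A CVE-2017-0199 document embeds an OLE
object whose link target is a remote URL, and that URL is stored in the file,
usually as a UTF-16LE string. This heuristic flags a legacy OLE compound file
(.xls/.doc) that contains any http(s) URL so it can be quarantined for deeper
analysis. Function and sample names are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# First 8 bytes of every OLE compound file (legacy .xls, .doc, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Match http(s):// URLs stored as plain ASCII and as UTF-16LE (each ASCII
# byte followed by a NUL byte), which is how Office stores link monikers.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


@dataclass
class TriageResult:
    is_ole: bool
    urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An OLE document carrying an external URL is worth quarantining
        # for deeper analysis; either signal alone is not enough.
        return self.is_ole and bool(self.urls)


def triage_attachment(data: bytes) -> TriageResult:
    """Return whether the blob is an OLE file and every URL found in it."""
    is_ole = data.startswith(OLE_MAGIC)
    urls = [m.group(0).decode("ascii", "replace") for m in ASCII_URL.finditer(data)]
    for m in UTF16_URL.finditer(data):
        urls.append(m.group(0).decode("utf-16-le", "replace"))
    return TriageResult(is_ole=is_ole, urls=sorted(set(urls)))


def constructed_sample(url: str) -> bytes:
    """Build a stand-in blob for testing: OLE header, padding, UTF-16LE URL.

    This is a constructed test fixture, not a real or weaponised document.
    """
    return OLE_MAGIC + b"\x00" * 64 + url.encode("utf-16-le") + b"\x00" * 32


if __name__ == "__main__":
    # Hypothetical URL; .invalid is a reserved TLD that never resolves.
    result = triage_attachment(constructed_sample("http://example.invalid/stage2"))
    print("OLE file:", result.is_ole)
    print("URLs found:", result.urls)
    print("Quarantine:", result.suspicious)
```

Run it against a saved attachment with `triage_attachment(open(path, "rb").read())`. The check is deliberately coarse: ordinary documents with hyperlinks will also trigger it, a URL split across OLE sectors or encoded by the attacker will evade it, and a match only means the file deserves sandbox detonation or a proper OLE parser pass, not that it is confirmed malicious.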
Once running on the victim's system, Snake Keylogger uses encryption and obfuscation to evade detection and survive on the host, and hides its activity inside legitimate system processes to slip past antivirus solutions. Its core functions are collecting system data, stealing financial information from a range of applications, and sending the harvested data to the attacker by email.
To protect devices and networks against attacks like this, Fortinet recommends keeping protective software up to date and providing security awareness training so that users recognize and resist evolving phishing lures.