Recently, there has been a sharp increase in the distribution of Snake Keylogger via spam e-mails. Snake Keylogger is an info-stealing malware developed in .NET, and as the weekly statistics below show, it has recently held a place in the Top 5 malware for several consecutive weeks.

Given that it is an info-stealing malware distributed mostly via spam e-mails, it resembles the AgentTesla malware. Like AgentTesla, Snake Keylogger also supports exfiltration of stolen information over the SMTP (e-mail) protocol.
AgentTesla is not the only malware attached to and distributed via spam e-mails. Infostealer and RAT strains such as Lokibot, Formbook, AveMaria, and Remcos are also distributed by the same method. The figure below shows spam e-mails that were actually distributed. As the figure shows, most of them take the form of typical estimate sheets and purchase e-mails.



Like other .NET malware created with a builder, it evades file-based detection and is obfuscated to disrupt analysis. The figure below shows the obfuscated functions, from which readers will be able to understand why the malware was named Snake Keylogger.

Distribution of Snake Keylogger has been confirmed since the end of last year, and it is almost identical to Matiex Keylogger, which has been distributed since mid-2020. Most properties such as features, routines, and function names are the same for the two keyloggers; the only difference is that Matiex Keylogger uses the string ‘Matiex’ where Snake Keylogger uses ‘Snake’. The following shows the obfuscated functions of Matiex Keylogger.

As shown in the figure below, the developer of Matiex Keylogger advertised various features of the malware on a hacking forum website.

Most recently, on February 1st, 2021, the developer posted an auction thread and started a bid to sell the source code of Matiex Keylogger. However, since the malware specifically named ‘Snake Keylogger’ was already discovered at the end of last year, it is unlikely that Snake Keylogger was newly created and distributed by someone who purchased Matiex Keylogger and edited the existing keylogger. Of course, it is also possible that sales of the source code had already begun earlier, or that Snake Keylogger is a new version of Matiex Keylogger.

Snake Keylogger and Matiex Keylogger can steal user account information from dozens of programs such as e-mail clients, FTP clients, and web browsers. These keyloggers can also activate screenshot, clipboard, microphone, and keylogging features to regularly collect a user’s personal information. Note that the function names contain the keyword ‘COVID’, riding on the prevalence of COVID-19.

The exfiltration method is also diverse. The samples currently being distributed mostly use SMTP (e-mail) to send stolen information to the attacker, but three other options are also supported: FTP, Telegram, and Discord.

Since Snake Keylogger is distributed via spam e-mail, users must refrain from opening the attachments of suspicious-looking e-mails in their inbox. V3 should also be kept updated to the latest version so that malware infection can be prevented.
[File Detection]
– Malware/Win32.RL_Generic.C4174185 (2020.08.01.01)
– Trojan/Win.Generic.C4407755 (2021.04.09.01)
[Behavior Detection]
– Malware/MDP.Behavior.M3108
[IOC]
– bbebe99bf36cb3dc4c3c37a9487468ac
ㄴ SMTP Server: mail.minioninvest[.]com
ㄴ User: support@minioninvest[.]com
ㄴ Password: uche***08
ㄴ Receiver: support@minioninvest[.]com
– f3f7d01818ca5056ccc76bdd38dc540f
ㄴ SMTP Server: smtp.synholding.com
ㄴ User: dkasparek@synholding[.]com
ㄴ Password: iLrr*W***6
ㄴ Receiver: dkasparek@synholding[.]com
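As an added defender-side example (not code from the ASEC report), the following Python flags outbound SMTP activity consistent with the exfiltration described above, using the two sample hashes and IOC SMTP servers listed in this post. The key=value event format, the mail-client allowlist, and the sample telemetry are constructed assumptions.

```python
import re
from collections import defaultdict

# IOCs quoted in the report; the report defangs "[.]", so hosts are refanged before matching.
IOC_SMTP_SERVERS = {"mail.minioninvest[.]com", "smtp.synholding.com"}
IOC_MD5 = {"bbebe99bf36cb3dc4c3c37a9487468ac", "f3f7d01818ca5056ccc76bdd38dc540f"}
SMTP_PORTS = {25, 465, 587}
# Assumption: processes that are allowed to speak SMTP in this environment (hypothetical allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed key=value event format (not a real telemetry schema).
EVENT_RE = re.compile(
    r"process=(?P<process>\S+)\s+md5=(?P<md5>[0-9a-fA-F]+)\s+"
    r"dest=(?P<dest>\S+)\s+port=(?P<port>\d+)"
)

def refang(host: str) -> str:
    """Turn a defanged hostname like a.b[.]c into a.b.c, lowercased."""
    return host.replace("[.]", ".").lower()

def parse_events(text: str):
    """Yield (process, md5, dest_host, port) for each line that matches; skip the rest."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m["process"].lower(), m["md5"].lower(), refang(m["dest"]), int(m["port"])

def find_exfil_candidates(text: str) -> dict:
    """Return {process: sorted list of reasons} for events that match the SMTP exfiltration pattern."""
    ioc_hosts = {refang(h) for h in IOC_SMTP_SERVERS}
    hits = defaultdict(set)
    for proc, md5, dest, port in parse_events(text):
        if md5 in IOC_MD5:
            hits[proc].add("known_sample_hash")
        if dest in ioc_hosts:
            hits[proc].add("ioc_smtp_server")
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            hits[proc].add("smtp_from_non_mail_client")
    return {p: sorted(r) for p, r in hits.items()}

# Constructed sample telemetry; the md5 values other than the IOCs are placeholders.
SAMPLE_EVENTS = """\
process=outlook.exe md5=aa01 dest=smtp.office365.com port=587
process=Quotation.exe md5=bbebe99bf36cb3dc4c3c37a9487468ac dest=mail.minioninvest[.]com port=587
process=PO_2021.exe md5=aa02 dest=smtp.gmail.com port=587
process=chrome.exe md5=aa03 dest=www.example.com port=443
"""

if __name__ == "__main__":
    for proc, reasons in find_exfil_candidates(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(reasons)}")
```

The second rule (SMTP from a process that is not a known mail client) is the one that generalises beyond these two samples, since the mail server used changes from campaign to campaign.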