SnakeKeylogger Malware Detected by AhnLab EDR
1. Overview
SnakeKeylogger, an Infostealer written in .NET, can exfiltrate data by email, FTP, SMTP, or Telegram. The malware has been distributed consistently and was covered in a previous ASEC Blog post. [1]
This post traces the malicious behaviors of SnakeKeylogger analyzed in the previous post using AhnLab EDR and explains the detection details.
2. EDR Detection
AhnLab EDR records malware behaviors, allowing users to check the infiltration paths and malicious behaviors easily.
2.1 Injection
“BankTran.exe”, which is distributed as an attachment of the initial email, has SnakeKeylogger encrypted internally. When the exe file is executed, it decrypts the malware for injection.
In essence, “BankTran.exe” only functions as a loader and an injector that loads the malware.
The following diagram shows the process of “BankTran.exe” executing RegSvcs.exe (a normal process) and injecting SnakeKeylogger into that process via a fileless technique.

Figure 1. AhnLab EDR detecting SnakeKeylogger injection into RegSvcs.exe
During the injection process, EDR detected ntdll.dll being mapped manually.
Manually mapping a fresh copy of ntdll.dll is a technique malware uses to bypass security products that hook Native API functions; it is not a normal way to load a DLL.
AhnLab EDR detects DLLs being loaded through such abnormal methods (see Figure 1).
RegSvcs.exe, the process injected with SnakeKeylogger, is a legitimate Microsoft file included in the .NET Framework. The loader injects the malware into this normal process.
To do so, the loader decrypts the malware in memory and injects it directly, so no file is written to disk (a fileless technique).
AhnLab EDR also detects this malicious behavior as a fileless technique.
2.2 Exfiltrating Information
Running under the guise of the normal process RegSvcs.exe, SnakeKeylogger collects information from the user's PC.
The information collected includes data related to email clients and web browsers, among other types.
As shown in the image below, AhnLab EDR detects the attempts to access these types of information.

Figure 2. AhnLab EDR detecting behaviors of attempting to access various personal information types in the user’s PC
2.3 Sending via SMTP
SnakeKeylogger sends the information collected from the user's PC to the threat actor. It supports several transfer methods, including Telegram, FTP, and SMTP.
In this case, the threat actor appears to have chosen to receive the information via SMTP, and this behavior is also detected by AhnLab EDR.

Figure 3. AhnLab EDR detecting the behavior of accessing the network to send exfiltrated information via SMTP
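As an added illustration (not AhnLab's code or the EDR's own rule logic), the following Python correlates constructed EDR-style process and network events to flag the chain described in 2.1 and 2.3: RegSvcs.exe launched by a parent in a user-writable path, and that same RegSvcs.exe then connecting to an SMTP port. The event field names, paths and sample values are assumptions.

```python
import re

# Constructed EDR-style events (field names are assumed, not AhnLab's schema):
# BankTran.exe from a user folder spawns RegSvcs.exe, which then opens an SMTP
# connection; a second RegSvcs.exe with a legitimate parent also talks SMTP.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Users\u\Downloads\BankTran.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4120, "image": REGSVCS,
     "parent": r"C:\Users\u\Downloads\BankTran.exe"},
    {"type": "network", "pid": 4120, "image": REGSVCS, "dst": "203.0.113.5",
     "dst_port": 587},
    {"type": "process", "pid": 5000, "image": REGSVCS,
     "parent": r"C:\Program Files\SomeVendor\Installer.exe"},
    {"type": "network", "pid": 5000, "image": REGSVCS, "dst": "198.51.100.7",
     "dst_port": 25},
]

SMTP_PORTS = {25, 465, 587}
# Paths a standard user can write to; a parent here is unusual for RegSvcs.exe.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return (rule, pid, severity) alerts for the RegSvcs.exe abuse pattern.

    Rule 1: RegSvcs.exe started by a parent living in a user-writable path.
    Rule 2: RegSvcs.exe connecting to an SMTP port; raised to "high" when the
            same pid already tripped rule 1 (loader + exfiltration in one chain).
    """
    flagged = set()
    alerts = []
    for ev in events:
        if basename(ev["image"]) != "regsvcs.exe":
            continue
        if ev["type"] == "process" and USER_WRITABLE.match(ev["parent"]):
            flagged.add(ev["pid"])
            alerts.append(("regsvcs_unusual_parent", ev["pid"], "medium"))
        elif ev["type"] == "network" and ev["dst_port"] in SMTP_PORTS:
            severity = "high" if ev["pid"] in flagged else "medium"
            alerts.append(("regsvcs_smtp_connection", ev["pid"], severity))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Running it prints one medium alert for the unusual parent, a high alert for the chained SMTP connection from pid 4120, and only a medium alert for pid 5000, whose parent was legitimate.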
3. Conclusion
This post shows how AhnLab EDR detects SnakeKeylogger being loaded and injected, as well as its malicious behavior of exfiltrating information. Using these records, administrators can identify how the malware was executed. Even after a system has been compromised, the recorded data can be reviewed as evidence on the threat actor when investigating the intrusion.
Behavior Detection
– Behavior/EDR.Event.M3374
– Suspicious/DETECT.T1561.M2706
– Infostealer/EDR.Event.M2460
– Infostealer/DETECT.T1081.M3351
– Connection/EDR.T1048.003.M11903