dualhoogl.blogg.se

Citrio browser italiano






.NET keylogger and credential stealer first spotted in late November 2020. Since then, we’ve seen campaigns spreading this malware almost daily. Snake’s name was derived from strings found in its log files and string obfuscation code. Using the malware’s builder, a threat actor can select and configure desired features then generate new payloads. For this reason, the capabilities of samples found in the wild can vary.

This article describes Snake’s capabilities, its infection chain and code similarities with four other commodity keyloggers.

Figure 1 – Publicly reported Snake keylogger detections over time.

Infection Chain

Campaigns delivering Snake in 2021 used malicious spam to distribute the malware, either in RTF or archive attachments. The first type of downloader we’ve seen used to deploy Snake are RTF documents containing the well-known Microsoft Office Equation Editor exploit (CVE-2017-11882). .DOC file extensions and attached to emails themed as legitimate business communications. If the recipient runs a vulnerable version of Microsoft Office, the exploit downloads an executable from a remote server and executes it. This file is a packed version of Snake keylogger.

Figure 2 – A malicious RTF email attachment exploiting CVE-2017-11882 isolated by HP Wolf Security.

With the second method, attackers send spam with archive file attachments containing packed Snake executables.







