Snake Keylogger Evades Windows Defender and Exploits Scheduled Tasks to Harvest Credentials

A newly identified phishing campaign is taking aim at Turkish enterprises, with a sharp focus on those in the defense and aerospace industries.

Threat actors have been observed distributing weaponized emails masquerading as official correspondence from Turkish Aerospace Industries (TUSAŞ), a flagship defense contractor.

The emails deliver cleverly disguised malicious executables, most notably in the form of “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe,” directly mimicking contractual file exchanges.

Behind this façade lies a variant of the notorious Snake Keylogger, an information-stealing malware designed to compromise business-critical data while evading traditional security controls.

Deceptive Delivery

Upon execution, the malicious file is revealed to be a PE32 .NET assembly engineered for Windows platforms.

Notably, the implant employs matryoshka-like layered loading, dynamically unpacking and running secondary payloads directly in memory to frustrate static analysis.

The initial artifact presents as a benign temperature conversion utility, but this is simply a cloak for the loader.

[Figure: Detect It Easy result for the Snake Keylogger sample]

Runtime analysis with dnSpy uncovered that the main executable dynamically loads an obfuscated resource using .NET’s Assembly.Load and Activator.CreateInstance mechanisms, with the true malicious code hidden from plain sight.

Leveraging advanced anti-detection mechanisms, the sample attempts to ensure its persistence and stealth.

Analysis reveals it spawns PowerShell commands that explicitly add the malicious executable to Windows Defender’s exclusion list, shielding it from Microsoft’s default endpoint protection.

Furthermore, it creates a scheduled task via schtasks.exe, registering itself for automatic execution at system startup, guaranteeing the attacker’s foothold survives reboots.

Such persistence tactics, combined with attempts to evade detection and analysis tools, underscore the sophistication of the operation.
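The two behaviours just described, a PowerShell Add-MpPreference call that excludes the dropped binary and a schtasks /create that runs it at logon, both leave a process-creation trail. The following detection logic is an added example, not code from the article or from the malware analysis it reports: it walks Sysmon-style process events (field names Image, CommandLine and ParentImage are assumed) and flags exclusions and task registrations that point at, or originate from, user-writable directories. The list of user-writable locations and the sample events are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Locations a loader typically drops into; a legitimate installer rarely excludes or
# schedules binaries from here. Constructed tuning list, not an authoritative one.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp|Downloads)\\", re.IGNORECASE)

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\"[^\"]+\"|'[^']+'|\S+)",
    re.IGNORECASE | re.DOTALL,
)
TASK_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
TASK_RUN_RE = re.compile(r"/tr\s+(\"[^\"]+\"|'[^']+'|\S+)", re.IGNORECASE)
TASK_SCHEDULE_RE = re.compile(r"/sc\s+(\S+)", re.IGNORECASE)


def _unquote(value: str) -> str:
    return value.strip("\"'")


def inspect_event(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return zero or more findings for one process-creation event."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    findings: List[Dict[str, str]] = []

    exclusion = EXCLUSION_RE.search(cmd)
    if exclusion:
        target = _unquote(exclusion.group(2))
        # Every new exclusion deserves review; one that shields an executable, or is
        # requested by a parent living in a user-writable path, matches the pattern above.
        risky = bool(USER_WRITABLE.search(target) or USER_WRITABLE.search(parent)) \
            or target.lower().endswith(".exe")
        findings.append({
            "rule": "defender_exclusion_added",
            "severity": "high" if risky else "medium",
            "target": target,
            "parent": parent,
        })

    if TASK_CREATE_RE.search(cmd):
        run = TASK_RUN_RE.search(cmd)
        schedule = TASK_SCHEDULE_RE.search(cmd)
        action = _unquote(run.group(1)) if run else ""
        trigger = schedule.group(1).lower() if schedule else ""
        if USER_WRITABLE.search(action) or USER_WRITABLE.search(parent):
            findings.append({
                "rule": "scheduled_task_user_writable",
                "severity": "high",
                "target": action,
                "trigger": trigger,
                "parent": parent,
            })
    return findings


def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run inspect_event over a stream of events and collect all findings."""
    results: List[Dict[str, str]] = []
    for event in events:
        results.extend(inspect_event(event))
    return results


# Constructed events resembling Sysmon Event ID 1 fields; paths and names are made up.
CONSTRUCTED_EVENTS = [
    {   # loader in Temp asks PowerShell to exclude its dropped copy from Defender
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -NoP -W Hidden Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Montero.exe"',
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\TEKLIF_xlsx.exe",
    },
    {   # the same loader registers the dropped copy to run at every logon
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /f /tn "Updates\Montero" /tr "C:\Users\user\AppData\Roaming\Montero.exe" /sc onlogon',
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\TEKLIF_xlsx.exe",
    },
    {   # benign: a vendor installer scheduling its updater from Program Files
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc daily /st 03:00',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # benign: an administrator reading the current Defender configuration
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for finding in analyze(CONSTRUCTED_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['target']} (parent: {finding['parent']})")
```

The command-line view is the cheapest place to catch this chain, but it is not the only one: Defender itself records configuration changes, exclusions included, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and scheduled task creation appears as Security Event ID 4698 when object-access auditing for task objects is enabled. Correlating either of those with a parent process in a user-writable directory gives the same signal without depending on how the attacker spelled the command.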

In-Depth Data Theft

Once established, the malware rapidly pivots to credential harvesting. It systematically targets a broad spectrum of browser-based storage locations, extracting autofill data, passwords, cookies, download histories, and stored credit card details from popular web browsers such as Chrome, Edge, Firefox, and many regionally favored Chromium forks.

Additionally, the malware hunts for credentials from mail clients including Outlook, FoxMail, and Thunderbird, even probing Windows Registry keys for sensitive configuration data, which it then decrypts using custom routines.

Interestingly, many anti-analysis routines meant to detect virtual machines, sandboxes, and popular debugging tools are present in the code but remain empty stubs, presumably left blank to reduce the risk of detection or because the sample was adapted for targeted attacks.

Exfiltration of harvested data is performed through multiple channels, with SMTP-based communication observed as the primary vector in this sample.

Configurations and credentials for SMTP exfiltration are embedded in the binary, protected with DES encryption; researchers were able to extract and decrypt these settings, revealing attacker-controlled infrastructure masked behind the guise of legitimate cloud email services.

The ongoing attack campaign has prompted formal incident reporting to Turkey’s National Computer Emergency Response Team (USOM).

Sector-wide notifications and technical advisories are being distributed to highlight the threat and support containment.

Defenders are encouraged to use the provided YARA rules, which target improbable resource-section entropy and .NET artifact patterns, to proactively detect suspicious executables, including those using the Cassandra Protector packer.
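The entropy heuristic behind those rules is simple enough to reproduce outside YARA. The code below is an added example, not the article's rules or any tooling from the researchers: it parses the PE section table with nothing but the standard library, computes the Shannon entropy of each section's raw bytes, and flags a resource section whose entropy is implausibly high for icons, manifests and version blocks. The 7.2 threshold, the minimal PE builder and the three constructed sections (including a SHA-256-derived blob standing in for an encrypted payload resource) are assumptions made for illustration.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

# Resource sections of ordinary programs hold icons, manifests and version blocks and
# sit well below this; packed or encrypted payloads approach 8.0. Constructed threshold.
RSRC_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table; return (name, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    sections = []
    for index in range(number_of_sections):
        entry = table + 40 * index
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def score_sections(image: bytes, threshold: float = RSRC_ENTROPY_THRESHOLD) -> List[Dict[str, object]]:
    """Entropy per section; a resource section at or above the threshold is flagged."""
    report = []
    for name, data in pe_sections(image):
        entropy = shannon_entropy(data)
        report.append({
            "name": name,
            "size": len(data),
            "entropy": entropy,
            "suspicious": name.lower().startswith(".rsrc") and entropy >= threshold,
        })
    return report


def build_test_image(sections: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a minimal PE (headers + section table + raw data) as test input; it is not runnable."""
    e_lfanew = 0x40
    header = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header += b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0 (enough for the section walk), Characteristics
    header += struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    data_start = len(header) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (initialized data, readable)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                             len(data), data_start + len(body), 0, 0, 0, 0, 0x40000040)
        body += data
    return bytes(header) + table + body


# Constructed sections: evenly distributed code-like bytes, an encrypted-looking resource
# blob (SHA-256 output as a deterministic stand-in), and an all-zero relocation section.
CONSTRUCTED_SECTIONS = [
    (".text", bytes(range(64)) * 16),
    (".rsrc", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
    (".reloc", b"\0" * 512),
]

if __name__ == "__main__":
    for row in score_sections(build_test_image(CONSTRUCTED_SECTIONS)):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{row['name']:<8} {row['size']:>6} bytes  entropy={row['entropy']:.3f}  {flag}")
```

Entropy alone is a triage signal, not a verdict: signed installers and media-heavy applications also carry high-entropy resources, which is why the article pairs the entropy check with .NET artifact patterns. Running score_sections over a real file is a matter of passing the bytes read from disk instead of the constructed image.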

Indicators of Compromise (IOCs)

Filename                                                     SHA256
TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe   0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4
Montero                                                      3c9cddf85962249a967b3827e3edb4acb710dc0e3088c619342e2ce6df35bfbc
vJfV                                                         82fa8156e9d4fb47cd20908818b9172f86ed13eb683041658f242c58ce0a9cff
jVf4P                                                        2859b8700fc6111c40b806d114c43e2e3b4faa536eeab57d604818562905b911
Captive                                                      11f577cc6b6af304332d47fba2122ffb193e81378662ea7093ebe971107d89d6


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
