
Snake Keylogger Strikes Chrome, Edge, and Firefox Users in Latest Attack


A newly evolved variant of the Snake Keylogger malware has been detected, posing a significant threat to users of popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

This malicious software, identified as AutoIt/Injector.GTY!tr, has already been linked to over 280 million blocked infection attempts globally, with hotspots in China, Turkey, Indonesia, Taiwan, and Spain.

The malware’s primary objective is to steal sensitive data, including login credentials and other personal information, by logging keystrokes and monitoring clipboard activity.

The Snake Keylogger variant is typically distributed via phishing emails containing malicious attachments or links.

Once executed, it infiltrates systems by embedding itself in trusted processes through techniques like process hollowing.

This allows the malware to execute its payload undetected within legitimate applications.

Additionally, Snake Keylogger employs advanced exfiltration methods, using SMTP and Telegram bots to transmit stolen data to its command-and-control (C2) servers.

Advanced Detection Reveals Sophisticated Tactics

FortiGuard Labs leveraged its FortiSandbox 5.0 (FSAv5) platform to identify and analyze this new variant.

The AI-powered PAIX engine within FSAv5 enabled the detection of obfuscated strings and malicious APIs embedded in the malware’s code.

Through a combination of static and dynamic analysis, researchers uncovered the malware’s ability to bypass traditional antivirus solutions by using the AutoIt scripting language for payload delivery.

[Figure: Encrypted AutoIt Script]

This technique not only complicates detection but also mimics benign automation tools.

The malware establishes persistence on infected systems by dropping a hidden executable file named “ageless.exe” in the %Local_AppData% directory and creating a script (“ageless.vbs”) in the Windows Startup folder.

This ensures that the malware automatically executes upon system reboot without requiring administrative privileges.
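A defender-side check for the persistence chain just described, as an added example that is not from the article or from FortiGuard: PowerShell that looks in the current user's Startup folder for script launchers pointing into %LocalAppData% and lists hidden executables sitting in that directory. It generalises beyond the ageless.exe/ageless.vbs names, since dropper file names vary; the function name and indicator labels are my own, and the script only reads, it changes nothing.

```powershell
# Added example: hunt for a Startup-folder script that launches a hidden
# executable under %LocalAppData%, the persistence pattern described above.
# Not the article's or FortiGuard's code; run as the user being checked.
function Find-StartupLauncherChain {
    $startup  = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
    $localApp = $env:LOCALAPPDATA
    $findings = @()

    # 1. Launcher half: scripts in Startup that reference LocalAppData.
    Get-ChildItem -Path $startup -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.vbs', '.js', '.wsf' } |
        ForEach-Object {
            $lines = @(Get-Content -Path $_.FullName -ErrorAction SilentlyContinue)
            $hit = $lines |
                Where-Object { $_ -match 'AppData\\Local' -or $_ -match [regex]::Escape($localApp) } |
                Select-Object -First 1
            if ($hit) {
                $findings += [pscustomobject]@{
                    Indicator = 'Startup script referencing LocalAppData'
                    Path      = $_.FullName
                    Detail    = $hit.Trim()
                }
            }
        }

    # 2. Payload half: hidden .exe files placed directly in LocalAppData.
    Get-ChildItem -Path $localApp -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -and $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Hidden executable in LocalAppData root'
                Path      = $_.FullName
                Detail    = 'SHA256 ' + (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    return $findings
}

$results = Find-StartupLauncherChain
if ($results.Count -eq 0) {
    'No Startup-folder launcher pointing into LocalAppData was found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Either half on its own can be benign (some installers legitimately drop per-user launchers), so treat a hit as a lead to triage, with the hash of the flagged executable as the pivot for sandbox or threat-intel lookup.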

Further analysis revealed that Snake Keylogger employs a low-level keyboard hook (WH_KEYBOARD_LL) to capture keystrokes, enabling it to log sensitive input such as banking credentials and passwords stored in browser autofill systems.

[Figure: Snake Keylogger’s attempt to steal the victim’s credit card information]

It also accesses folders containing browser-related login credentials for exfiltration.

Implications for Cybersecurity

The emergence of this advanced Snake Keylogger variant underscores the evolving nature of cyber threats targeting widely used platforms.

By leveraging sophisticated techniques like process hollowing and encrypted scripting, attackers can evade traditional security measures while maximizing data theft capabilities.

Organizations are urged to enhance their cybersecurity defenses by adopting advanced detection tools like FortiSandbox 5.0.

The platform’s AI-driven PAIX engine provides real-time analysis of emerging threats, enabling proactive identification and mitigation of keylogger attacks.

Additionally, users are advised to remain vigilant against phishing attempts and ensure their systems are equipped with up-to-date antivirus solutions.

As cybercriminals continue to refine their tactics, robust threat intelligence and advanced detection mechanisms remain critical in safeguarding sensitive information from malicious actors.
