Executive Summary
FortiGuard Labs has identified a new variant of Snake Keylogger, also known as 404 Keylogger, which has been responsible for over 280 million blocked infection attempts worldwide. The malware is designed to steal sensitive credentials by logging keystrokes, accessing browser-stored passwords, and exfiltrating data through SMTP and Telegram bots. It primarily targets Windows users located in China, Turkey, Indonesia, Taiwan, and Spain. The latest Snake variant now uses AutoIt, a scripting language that helps it evade detection by traditional security tools, marking an increase in the keylogger's sophistication and adaptability.
Community Impact
The retail and hospitality sectors are particularly exposed to Snake Keylogger, as these industries handle large volumes of customer payment information. Attackers could use this malware to harvest credit card details, loyalty program credentials, and employee login information, leading to financial fraud and data breaches. RH-ISAC Core Member Organizations should ingest the intelligence in this report and in the original Fortinet report linked above, and should review and ingest the Indicators of Compromise provided below.
Technical Analysis
The new Snake Keylogger variant uses AutoIt to bypass security measures and execute its payload, making detection more challenging. Once executed, the malware drops itself into the %Local_AppData% directory and creates a startup script (ageless.vbs) to persist across system reboots. It then employs process hollowing, injecting its code into a trusted Windows process (RegSvcs.exe) so that the keylogger runs under a legitimate process name.
The malware’s keylogging and credential theft mechanisms include:
- Capturing keystrokes via the SetWindowsHookEx API to log sensitive input.
- Stealing saved passwords from browsers like Chrome, Edge, and Firefox.
- Accessing autofill data, including credit card details.
- Using geolocation services to gather additional victim information.
- Exfiltrating stolen data via SMTP email servers and Telegram bots to evade detection.
Indicators of Compromise
Fortinet has provided the following Indicators of Compromise:
| Description | IOCs |
| --- | --- |
| Command-and-Control (C2) Server | http://51[.]38[.]247[.]67:8081/_send_php?L |
| Original file | f8410bcd14256d6d355d7076a78c074f |
| ageless.exe | f8410bcd14256d6d355d7076a78c074f |
| ageless.vbs | 77f8db41b320c0ba463c1b9b259cfd1b |
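As an added example (not part of Fortinet's or RH-ISAC's material), the following Python script applies the behaviours described in the Technical Analysis and the indicators in the table above to exported endpoint telemetry. The file hashes, dropped file names, the RegSvcs.exe hollowing target and the C2 address come from the page; the telemetry field names, the sample events, the SMTP port list and the Telegram Bot API host name are assumptions made for the example, and the hashes are treated as MD5 because they are 32 hexadecimal characters.

```python
"""Hunt for the Snake Keylogger indicators from this advisory in endpoint
telemetry records (added example, not Fortinet's or RH-ISAC's code)."""
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the advisory's IoC table (hashes are MD5, 32 hex chars).
IOC_MD5 = {
    "f8410bcd14256d6d355d7076a78c074f": "ageless.exe / original file",
    "77f8db41b320c0ba463c1b9b259cfd1b": "ageless.vbs startup script",
}
C2_IP, C2_PORT = "51.38.247.67", 8081
DROPPED_NAMES = {"ageless.exe", "ageless.vbs"}   # written under %Local_AppData%
HOLLOWED_HOST = "regsvcs.exe"                    # process hollowing target

# Assumptions, not from the advisory: the page says exfiltration goes over
# SMTP and Telegram bots, so these are the ports/host we watch for.
SMTP_PORTS = {25, 465, 587}
TELEGRAM_API = "api.telegram.org"
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    rule: str
    event_index: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Apply the advisory's indicators to telemetry records (assumed fields:
    type, image, parent_image, target, md5, dest_ip, dest_port, dest_host)."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        if kind == "file_create":
            target = ev.get("target", "")
            md5 = ev.get("md5", "").lower()
            if md5 in IOC_MD5:
                findings.append(Finding("ioc_hash", i, f"{IOC_MD5[md5]}: {target}"))
            # Page: dropper copies itself and ageless.vbs for persistence.
            if _basename(target) in DROPPED_NAMES:
                findings.append(Finding("dropped_file", i, target))
        elif kind == "process_create":
            parent = ev.get("parent_image", "").lower()
            # Page: code is injected into RegSvcs.exe. That .NET utility being
            # launched by a parent outside Windows/Program Files merits review.
            if _basename(image) == HOLLOWED_HOST and not parent.startswith(TRUSTED_PARENT_DIRS):
                findings.append(Finding("suspicious_regsvcs_parent", i, parent))
        elif kind == "network_connect":
            ip, port = ev.get("dest_ip"), ev.get("dest_port")
            host = ev.get("dest_host", "").lower()
            if ip == C2_IP and port == C2_PORT:
                findings.append(Finding("c2_contact", i, f"{ip}:{port}"))
            # Page: stolen data leaves via SMTP and Telegram bots; a hollowed
            # RegSvcs.exe has no legitimate reason to use either channel.
            if _basename(image) == HOLLOWED_HOST and (port in SMTP_PORTS or host == TELEGRAM_API):
                findings.append(Finding("exfil_channel", i, host or f"{ip}:{port}"))
    return findings


# Constructed sample telemetry (not real logs), loosely modelled on Sysmon fields.
_LOCAL = "C:\\Users\\alice\\AppData\\Local\\"
_REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": _LOCAL + "Temp\\invoice.exe",
     "target": _LOCAL + "ageless.exe", "md5": "f8410bcd14256d6d355d7076a78c074f"},
    {"type": "file_create", "image": _LOCAL + "ageless.exe",
     "target": _LOCAL + "ageless.vbs", "md5": "77f8db41b320c0ba463c1b9b259cfd1b"},
    {"type": "process_create", "image": _REGSVCS, "parent_image": _LOCAL + "ageless.exe"},
    {"type": "network_connect", "image": _REGSVCS, "dest_ip": "51.38.247.67", "dest_port": 8081},
    {"type": "network_connect", "image": _REGSVCS, "dest_ip": "203.0.113.10", "dest_port": 587},
    # Benign noise: should produce no findings.
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443, "dest_host": "api.telegram.org"},
]


def run_sample() -> list[Finding]:
    """Run the hunt over the constructed events; used by the demo and the checks."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

Run it against real exports by replacing SAMPLE_EVENTS with records mapped to the same field names; the hash and C2 rules are exact matches from the table, while the RegSvcs.exe parent and exfil-channel rules are behavioural and will need tuning to the environment's baseline.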