Author: Eric Patterson
TLP: WHITE
During the week of 14 January, we observed a malspam campaign distributing the Snake Keylogger. The emails in the campaign contain a malicious 7-ZIP archive that opens an SCR file and downloads the malware to the victim host.[1,2]
Snake Keylogger (a.k.a. 404 Keylogger)[3] is an infostealer that can steal a victim’s sensitive information, log keystrokes, take screenshots and extract information from the system clipboard.[4] Those infected with Snake can potentially face anything from identity theft to fraudulent financial transactions, depending on the type of information siphoned by the keylogger.
As in previous 404 Keylogger campaigns we have observed,[5] this malspam campaign was financially themed and contained subject lures such as "STATEMENT OF ACCOUNT NOVEMBER DECEMBER 2020". The emails also carried a compressed ZIP archive attachment with an R03 file extension. The observed sender was "Qtech Admin" and used the email address ungkwangmedtech[@]gmail[.]com.
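The delivery pattern above gives a mail filter two cheap checks: an attachment whose name carries a multi-volume archive extension (.r00 to .r99) or a .scr extension, and an attachment whose leading bytes identify a ZIP, 7-Zip or RAR archive even though its extension says otherwise. The following Python script is an added example written for this post, not Infoblox's code; the sample message, sender address and the lure keyword list beyond "statement of account" are constructed for illustration, while the archive file signatures are the real ones for those formats.

```python
"""Flag mail attachments matching the Snake Keylogger malspam pattern.

Added example (not Infoblox's code). Two checks that need no extraction:
  1. attachment extension is a multi-volume archive part (.r00-.r99) or a
     screensaver executable (.scr);
  2. the attachment's magic bytes identify a ZIP / 7-Zip / RAR archive while
     the extension is not .zip / .7z / .rar (extension spoofing).
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Real leading-byte signatures of the archive formats named in the post.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# .r03-style volume parts and .scr screensaver executables.
SUSPICIOUS_EXT = re.compile(r"\.(r\d\d|scr)$", re.IGNORECASE)
# Financial-statement lure keywords; only the first is from the observed campaign,
# the others are assumed additions.
LURE_SUBJECT = re.compile(r"\b(statement of account|invoice|remittance)\b", re.IGNORECASE)


def archive_type(data: bytes) -> Optional[str]:
    """Return 'zip', '7z' or 'rar' if the bytes start with that format's magic."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect findings about subject and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    findings = []
    attachment_hits = 0

    if LURE_SUBJECT.search(subject):
        findings.append(f"financial lure subject: {subject!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = archive_type(payload)

        if SUSPICIOUS_EXT.search(name):
            findings.append(f"suspicious attachment extension: {name}")
            attachment_hits += 1
        if kind and ext not in ("zip", "7z", "rar"):
            findings.append(f"{name}: content is a {kind} archive but extension is .{ext}")
            attachment_hits += 1

    # Block only on attachment evidence; a lure-like subject alone is just context.
    return {"subject": subject, "findings": findings, "block": attachment_hits > 0}


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Construct a test message (sender and body are made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "Qtech Admin <sender@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find the attached statement.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lookalike of the campaign: lure subject plus a 7-Zip blob named .r03.
    sample = build_sample("STATEMENT OF ACCOUNT NOVEMBER DECEMBER 2020",
                          "statement.r03", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
    result = assess_message(sample)
    for f in result["findings"]:
        print("-", f)
    print("block:", result["block"])
```

The magic-byte check is what catches the case the post describes: an archive renamed to a volume-part extension that some gateways do not treat as an archive. A benign `.zip` whose bytes really are ZIP produces no finding.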
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.virustotal.com/gui/file/7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9/details
2. https://www.virustotal.com/gui/file/4b08d69d6bdb81f338710851e3631513f0360187e68ef07bf71665ef33783364/community
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–89
4. https://www.enigmasoftware.com/snakekeylogger-removal/
5. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–89