Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials
A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries).
The malicious campaign distributes files disguised as contractual documents, specifically using the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to deceive recipients into executing the payload.
The Snake Keylogger variant demonstrates advanced persistence capabilities and sophisticated evasion techniques that allow it to operate undetected within compromised systems.
Once executed, the malware immediately establishes multiple layers of persistence while simultaneously implementing anti-detection mechanisms to ensure long-term access to victim systems.
The campaign’s targeted approach toward defense industry contractors indicates a strategic focus on high-value intelligence gathering operations.
Malwation researchers identified this particular strain during their analysis of recent phishing campaigns, noting the malware’s sophisticated use of legitimate Windows utilities to maintain persistence and evade security controls.
The sample, with SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, presents as a PE32 executable written in .NET, utilizing multiple unpacking layers to conceal its true functionality.
The keylogger’s primary targets include credentials, cookies, and financial information extracted from over 30 different browsers and email clients, including Chrome, Firefox, Outlook, and Thunderbird.
Additionally, the malware harvests autofill data, credit card information, download histories, and top sites from compromised systems before exfiltrating the stolen data via SMTP to mail.htcp.homes servers.
Advanced Persistence and Evasion Mechanisms
The malware employs a dual-pronged approach to establish persistence while evading detection systems.
Upon execution, it immediately invokes PowerShell to add itself to Windows Defender’s exclusion list using the command Add-MpPreference -Excl, effectively neutralizing the built-in antimalware protection.
This operation is executed through the NtCreateUserProcess system call, launching powershell.exe with elevated privileges to modify security configurations.
Simultaneously, the malware creates a scheduled task named “UpdatesoNqxPR” using schtasks.exe to ensure automatic execution at system startup.
The scheduled task creation process involves generating an XML configuration file that defines the execution parameters, allowing the malware to persist across system reboots without user interaction.
This technique leverages legitimate Windows task scheduling functionality, making detection significantly more challenging for traditional security solutions.
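The two persistence steps above (a PowerShell Defender exclusion and a startup scheduled task created from an XML definition) leave a recognisable footprint in process-creation telemetry. The following Python detector is an added example, not code from the article or from Malwation’s analysis; the event records and task XML are constructed samples in the shape of Sysmon Event ID 1 fields, and the -ExclusionPath parameter, file paths and task name used in them are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed process-creation records (image, parent image, command line).
# Written for this example; not telemetry from the campaign itself.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Downloads\TEKLIF_xlsx.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\Downloads"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\user\Downloads\TEKLIF_xlsx.exe",
     "cmdline": r'schtasks.exe /Create /TN "UpdatesoNqxPR" /XML "C:\Users\user\AppData\Local\Temp\tmp1.tmp"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"schtasks.exe /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# Constructed task definition: runs at logon, payload lives under the user profile.
SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\user\\AppData\\Roaming\\UpdatesoNqxPR.exe</Command></Exec></Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"^C:\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)


def classify_event(ev):
    """Label one process record with the technique it resembles, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    # Defender exclusion added from the command line (Add-MpPreference -Exclusion*).
    if image.endswith("powershell.exe") and re.search(r"add-mppreference\s+-excl", cmd, re.I):
        return "defender_exclusion"
    # Task creation driven by an XML file or scheduled for boot/logon.
    if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        if re.search(r"/xml\b|/sc\s+(onstart|onlogon)", cmd, re.I):
            return "schtasks_persistence"
    return None


def detect(events):
    """Return (parent image, technique) pairs for every flagged record."""
    hits = []
    for ev in events:
        label = classify_event(ev)
        if label:
            hits.append((ev["parent"], label))
    return hits


def suspicious_task_xml(xml_text):
    """True when a task fires at boot/logon and executes from a user-writable path."""
    root = ET.fromstring(xml_text)
    startup = any(root.find(f"t:Triggers/t:{trig}", NS) is not None
                  for trig in ("BootTrigger", "LogonTrigger"))
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    return startup and bool(USER_WRITABLE.search(command))
```

Correlating both labels against the same parent image (here the disguised .exe from Downloads) is what separates this pattern from an administrator legitimately adding an exclusion or an installer registering a task.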