Snake Keylogger Bypasses Windows Defender and Uses Scheduled Tasks to Steal Credentials
Threat actors have been using a sophisticated phishing operation to impersonate Turkish Aerospace Industries (TUSAŞ) in order to attack Turkish businesses, especially those in the defense and aerospace sectors.
The campaign distributes malicious emails masquerading as contractual documents, such as the file “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” with SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4.
This PE32 executable, identified as a .NET assembly for MS Windows, delivers a variant of the Snake Keylogger, an information-stealing malware designed to harvest sensitive data including credentials, cookies, and financial information from browsers and email clients.
Emerging Phishing Threat
Upon execution, the malware establishes persistence and evades detection: it runs PowerShell commands to add itself to Windows Defender's exclusion list and registers a scheduled task for automatic startup, ensuring long-term access to compromised systems.
The incident has been reported to Turkey’s National Computer Emergency Response Team (USOM), with ongoing efforts to notify affected victims and mitigate risks through collaborative intelligence sharing.
Analysis reveals the malware’s layered structure, beginning with a benign Windows Forms application named “temperatureConverterForm” that performs harmless operations like temperature conversions to mask its intent.
At runtime, it loads additional payloads into memory using Assembly.Load and Activator.CreateInstance, exhibiting matryoshka-style nesting.
Unpacking with tools like Chiron Unpacker exposes the core malicious binary, dubbed “Remington,” which includes empty anti-analysis stubs for VM, Sandboxie, Windows Defender, and Task Manager evasion, suggesting potential for future enhancements.
Technical Breakdown
The keylogger targets data from email clients such as Outlook, FoxMail, and Thunderbird by traversing their registry keys, then classifying and decrypting the stored passwords with functions such as decryptOutlookPassword.
It extends its reach to steal autofill data, credit card details, downloads, top sites, and cookies from over 30 browsers, including Chrome, Firefox, Brave, Vivaldi, and Microsoft Edge.
Anti-bot features check against known sandbox IP addresses, while exfiltration occurs via configurable channels like SMTP, FTP, or Telegram.
Configuration extraction shows DES-encrypted SMTP credentials, decryptable using Python scripts that leverage MD5-derived keys for ECB-mode decryption, revealing details such as server “mail.htcp.homes,” port 587, and email endpoints like “[email protected].”
A custom YARA rule detects the Cassandra Protector obfuscation, flagging .NET samples with high-entropy sections, specific libraries like System.Drawing.Bitmap, and reflective patterns.
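The two signals the YARA rule combines, high-entropy sections and reflective-loading strings, can be reproduced in a small triage script. The following is an added example, not the article's rule or any tool from the analysis: it walks a PE section table with nothing but the standard library, scores each section's Shannon entropy, and looks for the marker strings the article names in both ASCII and UTF-16LE (the encoding .NET uses for user strings). The marker set, the 7.0 bits-per-byte threshold and the constructed sample PE are assumptions for illustration.

```python
import math
import random
import struct
from collections import Counter

# Strings the article ties to Cassandra Protector and reflective loading. Checked in
# both ASCII and UTF-16LE because .NET user strings are stored as UTF-16. Hypothetical
# marker set for this example; tune it against real samples before relying on it.
REFLECTIVE_MARKERS = (b"System.Drawing.Bitmap", b"Assembly.Load", b"Activator.CreateInstance")
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or packed data sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) per section of a PE image, reading only the headers
    needed to reach the section table (MZ stub -> e_lfanew -> COFF -> section table)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def triage(pe: bytes) -> dict:
    """Apply the two signals the article's YARA rule combines: sections whose entropy
    suggests an embedded encrypted payload, plus reflective-loading strings."""
    high = [name for name, data in pe_sections(pe) if shannon_entropy(data) >= ENTROPY_THRESHOLD]
    markers = [m.decode() for m in REFLECTIVE_MARKERS
               if m in pe or m.decode().encode("utf-16-le") in pe]
    return {"high_entropy_sections": high, "markers": markers,
            "suspicious": bool(high) and len(markers) >= 2}


def build_sample_pe(sections) -> bytes:
    """Constructed fixture: a minimal, non-executable PE container holding the given
    (name, data) sections, with just enough headers for pe_sections() to parse."""
    table_off = 0x40 + 4 + 20                # DOS header, PE signature, COFF header
    data_off = table_off + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    blobs = b""
    for name, data in sections:
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), data_off + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
    return bytes(hdr) + blobs


def sample_report() -> dict:
    """Triage a constructed sample: a plain .text section carrying the loader strings
    and a pseudo-random .rsrc section standing in for an encrypted nested payload."""
    rng = random.Random(1337)
    text = (b"temperatureConverterForm\0System.Drawing.Bitmap\0Assembly.Load\0"
            + "Activator.CreateInstance".encode("utf-16-le") + b"\0" * 256)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return triage(build_sample_pe([(b".text", text), (b".rsrc", packed)]))


if __name__ == "__main__":
    print(sample_report())
```

Entropy alone is a weak signal (compressed resources and legitimate protectors also score high), which is why the verdict requires both the high-entropy section and at least two of the reflective-loading strings; in practice the section names, the presence of a .NET CLR header and the split namespace/type entries in the #Strings heap would be added as further conditions.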
This deep dive underscores the malware's reliance on system calls like NtCreateUserProcess for process injection, PowerShell for the Defender exclusion (e.g., Add-MpPreference -ExclusionPath), and schtasks.exe for persistence via XML-defined tasks placed in temp directories.
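Both persistence behaviours, the Defender exclusion and the scheduled task created from an XML file in a temp directory, leave a clear trace in process-creation telemetry. The script below is an added example, not part of the article or of any tooling from the analysis: it runs two detection rules over constructed Sysmon-style process-creation records and escalates severity when the parent process runs from a user-writable directory, which is the pattern a dropper launched from Downloads produces. The sample records, the regular expressions, the task name and the analyst user name are assumptions; only the dropper filename and the Add-MpPreference cmdlet come from the article.

```python
import re
from typing import Dict, List

# Constructed process-creation records (Sysmon Event ID 1 style, simplified). They are
# written for this example and are not telemetry from the campaign; the dropper filename
# and the PowerShell cmdlet are the ones the article names, everything else is assumed.
DROPPER = r"C:\Users\analyst\Downloads\TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe"
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": DROPPER,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe Add-MpPreference -ExclusionPath '{DROPPER}'"},
    {"pid": 4102, "parent": DROPPER,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SampleTask" /xml "C:\Users\analyst\AppData\Local\Temp\tmpA1B2.tmp" /f'},
    {"pid": 4200, "parent": r"C:\Windows\System32\cmd.exe",          # benign: read-only query
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
    {"pid": 4201, "parent": r"C:\Windows\System32\cmd.exe",          # benign: task XML from ProgramData
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Maintenance" /xml "C:\ProgramData\Vendor\task.xml"'},
]

# Detection patterns (assumed; tune them to how your environment logs command lines).
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
SCHTASKS_XML = re.compile(r"/create\b.*?/xml\s+\"?([^\s\"]+)", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\(?:Temp|Downloads)\\", re.IGNORECASE)
USER_WRITABLE_PARENT = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData)\\", re.IGNORECASE)


def detect(event: Dict) -> List[Dict]:
    """Return findings for one process-creation event: the two rules derived from the
    article's TTPs, escalated when the parent runs from a user-writable directory."""
    findings: List[Dict] = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith(("powershell.exe", "pwsh.exe")) and DEFENDER_EXCLUSION.search(cmd):
        findings.append({"rule": "defender_exclusion_added", "severity": "high"})
    if image.endswith("schtasks.exe"):
        m = SCHTASKS_XML.search(cmd)
        if m and TEMP_PATH.search(m.group(1)):
            findings.append({"rule": "scheduled_task_from_temp_xml", "severity": "high",
                             "xml": m.group(1)})
    if findings and USER_WRITABLE_PARENT.search(event.get("parent", "")):
        for f in findings:
            f["severity"] = "critical"   # spawned by something living in Downloads/AppData
    return findings


def run_detection(events=None) -> Dict[int, List[Dict]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    events = SAMPLE_EVENTS if events is None else events
    results: Dict[int, List[Dict]] = {}
    for e in events:
        findings = detect(e)
        if findings:
            results[e["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in run_detection().items():
        print(pid, findings)
```

Both rules need command-line auditing to be enabled (Sysmon Event ID 1 or Windows 4688 with process command line logging); without it the exclusion path and the XML location are not visible and the rules degrade to "PowerShell or schtasks spawned from a Downloads binary", which is still worth an alert.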
Defenders can leverage provided intelligence, including decrypted configs and YARA rules, to bolster detection.
The campaign highlights the evolving tactics of credential theft in targeted sectors, emphasizing the need for enhanced email filtering, behavioral analytics, and runtime monitoring to counter such threats.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Filename | TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe |
| SHA256 | 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4 |
| Montero | 3c9cddf85962249a967b3827e3edb4acb710dc0e3088c619342e2ce6df35bfbc |
| vJfV | 82fa8156e9d4fb47cd20908818b9172f86ed13eb683041658f242c58ce0a9cff |
| jVf4P | 2859b8700fc6111c40b806d114c43e2e3b4faa536eeab57d604818562905b911 |
| Captive | 11f577cc6b6af304332d47fba2122ffb193e81378662ea7093ebe971107d89d6 |
| SMTP | Server: mail.htcp.homes; Port: 587; Email: [email protected] |