A new variant of the Snake Keylogger, also known as 404 Keylogger, has been detected targeting users of popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
FortiGuard Labs identified this threat using FortiSandbox v5.0 (FSAv5), a cutting-edge malware detection platform powered by advanced artificial intelligence (AI) and machine learning.
This malicious software is designed to steal sensitive user information, including credentials and other personal data, by logging keystrokes and monitoring clipboard activity.
High-Impact Campaign with Global Reach
The Snake Keylogger variant, identified as AutoIt/Injector.GTY!tr, has already been linked to over 280 million blocked infection attempts worldwide.
The highest concentration of these detections has been reported in regions such as China, Turkey, Indonesia, Taiwan, and Spain.
Delivered primarily through phishing emails containing malicious attachments or links, the malware exfiltrates stolen data to its command-and-control (C2) server via SMTP or Telegram bots.
This enables attackers to gain unauthorized access to victims’ sensitive information.
Advanced Techniques for Evasion and Persistence
This variant employs sophisticated techniques to evade detection and maintain persistence on infected systems.
It utilizes AutoIt, a scripting language often used for automation in Windows environments, to compile its payload into standalone executables that bypass traditional antivirus solutions.
Upon execution, the malware drops files into specific directories such as %Local_AppData%supergroup and creates scripts in the Windows Startup folder to ensure it runs automatically upon system reboot.
Additionally, Snake Keylogger uses process hollowing to inject malicious code into legitimate processes like RegSvcs.exe.
This technique allows the malware to operate undetected within trusted system processes.
It also targets browser autofill systems to extract stored credentials and credit card details while employing low-level keyboard hooks to capture keystrokes.
FortiSandbox v5.0 played a pivotal role in identifying this threat through its PAIX AI engine.
The platform combines static analysis examining code structures and embedded signatures with dynamic behavioral analysis to detect suspicious activities in real-time.
FSAv5 uncovered obfuscated strings, API calls, and runtime behaviors indicative of credential harvesting and data exfiltration.
Fortinet analysis revealed that Snake Keylogger leverages websites like checkip[.]dyndns[.]org for geolocation reconnaissance and transmits stolen data via HTTP POST requests.
It also deploys encrypted scripts and specialized modules to access browser-related login credentials.
Organizations are advised to strengthen their email security measures to prevent phishing attacks the primary delivery mechanism for Snake Keylogger.
Deploying advanced threat detection tools like FortiSandbox can help identify and mitigate such threats effectively.
Regular updates of antivirus solutions and employee training on cybersecurity best practices are also critical in reducing exposure to evolving malware campaigns.
As this attack campaign underscores the growing sophistication of keyloggers, proactive measures remain essential in safeguarding sensitive information against emerging threats.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting – Register Here