Snake Keyloggers Abuse Java Utilities to Evade Security Tools

A sophisticated phishing campaign leveraging the Snake Keylogger malware has emerged, exploiting legitimate Java debugging utilities to bypass security mechanisms and target organizations worldwide.

The Russian-originated .NET malware, distributed through a Malware as a Service (MaaS) model, represents a significant evolution in cybercriminal tactics by abusing trusted system components that typically evade detection.

The campaign employs spear-phishing emails themed around petroleum product sales, capitalizing on heightened geopolitical tensions in the Middle East.

Example of a spear phishing email (Source – CN-SEC)

These malicious communications impersonate major oil companies, particularly targeting organizations in the energy sector during a period of global concern over potential disruptions to oil logistics through the Strait of Hormuz.

CN-SEC analysts identified this campaign as particularly noteworthy due to its unprecedented abuse of jsadebugd.exe, a legitimate Java debugging utility that has never before been documented for malicious purposes.

The attackers demonstrate sophisticated understanding of system architecture by leveraging this trusted binary to execute their payload while maintaining stealth.

The malware employs a multi-stage infection process beginning with compressed attachments containing the legitimate jsadebugd.exe binary, renamed to appear as a petroleum-related document.

When executed, the malware utilizes DLL sideloading techniques to load malicious code through the jli.dll library, subsequently injecting the Snake Keylogger payload into the legitimate InstallUtil.exe process.

Advanced Evasion Through Binary Header Manipulation

The malware’s most sophisticated evasion technique involves storing the Snake Keylogger binary within concrt141.dll while strategically positioning malicious code immediately before the standard MZ header.

This placement allows the payload to remain hidden from conventional signature-based detection systems that rely on standard PE file structure analysis.

The binary header manipulation can be observed in the malware's structure:

Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000   00 01 00 00 00 00 72 01 00 4D 5A 90 00 03 00 00

This technique effectively masks the malicious payload while maintaining file legitimacy.
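As an added defender-side example (not code from the CN-SEC report), the following Python check looks for a PE image whose "MZ" header does not sit at offset 0, the pattern shown in the dump above. The sample bytes are constructed here: the nine prefix bytes from the dump followed by a synthetic minimal DOS header and "PE\0\0" signature, not real malware.

```python
import struct

# Constructed sample prefix: the nine bytes that precede "4D 5A" in the dump.
PREFIX = bytes.fromhex("00 01 00 00 00 00 72 01 00")


def build_min_pe() -> bytes:
    """Build a synthetic minimal PE image: 64-byte DOS header with
    e_lfanew (offset 0x3C) pointing at a "PE\\0\\0" signature at 0x40."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)  # placeholder COFF header


def find_embedded_pe(data: bytes) -> list[int]:
    """Return the offset of every plausible PE image in data.

    A hit requires an "MZ" signature, room for a full DOS header, and an
    e_lfanew that lands on a "PE\\0\\0" signature inside the buffer. This
    weeds out the many random "MZ" byte pairs a scan would otherwise report.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (e_lfanew >= 0x40 and pe_off + 4 <= len(data)
                    and data[pe_off:pe_off + 4] == b"PE\0\0"):
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def is_suspicious(data: bytes) -> bool:
    """Flag a file carrying a PE header anywhere other than offset 0,
    e.g. a payload stored behind a short prefix inside a DLL resource."""
    return any(off != 0 for off in find_embedded_pe(data))


# Constructed test input mirroring the dump: 9 prefix bytes, then the PE.
SAMPLE = PREFIX + build_min_pe()

if __name__ == "__main__":
    print("embedded PE offsets:", find_embedded_pe(SAMPLE))
    print("suspicious:", is_suspicious(SAMPLE))
```

A clean, ordinary PE yields a single hit at offset 0 and is not flagged; only a header displaced by a prefix trips the check.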

The malware establishes persistence through registry modification at SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring continued execution across system reboots, while copying components to %USERPROFILE%\SystemRootDoc.

Upon successful installation, Snake Keylogger harvests credentials from over 40 browsers and applications, including Chrome, Firefox, Microsoft Outlook, and FileZilla, while collecting system information through legitimate services like reallyfreegeoip.org.

The stolen data is exfiltrated via SMTP to attacker-controlled email addresses, completing a comprehensive data theft operation.
