Snake Keyloggers Exploit Java Utilities to Evade Detection by Security Tools

The S2 Group Intelligence team has uncovered a Russian-origin malware known as Snake Keylogger, a stealer coded in .NET, leveraging legitimate Java utilities to bypass security tools.

This operation, distributed via a Malware as a Service (MaaS) model, targets diverse victims, including companies, governments, and individuals, with a particular focus on the oil industry during heightened geopolitical tensions in the Middle East.

Spear-phishing emails, disguised as offers for petroleum products, are being used to deliver malicious payloads, capitalizing on concerns over conflicts between Iran and Israel and potential disruptions like the closure of the Strait of Hormuz, which could impact global oil prices and logistics.

Innovative Use of DLL Sideloading

The campaign employs a cunning technique by embedding malicious code within compressed attachments in spear-phishing emails that impersonate a major Kazakhstan-based oil company, LLP KSK PETROLEUM LTD OIL AND GAS.

According to the Report, these attachments include a renamed legitimate Java debugging tool, jsadebugd.exe, now observed for the first time in malicious contexts.

By exploiting the DLL sideloading vulnerability in jsadebugd.exe, attackers load a malicious DLL named jli.dll, which subsequently injects the Snake Keylogger into the legitimate InstallUtil.exe process.

To evade detection, the malware binary, housed in a file named concrt141.dll, prepends data before the MZ header, a tactic designed to confuse security scanners.

For persistence, the malicious payload is copied to a user profile directory and a registry key is created to ensure the malware executes on system startup.

This innovative abuse of jsadebugd.exe marks a significant evolution in the attackers’ methods, with 29 additional samples attributed to the same group deploying variants of Snake Keylogger, suggesting a coordinated and persistent threat operation.

Extensive Data Theft

Snake Keylogger is a formidable data thief, extracting sensitive information such as IP addresses and geolocation data via legitimate websites like reallyfreegeoip.org, alongside credentials from an extensive list of browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as applications like Microsoft Outlook and FileZilla.

It also harvests Windows product keys, transmitting stolen data via SMTP using specific email addresses for exfiltration.

The geopolitical backdrop of Middle Eastern conflicts appears to be a deliberate theme in the campaign’s social engineering strategy, likely targeting oil industry organizations amid fears of supply chain disruptions.

Kazakhstan’s prominence as a major oil and gas producer in Central Asia adds credibility to the phishing lure, increasing the likelihood of successful infections.

This blend of technical sophistication and exploitation of current events underscores the adaptability of the threat actors behind Snake Keylogger, as they refine their tactics to maximize impact and evade traditional security measures, posing a significant risk to critical industries worldwide.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates