SnakeKeylogger, a highly adaptable information-stealing malware, has re-emerged in a potent campaign that combines PowerShell scripting with sophisticated social engineering to steal sensitive information.
Infection and Stealth Tactics
SnakeKeylogger operators are launching convincing spear-phishing emails, often masquerading as reputable financial or research firms, using aliases such as "CPA-Payment Files." Recipients are tricked into opening ISO or ZIP attachments containing a seemingly harmless BAT script.
When executed, this script initiates a two-stage infection: it downloads and launches a PowerShell payload, which is the core keylogger module. Gen Threat Labs analysts noted that the malware's strength lies in its seamless blend of legitimate Windows utilities and custom scripting, which allows it to bypass standard execution policies and run without any visible window, so the keylogger operates without the victim noticing.
Data Theft and Persistence
Once active, the PowerShell script establishes persistence by creating scheduled tasks and registry entries, ensuring the malware automatically relaunches upon system reboot. For data collection, the script is efficient and minimal, invoking Windows API functions to capture:
- Keystrokes
- Clipboard contents
- Active window titles
The stolen information is then encoded, batched, and transmitted to a remote Command-and-Control (C2) server. A key element of the PowerShell payload is its use of the Add-Type cmdlet to compile C# code on the fly, declaring Windows API functions such as GetAsyncKeyState through P/Invoke for low-level keystroke interception. This technique lets the keylogger blend in with legitimate Windows maintenance activity, making detection more difficult. Continuous monitoring and timely updates to endpoint protection are strongly recommended to counter this evolving threat.
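Because the C# that Add-Type compiles exists only as text passed to PowerShell at run time, the place it shows up for defenders is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following Python triage script is an added example, not code from the article or from Gen Threat Labs: it scores script block text for the behaviours described above (Add-Type with a DllImport of GetAsyncKeyState, clipboard and window-title access, scheduled-task and Run-key persistence, hidden-window and execution-policy-bypass launch flags) and aggregates the score per PowerShell process, since the article describes persistence setup and capture as parts of one payload. The rule weights, the alert threshold, the process IDs and the log records are all constructed for this example and should be tuned to your own environment.

```python
"""Heuristic triage of PowerShell script block text for the behaviours the
article attributes to this SnakeKeylogger campaign. Added example: rule
weights, threshold and sample records are assumptions, not vendor data."""
import re
from dataclasses import dataclass

# (rule name, weight, pattern). Weights are assumptions chosen for this example.
RULES = [
    ("addtype_pinvoke", 3, re.compile(r"Add-Type\b.*DllImport", re.I | re.S)),
    ("getasynckeystate", 4, re.compile(r"GetAsyncKeyState", re.I)),
    ("clipboard_read", 2, re.compile(r"Get-Clipboard|GetClipboardData", re.I)),
    ("foreground_window", 2, re.compile(r"GetForegroundWindow|GetWindowText", re.I)),
    ("schtask_persist", 3, re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)),
    ("runkey_persist", 3, re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("hidden_window", 1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", 1, re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I)),
]
ALERT_THRESHOLD = 5  # assumption: raise or lower for your environment


@dataclass
class Finding:
    process_id: int
    score: int
    hits: list


def score_script_block(text):
    """Return (score, [matched rule names]) for a single script block."""
    hits = [name for name, _, rx in RULES if rx.search(text)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def triage(records, threshold=ALERT_THRESHOLD):
    """records: iterable of (process_id, script_block_text).

    Rule hits are collected per process so that a payload split across
    several script blocks (persistence in one, capture code in another)
    is still judged as one unit. Returns Findings at or above threshold."""
    per_proc = {}
    for pid, text in records:
        _, hits = score_script_block(text)
        per_proc.setdefault(pid, set()).update(hits)
    findings = []
    for pid, hits in per_proc.items():
        score = sum(w for name, w, _ in RULES if name in hits)
        if score >= threshold:
            findings.append(Finding(pid, score, sorted(hits)))
    return findings


# Constructed sample records (process id, script block text). Process 4120 is a
# benign admin script; process 9876 mimics the behaviours the article describes.
SAMPLE_RECORDS = [
    (4120, 'Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item'),
    (4120, 'Get-Clipboard | Out-File C:\\Temp\\note.txt'),
    (9876, 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1'),
    (9876, 'Add-Type -TypeDefinition @"\nusing System.Runtime.InteropServices;\n'
           'public class W { [DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey); }\n"@'),
    (9876, 'schtasks /create /sc onlogon /tn "WindowsUpdateCheck" /tr "powershell -w hidden -File C:\\Users\\Public\\update.ps1"'),
    (9876, 'Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name Updater -Value "powershell -w hidden -File C:\\Users\\Public\\update.ps1"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"process {f.process_id}: score {f.score}, rules {', '.join(f.hits)}")
```

The benign process trips only the clipboard rule and stays below the threshold, while the process that combines a hidden, policy-bypassing launch with the Add-Type P/Invoke declaration and both persistence mechanisms scores well above it. Feeding real records means exporting 4104 events and passing the script block text with the process ID from the event's execution data.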