Analytics Story: Snake Keylogger

Description

SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.

Why it matters

SnakeKeylogger, a notorious malware family, first emerged in the early 2010s and gained infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently and records every keystroke entered by users, including sensitive information such as passwords and financial details. Over time it has evolved to evade detection mechanisms, making it a persistent threat. Its widespread use in cybercrime underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to operate in the shadows, and its activity can have devastating consequences for victims.

Detections

Name | Technique | Type
Suspicious Driver Loaded Path | Windows Service | TTP
Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP
Download Files Using Telegram | Ingress Tool Transfer | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Processes launching netsh | Disable or Modify System Firewall | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Hunting
Windows Non Discord App Access Discord LevelDB | Query Registry | Anomaly
Windows Phishing PDF File Executes URL Link | Spearphishing Attachment | Anomaly
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows Time Based Evasion via Choice Exec | Time Based Evasion | Anomaly
Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1