Snake Keylogger

Description

SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel: Endpoint
Last Updated: 2024-02-12
Author: Teoderick Contreras, Splunk
ID: 0374f962-c66a-4a67-9a30-24b0708ef802

Narrative

SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.

Detections

Name	Technique	Type
Detect Regasm Spawning a Process	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Download Files Using Telegram	Ingress Tool Transfer	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
High Process Termination Frequency	Data Encrypted for Impact	Anomaly
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Processes launching netsh	Disable or Modify System Firewall, Impair Defenses	Anomaly
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Suspicious Driver Loaded Path	Windows Service, Create or Modify System Process	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process Executed From Container File	Malicious File, Masquerade File Type	TTP
Windows Credential Access From Browser Password Store	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome LocalState Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome Login Data Access	Query Registry	Anomaly
Windows File Transfer Protocol In Non-Common Process Path	Mail Protocols, Application Layer Protocol	Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services	IP Addresses, Gather Victim Network Information	Hunting
Windows Non Discord App Access Discord LevelDB	Query Registry	Anomaly
Windows Phishing PDF File Executes URL Link	Spearphishing Attachment, Phishing	Anomaly
Windows System Network Connections Discovery Netsh	System Network Connections Discovery	Anomaly
Windows Time Based Evasion via Choice Exec	Time Based Evasion, Virtualization/Sandbox Evasion	Anomaly
Windows Unsecured Outlook Credentials Access In Registry	Unsecured Credentials	Anomaly
Windows User Execution Malicious URL Shortcut File	Malicious File, User Execution	TTP

Reference

source | version: 1

Twitter Facebook LinkedIn