Hackers Are Compromising Systems Using Snake Keylogger Malware

Posted on May 24, 2022 at 10:11 AM


Cybersecurity researchers from HP Wolf Security have discovered a hacking campaign that utilizes PDF files to distribute the Snake Keylogger onto vulnerable endpoints.

The researchers stated that the hackers begin their attack by sending an email with the subject line “Remittance Invoice.” This is to deceive victims into believing they will be getting paid for something. The hackers usually attach a PDF file to the email, reassuring victims that the email is coming from a legitimate source. Sometimes the emails come with Word or Excel files attached, which are also embedded with malware.

It is now very common for threat actors to use malicious PDFs when launching email phishing attacks. Threat actors have generally preferred Office formats such as Word or Excel, which most PC users are very familiar with. The researchers noted that these malicious PDFs were used to compromise PCs with credential stealers and the Snake Keylogger, which was first discovered in the wild in November 2020.

The reason why the attackers chose the sneaky file name for the Word document becomes clearer in the prompt Adobe Reader displays when the file is opened. The prompt says ‘The file has been verified.’ It then warns the user that the file may contain programs or viruses that could harm their system.

When an employee reads the message, they would think that the said file has been verified and has been certified free of viruses or malware.

But once the user opens the file, a Microsoft Word document opens. The security researchers noted that Word can download a Rich Text Format (RTF) document from a web server if Protected View is disabled. Once downloaded, the RTF runs in the context of the open document.

However, by default, Microsoft Office opens such documents in Application Guard or Protected View.

The Attackers Are Still Exploiting a Very Old Vulnerability

The security researchers identified an incorrect URL from which the external object link loaded the embedded object. According to HP, the embedded object carries shellcode that exploits the CVE-2017-11882 vulnerability, an old remote code execution bug in the Microsoft Office Equation Editor that is still being exploited by threat actors.

The shellcode downloads an executable named fresh.exe, which is the Snake Keylogger. The malicious file has been distributed through archive files or RTF documents attached to the emails.

Although attackers have shown more interest in Office formats, they are increasingly targeting victims through weaponized PDFs, as the latest campaign shows. They now embed files, load remotely hosted exploits, and encrypt shellcode to compromise systems. These are some of the methods threat actors use to exploit devices and systems while staying under the radar.

The bug exploited in the latest malware campaign, CVE-2017-11882, was discovered over five years ago. But it is still being used, which indicates that the exploit has remained effective for threat actors.

The flaw was patched in November 2017, but hackers are still exploiting it because some device owners have not yet updated their systems. The HP researchers noted that it was one of the most commonly exploited flaws in 2018 because consumers and organizations were too slow to apply updates.

The Attackers Target Old Microsoft Equation Editor

The RTF document is called “f_document_shp.doc” and contains malformed OLE objects that can hide from analysis. After some targeted reconstruction, the HP researchers found that it tries to exploit an old Microsoft Equation Editor flaw to run arbitrary code.

Malware analysts will quickly notice a problem when they inspect the embedded files in these PDFs using scripts and parsers. However, the problem eludes the ordinary users who usually receive these phishing emails; they would not know where to start in checking that the file is not infected. This is why the threat actors have had some success with the campaign: most users are not technically adept enough to notice such errors.
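The kind of script-based inspection the researchers describe can be sketched in a few dozen lines. The following Python triage script is an added example, not code from the article or from HP Wolf Security: it classifies a file as PDF or RTF by its magic bytes (the lure above was an RTF carrying a .doc name, so extensions cannot be trusted), flat-scans a PDF for the keys that make an embedded file actionable, and decodes every RTF \objdata hex payload so that an Equation Editor 3.0 object is caught even when the \objclass is obfuscated or the hex is malformed. The sample PDF and RTF bytes are constructed for the demonstration; the Equation Editor ProgID and CLSID are public Windows values and are not taken from the article.

```python
"""Offline triage of PDF and RTF lures for the indicators described above.
Added example; sample inputs are constructed, not real campaign files."""
import re

# Equation Editor 3.0 (the component targeted by CVE-2017-11882): its ProgID
# as it appears inside an OLE1 object header, and its CLSID
# {0002CE02-0000-0000-C000-000000000046} as laid out on disk in a compound
# file (first three fields little-endian). Public values, not from the article.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# PDF name keys that turn an embedded file into something the reader can act on.
PDF_KEYS = re.compile(rb"/(EmbeddedFiles?|OpenAction|Launch|JavaScript|JS|AA)(?![A-Za-z0-9])")
# The hex run that follows an \objdata control word (ends at the closing brace).
OBJDATA = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def pdf_indicators(data: bytes) -> list[str]:
    """Best-effort flat scan of a PDF for actionable keys."""
    found = {"/" + m.group(1).decode() for m in PDF_KEYS.finditer(data)}
    # Object streams (usually FlateDecode-compressed) can hide these keys from a
    # flat scan, so a 'clean' result is only trustworthy once streams are inflated.
    if b"/ObjStm" in data:
        found.add("/ObjStm (compressed objects; flat scan may be incomplete)")
    return sorted(found)


def rtf_objdata_blobs(data: bytes) -> list[bytes]:
    """Decode every \\objdata payload. Malformed samples pad the hex with
    whitespace or leave an odd nibble count; tolerate both instead of bailing."""
    blobs = []
    for m in OBJDATA.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # drop the dangling nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def rtf_indicators(data: bytes) -> list[str]:
    """Flag Equation Editor objects and auto-update/link control words."""
    found = set()
    if re.search(rb"\\objclass\s+Equation\.3", data):
        found.add("objclass Equation.3")
    for word in (b"\\objupdate", b"\\objautlink"):  # object refreshed on open
        if word in data:
            found.add(word.decode())
    for blob in rtf_objdata_blobs(data):
        # Look inside the decoded OLE data, so a misleading \objclass does not help.
        if EQNEDT_PROGID in blob or EQNEDT_CLSID_LE in blob:
            found.add("equation-editor-ole-object")
    return sorted(found)


def triage(data: bytes) -> dict:
    """Classify by content, never by file name, then run the matching scan."""
    head = data.lstrip()[:5]
    if head.startswith(b"%PDF"):
        return {"kind": "pdf", "indicators": pdf_indicators(data)}
    if head.startswith(b"{\\rt"):
        return {"kind": "rtf", "indicators": rtf_indicators(data)}
    return {"kind": "unknown", "indicators": []}


# Constructed sample: a PDF whose catalog opens a JavaScript action and carries
# an embedded file named like the lure in the article.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R\n"
    b"  /Names << /EmbeddedFiles << /Names [(f_document_shp.doc) 3 0 R] >> >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (f_document_shp.doc) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert(\"constructed sample\");) >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: an RTF whose \objclass claims 'Package' but whose OLE1
# header (version 0x0501, format 2, 11-byte class name) names Equation.3.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Package}"
    rb"{\*\objdata 01050000 02000000 0b000000"
    rb" 4571756174696f6e2e3300 00000000 00000000 }}"
    rb"\par Remittance Invoice}"
)

if __name__ == "__main__":
    for name, blob in (("sample.pdf", SAMPLE_PDF), ("f_document_shp.doc", SAMPLE_RTF)):
        result = triage(blob)
        print(f"{name}: {result['kind']} -> {result['indicators']}")
```

Run it on a quarantined attachment with `triage(open(path, "rb").read())`. The PDF scan is deliberately a flat byte scan, so treat an empty result as "nothing visible" rather than "clean" whenever `/ObjStm` is reported, and inflate the streams first (for example with a PDF parsing library) before concluding anything.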

As a result, many of the users who receive the email may choose to open the DOCX in Microsoft Word, downloading the RTF in the process if macros are enabled.

The researchers also confirmed that one of the vulnerabilities the attackers leveraged in the campaign had existed for some 17 years before it was patched in 2017. This means that the bug currently being exploited is 22 years old. The fact that attackers still find it profitable to exploit shows that some users are not serious about updating their systems, which has given threat actors more leverage.
