Patrick Domingues

Discover how the Snake Keylogger malware spreads through malicious PDFs in a comprehensive analysis of its tactics and evasion techniques.

Introduction

In the ever-evolving landscape of cyber threats, a new campaign has emerged, exploiting unsuspecting victims through a combination of a malicious PDF file and a 22-year-old Office bug. The campaign, discovered by the diligent researchers at HP Wolf Security, showcases the ingenuity of attackers in their relentless pursuit of compromising sensitive information. This article aims to provide a comprehensive analysis of this “unusual” campaign and shed light on the tactics employed by cybercriminals to propagate the Snake Keylogger malware.

The Rise of PDF Malware

Traditionally, malicious email campaigns have relied heavily on Microsoft Office file formats, such as Word and Excel, to conceal and distribute malware. However, the discovery of this campaign demonstrates a shift in tactics, as attackers utilize weaponized PDF documents to infiltrate unsuspecting systems. While PDFs have not been the primary choice for malware distribution, this campaign serves as a wake-up call, highlighting the need for enhanced vigilance and security measures when handling PDF files.

The Anatomy of the Campaign

The campaign initiates with a well-crafted email, enticing victims with the promise of remittance payment information. Attached to the email is a PDF file named “REMMITANCE INVOICE.pdf,” deliberately misspelled to avoid suspicion. Upon opening the file, victims are prompted by Adobe Reader to access a seemingly innocuous Word document. Interestingly, the attackers strategically named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx,” making it appear as part of the Adobe Reader prompt.

A Malicious Interplay: PDF and Microsoft Word

While PDF serves as the initial lure, the campaign employs Microsoft Word to deliver the ultimate payload—the notorious Snake Keylogger. This sophisticated malware, developed using .NET and first identified in late 2020, aims to surreptitiously harvest sensitive information from victims’ devices. By stealing saved credentials, capturing keystrokes, taking screenshots, and accessing clipboard data, Snake Keylogger poses a significant threat to individuals and organizations alike.

Unmasking the Evasion Tactics

The HP Wolf Security researchers identified an array of evasion tactics employed by the attackers to bypass detection. Upon opening the Word document, it becomes evident that it is stored as an EmbeddedFile object within the PDF. Clicking on the document triggers the opening of Microsoft Word, wherein Protected View must be disabled for the exploit to proceed. If successful, Word proceeds to download a Rich Text Format (.rtf) file from a remote web server.

Exploiting a 17-Year-Old Office Bug

Unveiling the underlying exploit, researchers discovered that the downloaded .rtf file contained two “not well-formed” OLE objects. These objects house shellcode that exploits CVE-2017-11882, a remote code execution vulnerability residing within Equation Editor. Astonishingly, this vulnerability was patched by Microsoft in 2017, making it over four years old at the time of this campaign. However, the bug itself had existed for a staggering 17 years, dating back to its initial discovery.

The Final Act: Snake Keylogger Unleashed

As the campaign reaches its climax, the shellcode stored within one of the OLE objects decrypts a ciphertext, revealing more shellcode. This second stage of shellcode execution leads to the invocation of an executable named “fresh.exe.” It is within this executable that the Snake Keylogger malware is loaded, laying the foundation for the extraction of sensitive information from unsuspecting victims.

Mitigating the Threat: Strengthening Cyber Defenses

In light of this campaign, it is imperative for individuals and organizations to enhance their cyber defenses. Several measures can be implemented to mitigate the risk of falling victim to similar attacks:

1. Robust Email Filtering: Deploy advanced email filtering solutions capable of detecting and blocking suspicious attachments and malicious links.

2. User Awareness and Education: Conduct regular training sessions to educate users about the dangers of opening attachments or clicking on links from unknown or suspicious sources.

3. Patch Management: Maintain an up-to-date software ecosystem, ensuring that all security patches and updates are promptly applied to mitigate known vulnerabilities.

4. Multi-Layered Defense: Employ a multi-layered security strategy that encompasses firewalls, intrusion detection systems, antivirus software, and advanced threat detection solutions.

Conclusion

The emergence of the Snake Keylogger campaign, leveraging a malicious PDF and an Office bug, underscores the ever-present threat of cybercrime. Attackers continuously evolve their tactics, exploiting vulnerabilities and employing ingenious methods to infiltrate systems and compromise sensitive data. By remaining vigilant, educating users, and implementing robust security measures, individuals and organizations can bolster their defenses against such threats. Safeguarding our digital assets requires a collective effort, one that embraces proactive defense and ongoing adaptation to the evolving threat landscape.

Patrick Domingues

See Full Bio