Evolving Snake Keylogger Variant
Feb. 20, 2025, 8:58 a.m.
Description
A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web browsers by logging keystrokes, capturing credentials, and monitoring the clipboard. It exfiltrates data to its command-and-control server using SMTP and Telegram bots. FortiSandbox's advanced AI engine, PAIX, detected the malware through static and dynamic analysis, revealing its use of AutoIt for obfuscation, process hollowing techniques, and persistence mechanisms. The keylogger also employs specialized modules to steal credit card details and leverages the SetWindowsHookEx API for keystroke capture.
Tags
Date
- Created: Feb. 20, 2025, 8:49 a.m.
- Published: Feb. 20, 2025, 8:49 a.m.
- Modified: Feb. 20, 2025, 8:58 a.m.
Indicators
- 7e9b9833268dae6e33c83b582ec7fb353f0dc6514f869e3228f0effa161da00f
- 51.38.247.67
- http://51.38.247.67:8081/_send_php?L
Additional Information
- Taiwan
- China
- Spain
- Indonesia