Snake Keylogger Slithers into Windows to Steal Credentials

A new variant of Snake Keylogger has emerged, primarily targeting Windows users in Asia and Europe. This strain is delivered as an executable compiled from AutoIt, a BASIC-like scripting language, which wraps the payload in a form that signature-based scanners handle poorly. The malware logs keystrokes, captures screenshots, and collects clipboard data to steal sensitive information, including usernames and passwords.

Once running, the keylogger sends the stolen data back to the attacker over one of several channels: SMTP email, a Telegram bot, or HTTP POST requests. Fortinet's malware hunters found that the new variant's executable is an AutoIt-compiled binary that unpacks and runs the keylogger when executed.

The use of AutoIt complicates static analysis because the payload is embedded inside the compiled script: a scanner sees the AutoIt interpreter stub and an opaque blob rather than the keylogger itself, so traditional antivirus signatures are less likely to match. The new variant also maintains persistence by dropping a second file into the user's Startup folder, so the keylogger is relaunched automatically each time the user logs on.

The malware injects its payload into a legitimate .NET process using process hollowing: the legitimate binary is started in a suspended state, its in-memory image is replaced with the keylogger, and the process is resumed, so the malicious code runs under a trusted process name. It captures keystrokes with a low-level keyboard hook (WH_KEYBOARD_LL) installed through the SetWindowsHookEx API, which lets it collect banking credentials and other sensitive input. Before exfiltration it determines the victim's public IP address by querying an external IP-lookup web service, then sends the captured data over one of the channels described above.
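The behaviours described in the two paragraphs above (a Startup-folder drop, a legitimate .NET binary spawned from a user-writable path, and an IP lookup followed by SMTP or Telegram traffic) are all visible in endpoint telemetry. The script below is an added hunting example written for this page, not code from Fortinet or The Register. It runs three heuristics over constructed Sysmon-style events; the event records, paths, host names, the list of candidate .NET host binaries, and the IP-lookup host are all assumptions made for the demo, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). id 1 = process create,
# 11 = file create, 3 = network connection. All paths and hosts are illustrative.
STARTUP_FOLDER = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DOTNET_HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"

SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": DROPPER, "parent_image": r"C:\Program Files\Mail\mail.exe"},
    {"id": 11, "pid": 4100, "image": DROPPER, "target": STARTUP_FOLDER + r"\update.vbs"},
    {"id": 1, "pid": 4188, "image": DOTNET_HOST, "parent_image": DROPPER},
    {"id": 3, "pid": 4188, "image": DOTNET_HOST, "dest_host": "checkip.example", "dest_port": 80},
    {"id": 3, "pid": 4188, "image": DOTNET_HOST, "dest_host": "smtp.example", "dest_port": 587},
    # Benign control: a developer tool spawning the same .NET binary, no exfil pattern.
    {"id": 1, "pid": 5000, "image": DOTNET_HOST,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"id": 3, "pid": 5000, "image": DOTNET_HOST, "dest_host": "nuget.example", "dest_port": 443},
]

# User-writable locations a dropper typically runs from (assumed pattern for the demo).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# .NET utilities commonly abused as hollowing hosts. Assumed list: the page only
# says "a legitimate .NET process".
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# Exfil channels named on the page: IP lookup first, then SMTP or the Telegram Bot API.
# The lookup host is a made-up name for the demo.
IP_LOOKUP_HOSTS = {"checkip.example"}
SMTP_PORTS = {25, 465, 587}
TELEGRAM_API = "api.telegram.org"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def startup_folder_drops(events):
    """File-create events landing in the Startup folder, written by an image in a user-writable path."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 11 and STARTUP_RE.search(e["target"])
            and USER_WRITABLE.search(e["image"])]


def suspicious_dotnet_hosts(events):
    """Process-create events where a .NET utility is spawned by an executable in a
    user-writable path: the shape that hollowing into a binary like RegSvcs.exe leaves."""
    return [e["pid"] for e in events
            if e["id"] == 1 and basename(e["image"]) in DOTNET_HOSTS
            and USER_WRITABLE.search(e["parent_image"])]


def exfil_after_ip_lookup(events):
    """PIDs whose network activity shows an IP lookup followed by SMTP or Telegram traffic."""
    seen_lookup, flagged = set(), []
    for e in events:
        if e["id"] != 3:
            continue
        host, port, pid = e["dest_host"].lower(), e["dest_port"], e["pid"]
        if host in IP_LOOKUP_HOSTS:
            seen_lookup.add(pid)
        elif pid in seen_lookup and (port in SMTP_PORTS or host == TELEGRAM_API):
            if pid not in flagged:
                flagged.append(pid)
    return flagged


def hunt(events):
    """Collect the heuristic hits per PID; a PID with several reasons deserves triage first."""
    hits = defaultdict(set)
    for pid, _target in startup_folder_drops(events):
        hits[pid].add("startup_drop")
    for pid in suspicious_dotnet_hosts(events):
        hits[pid].add("dotnet_host_from_user_dir")
    for pid in exfil_after_ip_lookup(events):
        hits[pid].add("ip_lookup_then_exfil")
    return {pid: sorted(reasons) for pid, reasons in hits.items()}


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The benign control (a developer tool launching the same .NET binary) is included to show that the hollowing heuristic keys on the parent's location rather than on the host binary alone; in production the parent-path pattern and the lookup-host list would come from your own baseline and threat intelligence, and the per-PID hits should be joined to the process tree so the dropper and the hollowed child are triaged as one chain.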

Users are advised to be cautious when opening email attachments or clicking on links from unknown sources, since this variant of Snake Keylogger is delivered through phishing emails rather than spreading on its own.

Source: https://www.theregister.com/2025/02/18/new_snake_keylogger_infects_windows