A newly detected information-stealing campaign is preying on the financial vigilance of companies, utilizing well-crafted phishing emails to install the dangerous Snake Keylogger malware. Security analysts have detailed how the attackers are successfully infiltrating corporate networks by leveraging a simple but effective social engineering tactic: disguising the malware as essential remittance documents from established firms.
The Phishing Lure: A False ‘Remittance’
The initial vector of the attack is a targeted email, designed to look like a standard payment notification or remittance advice from recognized corporate services like CPA Global or Clarivate. The emails, titled similarly to “remittance advice for the payment dated…,” urge recipients to download an attached file. Crucially, these attachments are delivered as a compressed ZIP archive or, more stealthily, an ISO disk image. The use of the ISO container is a tactic specifically designed to bypass older security systems that may only scan traditional ZIP files, providing an initial layer of defense evasion. Once a user attempts to open the deceptive payment document, the infection chain is launched.
Sneaking Past Defenses with PowerShell
The file hidden within the ISO or ZIP is not a payment document, but a malicious BAT script. Upon execution, this script silently calls upon the native Windows management tool, PowerShell. The script uses a specific command to download the core Snake Keylogger payload, often named loader.exe, and runs it in a way that minimizes visible indicators on the victim’s screen.
The malware’s lightweight executable then uses sophisticated Windows features, such as injecting its code into legitimate running processes like explorer.exe or svchost.exe. This process injection technique helps the keylogger blend in with normal system activity, further complicating detection by standard endpoint security software.
FCRF Launches CCLP Program to Train India’s Next Generation of Cyber Law Practitioners
Capturing Credentials and the “SysUpdate” Gambit
Once active, the Snake Keylogger begins its primary task: gathering sensitive data. It hooks into browser processes and keylogging systems to capture vital information, including login credentials, session tokens, and keystrokes. The stolen data is compressed and then sent back to the attacker’s server—known as the command-and-control (C2) endpoint—over standard HTTP Post requests, making the exfiltration traffic appear non-suspicious. To ensure a long-term presence, the malware also establishes persistence. It creates a scheduled task named “SysUpdate” that automatically relaunches the keylogger every hour. This mechanism guarantees that the malicious software will restart even if the user or a security system attempts to terminate the rogue process.
Protecting Against the Serpent’s Bite
Security teams are urging organizations to take immediate steps to mitigate this threat. The first line of defense is user awareness training, specifically scrutinizing all payment-related emails, regardless of the sender’s perceived legitimacy. Technically, organizations should enforce robust attachment-sandboxing policies, particularly for ISO files, and enhance logging to detect unusual process injection activities. Monitoring the specific Indicators of Compromise (IoCs)—such as the unique file hashes, the malicious domains, and the scheduled task name “SysUpdate”—is critical. Blocking these indicators at the network perimeter and endpoint will help disrupt the attack chain and prevent data loss.
