July 21, 2025
Severity
High
Analysis Summary
A recent phishing campaign targeting the defense and aerospace sectors has been uncovered. It uses fraudulent emails that impersonate Aerospace Industries to deliver a stealthy variant of the Snake Keylogger malware. The attackers use a deceptive filename that masquerades the malicious payload as a legitimate contractual document to lure recipients into executing it. The campaign appears to be strategically focused on collecting high-value intelligence from sensitive organizations within the defense industry.
According to the researcher, upon execution the Snake Keylogger variant immediately sets up multiple layers of persistence and anti-detection techniques to maintain long-term access. It invokes PowerShell commands to add itself to the Windows Defender exclusion list, effectively blinding the built-in antivirus to its files. This is done through the NtCreateUserProcess API call, which the malware uses to launch PowerShell with elevated privileges. In parallel, it creates a scheduled task named “Updates\oNqxPR” via schtasks.exe, using an XML-based task configuration to ensure execution at every system startup. This allows the malware to persist across reboots without raising suspicion.
The malware sample, identified by SHA-256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, is a PE32 executable written in .NET. It uses multiple unpacking layers to obscure its true behavior, complicating reverse-engineering efforts. During analysis by Malwation researchers, the malware demonstrated extensive abuse of legitimate Windows utilities to stay hidden from traditional security controls. This reliance on native OS components for both evasion and persistence indicates a well-crafted and advanced threat.
Functionally, Snake Keylogger focuses on the exfiltration of sensitive user data, including credentials, cookies, and financial information, from more than 30 browsers and email clients such as Chrome, Firefox, Outlook, and Thunderbird. It also harvests autofill data, credit card numbers, download history, and frequently visited sites, and sends the stolen data via SMTP to a command-and-control server at mail.htcp.homes. The combination of sophisticated evasion, persistence mechanisms, and targeted victimology suggests a highly coordinated cyber-espionage operation, underlining the growing threat to defense contractors and critical infrastructure entities in the region.
Impact
- Data Exfiltration
- Gain Access
- Security Bypass
Indicators of Compromise
MD5
- 7b08debe8d794823e28821fa8f4a0750
- 62148599ed6d8c875296c07631ffef53
SHA-256
- 2859b8700fc6111c40b806d114c43e2e3b4faa536eeab57d604818562905b911
- 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4
SHA-1
- 5b49ba8c87cd7be7e11950094594e3794a16a79c
- 5114bb17bb8e917527fd1a232e8f646b6f95e3c2
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement advanced email filtering and sandboxing, and block executable attachments that use double extensions such as .xlsx.exe.
- Restrict PowerShell usage to administrators and enforce execution policies via Group Policy.
- Regularly audit scheduled tasks and prevent unauthorized task creation through administrative restrictions.
- Use application whitelisting tools like AppLocker or WDAC to block unknown or unsigned applications.
- Deploy Endpoint Detection and Response (EDR) solutions to catch behavior-based anomalies (e.g., suspicious use of PowerShell.exe, schtasks.exe).
- Monitor and alert on changes to Windows Defender exclusion lists using event logs or SIEM.
- Conduct regular phishing awareness and simulation training for employees to recognize spoofed emails and attachments.
- Keep all systems and software up to date with the latest security patches to minimize exploitable vulnerabilities.
- Enforce least privilege access controls to limit the impact of potential malware execution.
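To operationalise the scheduled-task and Defender-exclusion monitoring recommended above, here is an added detection sketch (not part of the advisory or the researchers' work) run over constructed Windows event records: Defender Operational event 5007 (configuration changed), Security 4698 (scheduled task created) and Security 4688 (process creation with command-line auditing enabled). The file paths, registry text and the benign task are constructed samples; only the task name Updates\oNqxPR comes from the advisory.

```python
import re

# Constructed sample events modelled on the three Windows event types above.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\victim\\AppData\\Roaming\\contract.exe = 0x0"},
    {"channel": "Security", "id": 4698,
     "message": "A scheduled task was created. Task Name: \\Updates\\oNqxPR "
                "Task Content: <Triggers><LogonTrigger/></Triggers><Exec><Command>"
                "C:\\Users\\victim\\AppData\\Roaming\\contract.exe</Command></Exec>"},
    {"channel": "Security", "id": 4688,
     "message": "A new process has been created. New Process Name: "
                "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                "Process Command Line: powershell -Command Add-MpPreference "
                "-ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming'"},
    {"channel": "Security", "id": 4698,  # benign control: system task, system path
     "message": "A scheduled task was created. Task Name: \\Microsoft\\Windows\\Backup "
                "Task Content: <Exec><Command>C:\\Windows\\System32\\sdclt.exe</Command></Exec>"},
]

# Directories a standard user can write to; a task launching from here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# PowerShell cmdlets that add or replace Defender exclusions.
EXCLUSION_CMD = re.compile(r"(Add-MpPreference|Set-MpPreference).*-Exclusion", re.I)

def classify(event):
    """Return a detection label for one event dict, or None if it looks benign."""
    msg, eid = event["message"], event["id"]
    if eid == 5007 and "\\Exclusions\\" in msg:
        # Any Defender configuration change touching the Exclusions subtree.
        return "defender-exclusion-changed"
    if eid == 4688 and "powershell" in msg.lower() and EXCLUSION_CMD.search(msg):
        return "powershell-defender-exclusion"
    if eid == 4698:
        name = re.search(r"Task Name: (\S+)", msg)
        cmd = re.search(r"<Command>(.*?)</Command>", msg)
        task = name.group(1).lower() if name else ""
        path = cmd.group(1) if cmd else ""
        if task.startswith("\\updates\\") or USER_WRITABLE.search(path):
            return "suspicious-scheduled-task"
    return None

def scan(events):
    """Return (label, event id) for every event that triggers a rule, in order."""
    hits = [(classify(e), e["id"]) for e in events]
    return [h for h in hits if h[0] is not None]

if __name__ == "__main__":
    for label, eid in scan(SAMPLE_EVENTS):
        print(f"ALERT {label} (event {eid})")
```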