Analysis Summary

A highly sophisticated phishing campaign has been uncovered, distributing the Snake Keylogger malware by exploiting legitimate Java utilities to bypass security systems. Originating from Russian cybercriminals, this . NET-based malware is offered as part of a Malware-as-a-Service (MaaS) model, allowing broader distribution among threat actors. The attackers use spear-phishing emails themed around petroleum product sales, specifically impersonating major oil companies, to target organizations in the energy sector. This social engineering tactic aligns with the heightened geopolitical tension in the Middle East, particularly concerning oil logistics through the Strait of Hormuz.

According to the Researcher, what makes this campaign particularly notable is its abuse of jsadebugd.exe, a legitimate Java debugging tool that had not previously been documented in malware operations. The attackers demonstrate deep system knowledge by leveraging this trusted binary to execute payloads undetected. Victims receive compressed email attachments containing a renamed version of jsadebugd.exe, crafted to appear as petroleum-related documents. Once executed, the malware initiates DLL sideloading by loading malicious code via the jli.dll library, which then injects the Snake Keylogger into InstallUtil.exe, a legitimate Windows tool, a move that boosts stealth and evasion.

The campaign’s most advanced technique involves binary header manipulation. The Snake Keylogger payload is stored within concrt141.dll, with the malicious code strategically placed just before the standard “MZ” header of a PE file. This subtle shift in structure makes it difficult for signature-based antivirus tools to detect the threat, as many rely on conventional PE header analysis. An example from the malware's hex structure shows the malicious segment preceding the MZ signature as a clear indication of deliberate obfuscation aimed at fooling security tools while preserving the file’s appearance as a legitimate DLL.

For persistence, the malware modifies the Windows Registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Run, enabling automatic execution on system boot. It also copies its components to %USERPROFILE%\SystemRootDoc, embedding itself further into the system. Once active, Snake Keylogger extracts credentials from over 40 applications including Chrome, Firefox, Outlook, and FileZilla. It uses legitimate services like reallyfreegeoip.org to gather system information, enhancing its profiling capabilities. The stolen data is exfiltrated via SMTP to attacker-controlled email accounts, completing a full-cycle credential harvesting and exfiltration operation with a high degree of stealth and sophistication.

Impact

• Sensitive Data Theft
• Security Bypass
• Gain Access

Indicators of Compromise

Domain Name

Remediation

• Lock all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Update antivirus and endpoint detection systems with signatures that can detect abuse of legitimate binaries like jsadebugd.exe, InstallUtil.exe, and DLL sideloading patterns.
• Block or restrict execution of unnecessary binaries like InstallUtil.exe and Java debugging tools via application control or Windows Defender Attack Surface Reduction (ASR) rules.
• Implement strict email filtering to block spear-phishing emails with suspicious attachments or spoofed sender domains, especially those mimicking oil and energy companies.
• Educate employees on phishing awareness, especially around opening compressed attachments or executing unknown files.
• Monitor registry paths such as SOFTWARE\Microsoft\Windows\CurrentVersion\Run for unauthorized persistence entries.
• Use behavior-based threat detection to spot unusual process chains (e.g., jsadebugd.exe launching DLLs or invoking InstallUtil.exe).
• Isolate and analyze files that show abnormal PE structures, such as MZ headers not at standard offsets, using sandbox environments.
• Apply the principle of least privilege to user accounts to limit the impact of credential theft.
• Regularly audit and rotate credentials for applications targeted by Snake Keylogger (e.g., browsers, email clients, FTP tools).
• Block outbound SMTP traffic to unknown or suspicious mail servers to prevent data exfiltration.