Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials

A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries). The campaign distributes files disguised as contractual documents, specifically using the filename ‘TEKLİF İSTEĞİ — TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe’ to deceive recipients into executing the payload.

The Snake Keylogger variant demonstrates advanced persistence capabilities and sophisticated evasion techniques that allow it to operate undetected within [compromised systems](https://cybersecuritynews.com/hackers-compromise-20k-fortigate-systems/). Once executed, the malware immediately establishes multiple layers of persistence while simultaneously implementing anti-detection mechanisms to ensure long-term access to victim systems. The campaign’s targeted approach toward defense industry contractors indicates a strategic focus on high-value intelligence gathering.

Malwation researchers [identified](https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger) this particular strain during their analysis of recent phishing campaigns, noting the malware’s use of legitimate Windows utilities to maintain persistence and evade security controls.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE13nUjwkRd80G9claLfiCOEOY6RCKD8xT6ckNnm76izwS6jX6Z-kQz2xUfmMZfd1BKn8DKZyWqAImAfBABOGo6RivkWOI7nLZAGtop5jJKvQp4uJlR9oxLc_K1qxehXk6zBibWPYAxwx8jvKFJ-nivqFt8JVf9fUl7hx63PEaQ8pSNqXQCstNPU5Ie2c/s16000/Threat.Zone%20(Source%20-%20Malwation).webp)

Threat.Zone (Source — Malwation)

The sample, with SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, presents as a PE32 executable written in .NET, utilizing multiple unpacking layers to conceal its true functionality. The keylogger’s primary targets include credentials, cookies, and financial information extracted from over 30 different browsers and email clients, including Chrome, Firefox, Outlook, and Thunderbird.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitM0fIoHxE1s3TzUW2UOd4QqAHh-6EidcfyNiEW3kIHQG9QXrV22Bg8-I_v-iGbYiT1MgDJ5qZ4o_oNgsEjRACKg_F2TjKWVyU4jCnKi_zDXSAzZ2obTO7Q7W9V4OPsWSRHNvMw30NqDPDnaIn7k-0Qj5zjVWKYVS2io1hs8AtTTSCt7ioC6ZRHnBfWp0/s16000/Snake%20Keylogger%20Functionalities%20(Source%20-%20Malwation).webp)

Snake Keylogger Functionalities (Source — Malwation)

Additionally, the malware harvests autofill data, credit card information, download histories, and top sites from compromised systems before exfiltrating the stolen data via SMTP to mail.htcp.homes servers.

**Advanced Persistence and Evasion Mechanisms**

The malware employs a dual-pronged approach to establish [persistence](https://cybersecuritynews.com/detecting-and-responding-to-new-nation-state-persistence-techniques/) while evading detection systems. Upon execution, it immediately invokes PowerShell to add itself to Windows Defender’s exclusion list using the command `Add-MpPreference -Excl`, effectively neutralizing the built-in antimalware protection for its own files. This operation is executed through the NtCreateUserProcess system call, launching [powershell](https://cybersecuritynews.com/hackers-actively-exploiting-powershell/).exe with elevated privileges to modify security configurations.

Simultaneously, the [malware](https://cybersecuritynews.com/chatgpt-powered-malware-analysis/) creates a scheduled task named ‘Updates–oNqxPR’ using schtasks.exe to ensure automatic execution at system startup. The scheduled task creation process involves generating an XML configuration file that defines the execution parameters, allowing the malware to persist across system reboots without user interaction. This technique leverages legitimate [Windows task scheduling](https://cybersecuritynews.com/windows-task-scheduler-vulnerability/) functionality, making detection significantly more challenging for traditional security solutions.

The post [Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials](https://cybersecuritynews.com/snake-keylogger-evades-windows-defender/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
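Both persistence mechanisms described above leave artifacts an administrator can audit from PowerShell: the Defender exclusion list itself, scheduled tasks whose action runs a binary from a user-writable directory, and the event log entries Windows writes when either changes. The script below is an added example written for this article; it is not code from the article, from Malwation, or from the malware. It assumes a Windows 10/11 host with the Defender and ScheduledTasks modules, an elevated session (exclusion lists are hidden from non-admin callers on recent builds), and, for the Security log check, that "Audit Other Object Access Events" is enabled so that task creation is recorded.

```powershell
# Added example: audit a host for the two persistence artifacts discussed in the
# article (Defender exclusions and startup scheduled tasks). Not the article's
# or Malwation's code. Run from an elevated PowerShell session.

# Directories a user-level process can write to; an exclusion or a task action
# pointing here deserves a closer look. (Assumed list, adjust to your estate.)
$userWritable = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads'), 'C:\Users\Public'
)

function Test-UserWritablePath {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $userWritable) {
        if ($dir -and $expanded -like "$dir*") { return $true }
    }
    return $false
}

# 1. Defender exclusions. Any entry is worth reviewing; flag those under
#    user-writable locations, which is where a dropped payload would live.
Write-Host '== Windows Defender exclusions =='
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind)) {
        if (-not $item) { continue }
        $flag = if ($kind -ne 'ExclusionExtension' -and (Test-UserWritablePath $item)) {
            '  <-- user-writable location'
        } else { '' }
        '{0,-19} {1}{2}' -f $kind, $item, $flag
    }
}

# 2. Scheduled tasks whose action executes from a user-writable directory.
#    Legitimate tasks almost always run from Program Files or Windows.
Write-Host "`n== Scheduled tasks executing from user-writable locations =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-UserWritablePath $action.Execute)) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Execute  = $action.Execute
                Args     = $action.Arguments
                Author   = $task.Author
                State    = $task.State
            }
        }
    }
} | Format-Table -AutoSize

# 3. Recent configuration changes. Defender logs every settings change as
#    event 5007 in its Operational log; the Security log records task
#    registration as 4698 when object-access auditing is enabled.
Write-Host "`n== Defender configuration changes (last 7 days, event 5007) =="
try {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction Stop |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message | Format-List
} catch { Write-Host "No matching events: $($_.Exception.Message)" }

Write-Host "`n== Scheduled task registrations (last 7 days, event 4698) =="
try {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction Stop |
        Select-Object TimeCreated, Message | Format-List
} catch { Write-Host "No matching events: $($_.Exception.Message)" }
```

The 5007 filter on the word "Exclusions" is deliberately coarse; Defender writes the old and new value of the changed setting into the message body, so a hit shows exactly which path or process was excluded and when, which lines up with the process-creation telemetry for the powershell.exe launch the article describes.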

Related Tags:

- NAICS: 927 – Space Research And Technology
- NAICS: 336 – Transportation Equipment Manufacturing
- NAICS: 541 – Professional, Scientific, Technical Services
- NAICS: 92 – Public Administration
- NAICS: 33 – Manufacturing – Metal, Electronics And Other
- NAICS: 928 – National Security And International Affairs
- schtasks
- schtasks.exe
- Blog: Cybersecurity News

Associated Indicators:

- mail.htcp.homes