Snake Campaign Used Executable File Packed with Dinosaur Game


Malicious actors packed a dinosaur game into an executable file as part of their efforts to distribute the Snake keylogger.

Breaking Down the Attack Email

In the middle of March, the 秋葵视频色 | AppRiver team detected one of the campaign’s attack emails.

The message arrived with the subject line “RE: PAYMENT INSTRUCTIONS,” and it appeared to have originated from administrative personnel working within an unnamed organization’s “Accounts Department.”

Using those features as camouflage, those responsible for this campaign informed the recipient that they had twice attempted to wire payment to their account for an unspecified good or service but had encountered issues along the way. They went on to instruct the recipient to open an attached set of instructions to ensure that they could receive payment this time around.

Screenshot of the attack email. (Source: 秋葵视频色 | AppRiver)

It’s clear from the screenshot above that the attack email was a fake. The grammar mistakes and awkward phrasings were the first giveaway that something was off. As an example, whoever crafted the email started their message with the formal salutation “Dear Sir” but then abbreviated “Please” and for some reason capitalized “Find Attached” in the first sentence.

There was also this beauty of a sentence in the third paragraph:

“Please confirm from the attached instruction if there are missing figures in account details and make corrections were necessary so we can repeat payment again.”

Second, the attackers didn’t send the “payment instructions” in a familiar document type that the recipient might have expected. A Word document or Excel spreadsheet would have made sense, for instance. But who sends payment instructions as an executable file?

It’s therefore no surprise that this file contained Snake. One caveat on the history, because the name is overloaded: the Russian-made “Snake” that Malwarebytes traces back to at least 2008, and whose macOS variant Fox-IT found nearly a decade later, is the Turla espionage framework (also known as Uroburos). The Snake keylogger seen in this campaign, also sold as the “404 Keylogger,” is a separate commodity .NET credential stealer that appeared on underground markets around 2020 and is the family that turns up in mass phishing. A few years after the Fox-IT finding, Lastline spotted attackers using COVID-19 as a lure to spread Snake and other well-known infostealers.


The Surprise of This Payment Instruction Malware Campaign

Troy Gill, manager of security research, analyzed the executable file attached to the campaign鈥檚 attack email. He found a surprise in the process.

“The malicious actors packed a dinosaur game into this executable file,” he told me in an email. “There are also references in here to ‘TRexUI.’ This could potentially be Google Chrome’s offline dinosaur game. This is a relatively common tactic to pack legitimate programs like games into malicious executables to try and evade detection.”

Screenshot of the executable file. (Source: 秋葵视频色 | AppRiver)

Gill also said that he didn鈥檛 believe the attacks he was observing as part of this campaign were associated with state-sponsored activity. He said that the variant was most likely one that had been repurposed by a digital crime group and sold on an underground web marketplace.

How to Defend Against an Evasive Snake Campaign

The attack email discussed above shows why organizations need to harden their defenses against email campaigns carrying well-known keyloggers, even ones hidden behind a decoy program. Part of the answer is an email security layer that scans inbound messages for malware signatures, campaign patterns, sender IP addresses and other indicators of known threat behavior, and does so in real time so that legitimate business correspondence still reaches its recipients promptly. A simpler control belongs alongside it: reject inbound executable attachments outright, identifying them by their file content rather than by their extension, since no legitimate counterparty sends payment instructions as an .exe. Packing in a game changes what a signature sees; it does not change the fact that an executable is arriving where no executable should.
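The two checks above, and the decoy-program packing described in the previous section, can be demonstrated with a small static triage script. This is an added example, not code from 秋葵视频色 | AppRiver or from the campaign: it parses an inbound message, identifies Windows executables by their PE header regardless of what the filename claims, hashes them, and scans their printable strings for markers of a bundled decoy program. The sample message is constructed here; “TRexUI” is the string named in the article, while the second marker, the attachment names and the blocking policy are assumptions for illustration.

```python
"""Static triage of inbound e-mail attachments (added example).

Answers two questions raised above: is the attachment really a Windows
executable, whatever its name says, and does it carry strings from a
legitimate program packed in as cover?  The sample message is constructed.
"""
import email
import email.policy
import hashlib
import re
import struct
from email.message import EmailMessage

# Strings suggesting a legitimate program was bundled in as cover.
# "TRexUI" is from the sample described above; "Minesweeper" is an assumption.
DECOY_MARKERS = (b"TRexUI", b"Minesweeper")
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}


def is_pe(data: bytes) -> bool:
    """True when the bytes carry a Windows PE header, regardless of filename."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Crude `strings`: ASCII runs plus UTF-16LE runs, returned as bytes."""
    pattern_ascii = rb"[\x20-\x7e]{%d,}" % min_len
    pattern_wide = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    runs = re.findall(pattern_ascii, data)
    runs += [w.decode("utf-16-le").encode() for w in re.findall(pattern_wide, data)]
    return runs


def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: hash, PE check, extension lie, decoy strings."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    pe = is_pe(data)
    strings = printable_strings(data)
    markers = sorted(m.decode() for m in DECOY_MARKERS if any(m in s for s in strings))
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": pe,
        "extension_mismatch": pe and ext not in EXEC_EXTENSIONS,
        "decoy_markers": markers,
        # Assumed policy: no inbound executables at all, however they are named.
        "block": pe,
    }


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [
        triage_attachment(part.get_filename() or "(unnamed)", part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]


def fake_pe(tail: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew -> 'PE\\0\\0', then tail."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header) + tail


def build_sample_eml() -> bytes:
    """Constructed lure modelled on the article: an .exe 'payment instruction'."""
    msg = EmailMessage()
    msg["Subject"] = "RE: PAYMENT INSTRUCTIONS"
    msg["From"] = "accounts@example.com"      # assumed sender
    msg["To"] = "victim@example.net"          # assumed recipient
    msg.set_content("Dear Sir, Pls Find Attached the payment instruction.")
    # ASCII and UTF-16LE copies of the decoy marker, as a packed game might leave them.
    payload = fake_pe(b"\x00" * 8 + b"TRexUI" + b"\x00" * 4 + "TRexUI".encode("utf-16-le"))
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="PAYMENT INSTRUCTIONS.exe")
    msg.add_attachment("Nothing to see here.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in triage_message(build_sample_eml()):
        print(verdict)
```

The PE check looks only at the header, so it catches an executable renamed to .pdf just as readily as a plain .exe; the string scan is a triage aid for an analyst, not a signature, and the marker list will need tuning for whatever decoy programs turn up in your own telemetry.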

Learn how the email threat protection tools from 秋葵视频色 | AppRiver can help to keep your organization safe against a Snake attack.