Analysis of Phishing Activities Delivering Snake Keylogger via OneNote Documents

The original report is in Chinese, and this version is an AI-translated edition.

1. Overview

Recently, Antiy CERT has detected a phishing activity that uses OneNote documents to deliver the Snake Keylogger spyware. The attackers send phishing emails to users, luring them to open the OneNote document attached, and execute the malicious file hidden beneath an image in the OneNote document, thereby running the Snake Keylogger spyware on the user’s host.

Since Microsoft announced that macros in Office documents are blocked by default, attackers have been trying other file types as new carriers for malware. Phishing activity that uses OneNote documents to spread malicious files has increased since the end of 2022, and multiple malware families are currently distributed this way, including Snake Keylogger, AsyncRAT, QBot, Emotet, IcedID, Formbook, RedLineStealer and AgentTesla. Attackers usually insert into the OneNote document a blurry image, or one related to the subject of the phishing email, and lure the user into double-clicking a specified part of it to "view" it. Any type of malicious file can be embedded in the document, and several identical copies of the malicious file are stacked beneath the image so that, wherever the user double-clicks within the specified area, one of them is selected. If the user ignores the risk warning and continues, the malicious file carries out the rest of the attack chain.

The Snake Keylogger spyware emerged at the end of 2020 and is written in .NET. It can log keystrokes, take screenshots, read clipboard content and steal usernames and passwords saved in target applications, and it supports multiple channels for sending data off the victim's host. On an infected system it hides itself, establishes persistence, collects and monitors data, and transmits the sensitive data the attacker wants, causing serious consequences such as financial loss and reputational damage to the victim. Attackers can also use the stolen data for follow-on attacks.

It has been verified that the Antiy IEP (Intelligent Endpoint Protection System) can prevent OneNote from running malicious executables and effectively detect and remove this spyware.

2. ATT&CK mapping of the event

Antiy has mapped the complete process by which the attacker delivers the spyware onto ATT&CK, as shown in the following figure.

Figure 2-1 Mapping of Technical Features to ATT&CK

The techniques used by the attacker are listed in the table below.

Table 2-1 Techniques used by the attacker

ATT&CK tactic | Technique | Notes
Resource Development | Acquire Infrastructure | Server for receiving exfiltrated data
Resource Development | Stage Capabilities | Malicious files hosted on a file hosting site
Initial Access | Phishing | Delivered by phishing email
Execution | Command and Scripting Interpreter | Executes a VBS script and PowerShell commands
Execution | User Execution | Lures the user into running the malicious file
Persistence | Scheduled Task/Job | Creates a scheduled task for persistence
Defense Evasion | Deobfuscate/Decode Files or Information | Decodes the multi-layer payloads
Defense Evasion | Indicator Removal | Deletes the XML file used to create the scheduled task
Defense Evasion | Obfuscated Files or Information | Encrypts the multi-layer payloads
Defense Evasion | Process Injection | Injects the final Trojan payload
Credential Access | Unsecured Credentials | Reads credentials from insecurely stored application data and the registry
Discovery | Application Window Discovery | Collects window information for the keylogger
Discovery | File and Directory Discovery | Looks for target applications in specified directories
Discovery | Query Registry | Queries the registry for application information
Discovery | System Information Discovery | Collects system information
Discovery | System Network Configuration Discovery | Collects the system network configuration
Discovery | System Time Discovery | Collects the system time
Collection | Clipboard Data | Collects clipboard data
Collection | Data from Local System | Collects data from the local system
Collection | Input Capture | Keylogging
Collection | Screen Capture | Takes screenshots
Exfiltration | Automated Exfiltration | Automatically exfiltrates stolen data
Exfiltration | Exfiltration Over Alternative Protocol | Sends data via FTP, SMTP and Telegram
Exfiltration | Scheduled Transfer | Exfiltrates data at regular intervals

3. Recommendations for protection

To defend effectively against attacks of this kind and raise the overall level of protection, Antiy recommends that enterprises take the following measures:

3.1 Identify phishing mail

1. Check the sender: be wary of "business mail" from senders outside the organization;

2. Check the recipient address: be alert to mass mailings, and contact the sender to confirm;

3. Check the delivery time: be wary of mail sent outside working hours;

4. Check the subject: be wary of subjects containing keywords such as "order", "bill", "wage subsidy" and "purchase";

5. Check the greeting: be alert to generic greetings such as "Dear", "Dear user" or "Dear colleague";

6. Check the purpose of the text: be alert to emails that ask for the account password under the pretext of a "system upgrade", "system maintenance" or "security settings";

7. Check the body: be alert to embedded web links, especially shortened links;

8. Check the attachment: scan attachments with anti-virus software before opening them.

3.2 Daily Email security usage protection

1. Install endpoint protection software: install endpoint protection software, enable its email-attachment scanning feature, run regular security scans of the system and patch system vulnerabilities.

2. Email login password: set a password of adequate complexity (containing three character classes), do not write it down anywhere visible in the office, and change it regularly.

3. Bind the email account to a mobile phone: once bound, the user can not only recover the password but also receive an "abnormal login" SMS alert and respond immediately.

4. Protect important documents:

(1) Promptly clear important mail that is no longer needed from the inbox, outbox and trash;

(2) Back up important files so they are not lost after an attack;

(3) Encrypt important emails and attachments before sending, and never include the decryption password in the message body.

5. Protect sensitive information: do not publish sensitive information on the Internet. Information that users post online is collected by attackers, who analyse it to craft targeted phishing emails.

3.3 Government, enterprise and institutional protection

1. Install endpoint protection software: install anti-virus software; Antiy IEP is recommended;

2. Strengthen passwords: avoid weak passwords, use passwords of 16 characters or more combining upper- and lower-case letters, digits and symbols, and do not reuse the same password across multiple servers;

3. Deploy an intrusion detection system (IDS): deploy traffic-monitoring software or appliances to help discover, trace and attribute malicious code. Taking network traffic as its detection and analysis object, Antiy PTD accurately detects large volumes of known malicious code and network attack activity, and effectively detects suspicious behaviour, assets and unknown threats on the network;

4. Security services: in the event of a malware attack, isolate the affected host promptly, preserve the scene and wait for a security engineer to examine the machine; 24/7 service hotline: 400-840-9234.

It has been verified that Antiy IEP can prevent OneNote from launching malicious executables, and can effectively detect and remove this spyware.

Figure 3-1 The effective protection against the user system implemented by Antiy IEP

4. Attack process

4.1 Attack flowchart

The attacker sends a phishing email that lures the user into opening the attached OneNote document and running the ee.vbs script hidden under the picture in it. ee.vbs downloads the eme.ps1 script from a file hosting site; the PowerShell script drops and runs an executable, which in turn drops and loads several DLL files and finally injects Snake Keylogger into a newly created child process. Snake Keylogger logs keystrokes, takes screenshots, reads clipboard content and steals usernames and passwords from target applications, and exfiltrates the data over one of three channels: FTP, SMTP or Telegram.

Figure 4-1 Attack flowchart

4.2 Using OneNote documents to spread malicious files

The attacker inserts a blurry image into the OneNote document, inducing the user to double-click the specified location to view it.

Figure 4-2 OneNote document page

Three copies of ee.vbs are hidden under the text "Double click here to view", so whichever spot in that area the user double-clicks, one of the script files is selected. If the user ignores the risk warning and continues, the script carries out the rest of the attack chain, which is detailed in the "Sample analysis" section in Chapter 5.

Figure 4-3 Malicious script hiding under the picture
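The hiding trick described above works because OneNote stores each embedded file as a FileDataStoreObject inside the .one file, so a defender can enumerate every embedded object without opening the document in OneNote. The following is an added example, not code from the Antiy report: a Python scanner built on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 4 unused bytes, 8 reserved bytes, file data, footer GUID). It runs offline on a constructed stand-in document with three identical script stubs beside one image object, mirroring the three hidden ee.vbs copies; the stub contents, the filler bytes around the embedded objects and the CreateObject/WScript.Shell content heuristics are assumptions made for illustration.

```python
"""Scan a OneNote (.one) file for embedded file objects and report the risky ones.

Added example, not code from the Antiy report. It relies on the FileDataStoreObject
layout documented in Microsoft's MS-ONESTORE specification: header GUID
{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, 8-byte data length, 4 unused bytes,
8 reserved bytes, the raw file data, then footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}.
"""
import hashlib
import re
import struct
import sys
import uuid

HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Cheap content heuristics (assumption): a PE image, or script text that spawns a shell.
SCRIPT_MARKERS = re.compile(rb"CreateObject|WScript\.Shell|powershell|cmd\.exe", re.I)


def extract_embedded_files(blob):
    """Return one record per embedded file object found in the .one byte string."""
    records = []
    pos = 0
    while True:
        start = blob.find(HEADER_GUID, pos)
        if start == -1 or start + HEADER_SIZE > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, start + 16)  # cbLength, little-endian
        data_start = start + HEADER_SIZE
        data = blob[data_start:data_start + length]
        footer_at = data_start + length
        records.append({
            "offset": start,
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "is_pe": data[:2] == b"MZ",
            "looks_like_script": bool(SCRIPT_MARKERS.search(data)),
            "footer_ok": blob[footer_at:footer_at + 16] == FOOTER_GUID,
        })
        pos = data_start + max(length, 1)
    return records


def suspicious(records):
    """Objects a user could be tricked into launching: PE files or shell-spawning scripts."""
    return [r for r in records if r["is_pe"] or r["looks_like_script"]]


def _file_object(data):
    """Serialise one FileDataStoreObject (used only to build the constructed sample)."""
    return HEADER_GUID + struct.pack("<Q", len(data)) + b"\0" * 4 + b"\0" * 8 + data + FOOTER_GUID


def build_sample_document():
    """Constructed stand-in for the phishing .one file: one benign image object followed by
    three identical VBS stubs, mirroring the report's three hidden ee.vbs copies."""
    vbs_stub = b"' constructed stub, not the real ee.vbs\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n"
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    filler = b"\0" * 64  # stands in for the rest of the OneNote structure
    scripts = b"".join(_file_object(vbs_stub) for _ in range(3))
    return filler + _file_object(png_stub) + filler + scripts + filler


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_document()
    found = extract_embedded_files(raw)
    flagged = {r["offset"] for r in suspicious(found)}
    for r in found:
        verdict = "SUSPICIOUS" if r["offset"] in flagged else "ok"
        print(f"offset={r['offset']:#x} size={r['size']} md5={r['md5']} {verdict}")
    print(f"{len(found)} embedded object(s), {len(flagged)} suspicious")
```

Run it with the path of a .one attachment as the first argument to list every embedded object with its MD5; several objects sharing one hash, or any object that is a PE image or a shell-spawning script, is exactly the layering this report describes, and the hashes can be checked against the IoCs in Appendix I.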

5. Sample analysis

5.1 Sample labels

Table 5-1 Sample labels

Malware name | Trojan[PSW]/Win32.SnakeKeylogger
Original file name | Yfgcvyuffgtwfyutgfwtvfauyvf.exe
MD5 | efa3ef59eba11bae9d4c691e431a42db
Processor architecture | Intel 386 or later, and compatibles
File size | 127.50 KB (130,560 bytes)
File format | BinExecute/Microsoft.EXE[:X86]
Timestamp | 2022-11-11 13:29:43
Digital signature | None
Packer | None
Compiler language | .NET
VT first upload time | 2023-04-10 09:22:01
VT detection result | 58/70

5.2 ee.vbs

When the VBS script runs, it downloads the PowerShell script that the attacker pre-staged on a file hosting site to a specified path, and then executes that script file.

Figure 5-1 VBS script  

5.3 eme.ps1

When the PowerShell script runs, it Base64-decodes an embedded string, writes the decoded content to the directory C:\Users\Public under the name eme.pif, and runs it; eme.pif is an executable written in .NET.

Figure 5-2 PowerShell script 

5.4 eme.pif

When the executable runs, it retrieves the file C2200.dll from a resource with a specified name and calls a specified function in that DLL.

Figure 5-3 Get the first stage DLL file and call the specified function

C2200.dll is loaded, sleeps for 40 seconds, and then applies a fixed character substitution followed by Base64 decoding to a hard-coded string to obtain Cruiser.dll. Cruiser.dll is loaded and decodes two key strings: "UfVJ" is used to locate an image resource inside eme.pif, and "prh" is used to decode that image resource into Outimurs.dll.

Figure 5-4 Obtaining the Outimurs.dll file

Outimurs.dll is then loaded and a specified function in it is called.

Figure 5-5 Calling the specified function in Outimurs.dll

5.5 Outimurs.dll

Outimurs.dll performs three main functions: self-replication, creation of a scheduled task, and injection of the final payload.

5.5.1 Self-replication

It copies its own program to a new path under a new name.

Figure 5-6 Copy the self program to the new path

5.5.2 Create a scheduled task

It drops an XML file into the %temp% directory and creates the scheduled task from it.

Figure 5-7 Create a scheduled task using an XML file

After the scheduled task is created, the XML file is deleted.

Figure 5-8 Delete an XML file
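Detecting the sequence in 5.5.2 (a scheduled task registered from an XML file in %temp%, after which the XML is deleted) comes down to correlating a process-creation event for schtasks with a later file-deletion event for the same path. The block below is an added example, not code from the Antiy report. It consumes a constructed, simplified event format (time, event type, image, and either the command line or the deleted path) rather than real Sysmon or EDR telemetry, and the task name, user name, file names and timestamps in the sample are placeholders.

```python
"""Flag scheduled tasks registered from an XML file in a temp directory that is deleted
shortly afterwards (the persistence-then-cleanup sequence described in 5.5.2).

Added example, not code from the Antiy report. Input is a constructed event format:
    <ISO time>|ProcessCreate|<image>|<command line>
    <ISO time>|FileDelete|<deleting image>|<deleted path>
"""
import re
from datetime import datetime, timedelta

TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)

# Constructed sample telemetry; the task name, user and XML file name are placeholders.
SAMPLE_EVENTS = r"""
2023-04-10T09:30:01|ProcessCreate|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn "PLACEHOLDER_TASK" /xml "C:\Users\victim\AppData\Local\Temp\tmpA1B2.xml"
2023-04-10T09:30:02|FileDelete|C:\Users\Public\eme.pif|C:\Users\victim\AppData\Local\Temp\tmpA1B2.xml
2023-04-10T09:31:00|ProcessCreate|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\backup.xml"
2023-04-10T10:00:00|FileDelete|C:\Windows\explorer.exe|C:\Users\victim\Desktop\notes.txt
"""


def parse_events(text):
    """Split the constructed format into (time, kind, image, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, image, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, image, detail))
    return events


def detect_xml_task_cleanup(text, window=timedelta(minutes=10)):
    """Return one finding per `schtasks /create ... /xml <file>`, noting whether the XML
    lived in a temp directory and was deleted within `window` of the task creation."""
    findings = []
    pending = {}  # lower-cased XML path -> index into findings
    for ts, kind, image, detail in parse_events(text):
        if kind == "ProcessCreate" and image.lower().endswith("schtasks.exe") and "/create" in detail.lower():
            m = XML_ARG.search(detail)
            if not m:
                continue
            xml = m.group(1) or m.group(2)
            findings.append({"time": ts, "xml": xml, "in_temp": bool(TEMP_DIR.search(xml)),
                             "deleted_after": False, "deleted_by": None})
            pending[xml.lower()] = len(findings) - 1
        elif kind == "FileDelete" and detail.lower() in pending:
            f = findings[pending[detail.lower()]]
            if timedelta(0) <= ts - f["time"] <= window:
                f["deleted_after"] = True
                f["deleted_by"] = image


    return findings


def severity(finding):
    """Both signals together match the report's behaviour; either alone is worth a look."""
    if finding["in_temp"] and finding["deleted_after"]:
        return "high"
    if finding["in_temp"] or finding["deleted_after"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in detect_xml_task_cleanup(SAMPLE_EVENTS):
        print(f"{severity(f):6} {f['xml']} deleted_by={f['deleted_by']}")
```

The deleting image is kept in the finding because, in the report's chain, the process that removes the XML is the dropped eme.pif rather than schtasks itself, which is a useful pivot when reconstructing the timeline on an affected host.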

5.5.3 Injecting the final payload

It retrieves a specified resource and decodes it to obtain the final payload, then creates a child process and injects the decoded Snake Keylogger spyware into that process to run.

Figure 5-9 Decoding to obtain the final payload

5.6 Snake Keylogger spyware

The Snake Keylogger Trojan steals data by logging keystrokes, taking screenshots, reading clipboard content and stealing the usernames and passwords of target applications, and exfiltrates it over one of three channels: FTP, SMTP or Telegram.

5.6.1 Keylogger

It monitors keyboard input events, records information about the window the user is currently working in, and sends the keystroke log together with the window information to the C2 server.

Figure 5-10 Keyboard Record

5.6.2 Screen Shot

It saves a screenshot named Screenshot.png in the "My Files\SnakeKeylogger" folder, sends it to the C2 server and then deletes the screenshot file.

Figure 5-11 Screen capture

5.6.3 Obtaining clipboard contents

It reads the contents of the system clipboard and sends them to the C2 server.

Figure 5-12 Obtaining the contents of the clipboard

5.6.4 Credential theft targets

The Snake Keylogger Trojan steals usernames, passwords and other information saved by email clients, browsers, instant messaging platforms, FTP tools and other applications. The specific targets are listed in the table below.

Table 5-2 Applications targeted for credential theft

Category | Applications
Email client | Outlook, Foxmail, Thunderbird, Postbox
Browser | Yandex, Amigo, Xpom, Kometa, Nichrome, Chrome, CocCoc, QQBrowser, Orbitum, Slimjet, Iridium, Vivaldi, Iron, Chromium, GhostBrowser, CentBrowser, Xvast, Chedot, Superbird, 360Browser, 360Chrome, Comodo, Brave, Torch, UCBrowser, Blisk, Epic Privacy Browser, Opera, Liebao7, Avast Browser, Kinza, BlackHawk, Citrio, Uran, Coon, 7Star, QIP Surf, Sleipnir, Chrome Canary, CoolNovo, SalamWeb, Sputnik, Falkon, Elements Browser, Microsoft Edge, IceCat, SlimBrowser, Firefox, SeaMonkey, Ice Dragon, Cyberfox, Pale Moon, Waterfox
Instant messaging platform | Pidgin, Discord
FTP tool | FileZilla

5.6.5 Exfiltration channels

The Snake Keylogger Trojan decides whether to encrypt the exfiltrated data according to the configuration embedded at build time.

Figure 5-13 Selecting whether to encrypt exfiltrated data according to the configuration

If encryption was enabled at build time, the data is encrypted with DES and the ciphertext is then Base64-encoded.

Figure 5-14 Encrypting the data

The Snake Keylogger Trojan supports three exfiltration channels, FTP, SMTP and Telegram, and the channel actually used is selected according to the configuration embedded at build time.

Figure 5-15 Exfiltration channel selected by the sample

5.6.5.1 Exfiltration via FTP

When FTP is used, the Trojan connects to the attacker's FTP server and uploads the file containing the stolen data with the STOR command.

Figure 5-16 Exfiltration via FTP

The name of the uploaded file depends on the kind of data stolen, as shown in the following table.

Table 5-3 FTP upload file names

Stolen data | Uploaded file
Usernames and passwords | <Device Name> - Passwords ID - <ID>.txt
Keystroke log | <Device Name> - Keystroke Logs ID - <ID>.txt
Clipboard contents | <Device Name> - Clipboard Logs ID - <ID>.txt
Screenshot | <Device Name> - Screenshot Logs ID - <ID>.png

5.6.5.2 Exfiltration via SMTP

When SMTP is used, the Trojan sends an email to an attacker-controlled address with the file containing the stolen data attached.

Figure 5-17 Exfiltration via SMTP

The email content and attachments depend on the kind of data stolen, as shown in the following table.

Table 5-4 SMTP exfiltration messages

Stolen data | Email content | Email attachment
Usernames and passwords | Pw? <user name>? Snake | Passwords.txt, User.txt
Keystroke log | Kp <user name> Snake | Keystrokes.txt
Clipboard contents | Clipboard <user name> Snake\r\n<information about the victim host> | Clipboard.txt
Screenshot | Screenshot <user name> Snake\r\n<information about the victim host> | Screenshot.png

5.6.5.3 Exfiltration via Telegram

When Telegram is used, the Trojan submits the file containing the stolen data to the Telegram endpoint set up by the attacker with an HTTP POST request.

Figure 5-18 Exfiltration via Telegram

The name of the submitted file depends on the kind of data stolen, as shown in the following table.

Table 5-5 Telegram upload file names

Stolen data | Uploaded file
Usernames and passwords | Snakepw.txt
Keystroke log | Snakekeylogger.txt
Clipboard contents | Clipboard.txt
Screenshot | Screenshot.png
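Each of the three channels in 5.6.5.1 to 5.6.5.3 leaves a recognisable artefact on the wire: the FTP file names of Table 5-3, the SMTP subjects of Table 5-4, and a Telegram Bot API call carrying one of the file names from Table 5-5. The following is an added example, not code from the Antiy report, that classifies sensor observations against those patterns. It assumes a simple "sensor: payload" line format for its constructed input, matches the Bot API on its public host api.telegram.org (not the exact URL from Appendix I), and uses placeholder values for the bot token and chat id.

```python
"""Classify observed network artefacts against Snake Keylogger's three exfiltration
channels: FTP STOR file names (Table 5-3), SMTP subjects (Table 5-4) and Telegram Bot
API calls carrying the Table 5-5 file names.

Added example, not code from the Antiy report. Input lines are constructed and
prefixed with the sensor that produced them ("ftp:", "smtp-subject:", "http:").
"""
import re

# FTP: "<Device Name> - <Kind> ID - <ID>.<ext>"; a hyphen or an en dash is accepted.
FTP_STOR = re.compile(
    r"^STOR\s+.+?\s[-\u2013]\s*(Passwords|Keystroke Logs|Clipboard Logs|Screenshot Logs) ID\s*[-\u2013]\s*.+\.(?:txt|png)\s*$",
    re.I,
)
# SMTP: "<Tag> <user name> Snake"; the credential variant reads "Pw? <user name>? Snake".
SMTP_SUBJECT = re.compile(r"^(Pw\?|Kp|Clipboard|Screenshot)\s+\S+\s*\??\s*Snake\b", re.I)
# Telegram: Bot API call; only the shape of the token is matched, never a specific value.
TELEGRAM = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/send(?:Message|Document)", re.I)
TELEGRAM_FILES = {"snakepw.txt": "credentials", "snakekeylogger.txt": "keystrokes",
                  "clipboard.txt": "clipboard", "screenshot.png": "screenshot"}

# Maps the tag captured from an FTP file name or SMTP subject to the kind of stolen data.
KIND = {"passwords": "credentials", "keystroke logs": "keystrokes", "clipboard logs": "clipboard",
        "screenshot logs": "screenshot", "pw?": "credentials", "kp": "keystrokes",
        "clipboard": "clipboard", "screenshot": "screenshot"}


def classify(line):
    """Return (channel, data_kind) when the line matches one of the channels, else None."""
    sensor, _, payload = line.partition(":")
    payload = payload.strip()
    if sensor == "ftp":
        m = FTP_STOR.match(payload)
        return ("ftp", KIND[m.group(1).lower()]) if m else None
    if sensor == "smtp-subject":
        m = SMTP_SUBJECT.match(payload)
        return ("smtp", KIND[m.group(1).lower()]) if m else None
    if sensor == "http" and TELEGRAM.search(payload):
        names = [k for k in TELEGRAM_FILES if k in payload.lower()]
        return ("telegram", TELEGRAM_FILES[names[0]] if names else "unknown")
    return None


def scan(lines):
    """Return (line, (channel, kind)) for every line that matches a channel."""
    return [(line, hit) for line in lines for hit in [classify(line)] if hit]


# Constructed sample observations; the bot token and chat id are placeholders.
SAMPLE = [
    "ftp: STOR DESKTOP-01 - Passwords ID - 1234.txt",
    "ftp: STOR DESKTOP-01 - Screenshot Logs ID - 1234.png",
    "ftp: STOR quarterly_report.pdf",
    "smtp-subject: Pw? alice? Snake",
    "smtp-subject: Kp alice Snake",
    "smtp-subject: Weekly sync",
    "http: POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument filename=Snakepw.txt",
    "http: GET https://example.com/index.html",
]

if __name__ == "__main__":
    for line, (channel, kind) in scan(SAMPLE):
        print(f"{channel:8} {kind:11} <- {line}")
```

The FTP and SMTP patterns are specific enough to alert on directly; a Bot API call alone is not, since legitimate automation uses the same endpoint, so the Telegram rule only becomes a confident detection when the POST body carries one of the Table 5-5 file names.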

6. Summary

Since Microsoft announced that macros in Office documents are blocked by default, attackers have turned to OneNote documents as a new carrier for malicious files. The attacker sends a phishing email that lures the user into opening the attached OneNote document and running the malicious file hidden under the picture in it, so that spyware, remote-access Trojans and other malware run on the user's host.

Users are advised not to readily trust the contents of mail from unknown sources, to verify where the mail came from, and to be alert to instructions in the mail that prompt them to act. Antiy CERT will continue to track new attack methods and conduct in-depth analysis of related attack activity.

Appendix I: IoCs

554f1a13a1ed03aa6eca2cb81defc242
67463b588ae33879f50fd43185af8be6
b9611fdaa214df556ad6c8fc582a45f6
8481fb36fe2375802264e3255c421629
8d369299a047f228593293887092e43d
0fb6061f7d37424fb9e6d0e76b019c19
d7a88c5383f2c5f5f63eba55aa264c6f16
efa3ef59eba11bae9d4c691e431a42db
https[:]//bitbucket.org/!api/2.0/snippets/mounmeinlilo/zqz9zj/a0908238e134ad5a36922c163d2c986a8584d33a/files/emefamstartup.ps1
https[:]//api.telegraph.org/bot6287986251:Aagcsj3tazwv7scc7x0dmhgcs3euo4j9_Ww/sendMessage?chat_id=6218388203

Appendix II: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PCs, servers and other system environments, as well as the UWP (Unified Workload Protection) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR) and Cloud Workload Protection Platform (CWPP). Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS) and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift their security capabilities left in the DevOps process. It has also developed four kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China's emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as "Code Red", "Dvldr", "Heartbleed", "Bash Shellcode" and "WannaCry". Antiy conducts continuous monitoring and in-depth analysis of dozens of advanced cyberspace threat actors (APT groups) such as "Equation", "White Elephant", "Lotus" and "Greenspot" and their attack campaigns, helping customers build effective protection once the adversary's activity has been accurately anticipated.