Evolving Snake Keylogger Variant Targets Windows Users
Summary:
FortiGuard Labs recently detected a new variant of Snake Keylogger (also known as 404 Keylogger) using FortiSandbox v5.0 (FSAv5). This malware has been responsible for over 280 million blocked infection attempts, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain. The widespread activity of this keylogger highlights its global reach and evolving nature, posing a significant threat to organizations and users worldwide.
Snake Keylogger is typically distributed through phishing emails containing malicious attachments or links. Once executed, it steals sensitive credentials from popular browsers like Chrome, Edge, and Firefox by logging keystrokes, monitoring the clipboard, and extracting saved passwords. The stolen data is then exfiltrated using SMTP (email) and Telegram bots, allowing attackers to access login credentials and other private information. To evade detection, this variant leverages AutoIt scripting, making its payload more difficult to analyze. By embedding itself within an AutoIt-compiled binary, the malware effectively bypasses traditional antivirus solutions.
Security Officer Comments:
FortiSandbox’s research revealed that Snake Keylogger accesses browser credential storage folders to extract sensitive data, including autofill information and credit card details. It also retrieves victim geolocation and transmits stolen data using HTTP POST, SMTP, and Telegram bots. The malware employs an API to log keystrokes, capturing banking credentials and other personal information.
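As an added illustration, not code from FortiGuard's report or the article, the Python below turns the behaviour just described into a detection rule: a process that is not a browser, yet reads a browser credential store and also opens a connection to Telegram or an SMTP port, is flagged. The endpoint events and their `ts|host|process|event|detail` format are constructed for the example and are not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (not real telemetry), one per line:
# ts|host|process|event|detail
SAMPLE_EVENTS = """\
10:01:02|WS01|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|FileRead|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
10:01:03|WS01|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|FileRead|C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json
10:01:04|WS01|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|NetConnect|api.telegram.org:443
10:01:05|WS01|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|FileRead|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
10:01:06|WS01|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|NetConnect|www.example.com:443
10:02:10|WS02|C:\\Users\\ann\\Downloads\\report.exe|NetConnect|smtp.example.net:587
"""

# Browser credential / autofill stores named in the report (Chrome, Edge, Firefox).
CREDENTIAL_STORES = [
    re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Web Data)$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\(Login Data|Web Data)$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I),
]
# Exfiltration channels described in the report: Telegram bot API or SMTP ports.
EXFIL_CHANNELS = re.compile(r"^(api\.telegram\.org:443|[^:]+:(25|465|587))$", re.I)
# Browsers legitimately read their own stores; exclude them from the rule.
BROWSER_PROCS = re.compile(r"\\(chrome|msedge|firefox)\.exe$", re.I)

def parse(events):
    for line in events.strip().splitlines():
        ts, host, proc, event, detail = line.split("|", 4)
        yield {"ts": ts, "host": host, "proc": proc, "event": event, "detail": detail}

def find_suspects(events):
    """Return {(host, process): {"stores": [...], "exfil": [...]}} for every
    non-browser process that BOTH read a credential store AND contacted an
    exfiltration channel. Either behaviour alone is not enough to fire."""
    reads, exfil = defaultdict(set), defaultdict(set)
    for e in parse(events):
        if BROWSER_PROCS.search(e["proc"]):
            continue
        key = (e["host"], e["proc"])
        if e["event"] == "FileRead" and any(p.search(e["detail"]) for p in CREDENTIAL_STORES):
            reads[key].add(e["detail"])
        elif e["event"] == "NetConnect" and EXFIL_CHANNELS.match(e["detail"]):
            exfil[key].add(e["detail"])
    return {k: {"stores": sorted(reads[k]), "exfil": sorted(exfil[k])}
            for k in reads if k in exfil}

if __name__ == "__main__":
    for (host, proc), hit in find_suspects(SAMPLE_EVENTS).items():
        print(f"{host}: {proc} read {len(hit['stores'])} store(s), exfil via {hit['exfil']}")
```

In the sample, only `invoice.exe` on WS01 fires; Chrome reading its own store and `report.exe` talking to SMTP without touching any store do not.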
Suggested Corrections:
To mitigate the risk posed by keylogger malware, security experts recommend:
Link(s):
https://www.infosecurity-magazine.com/news/snake-keylogger-targets-windows/