A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSA\u015e (Turkish Aerospace Industries).<\/p>\n
The malicious campaign distributes files disguised as contractual documents, specifically using the filename \u201cTEKL\u0130F \u0130STE\u011e\u0130 \u2013 TUSA\u015e T\u00dcRK HAVACILIK UZAY SANAY\u0130\u0130_xlsx.exe\u201d to deceive recipients into executing the payload.<\/p>\n
The Snake Keylogger variant demonstrates advanced persistence capabilities and sophisticated evasion techniques that allow it to operate undetected within compromised systems<\/a>.<\/p>\n Once executed, the malware immediately establishes multiple layers of persistence while simultaneously implementing anti-detection mechanisms to ensure long-term access to victim systems.<\/p>\n The campaign\u2019s targeted approach toward defense industry contractors indicates a strategic focus on high-value intelligence gathering operations.<\/p>\n Malwation researchers identified<\/a> this particular strain during their analysis of recent phishing campaigns, noting the malware\u2019s sophisticated use of legitimate Windows utilities to maintain persistence and evade security controls.<\/p>\n The sample, with SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, presents as a PE32 executable written in .NET, utilizing multiple unpacking layers to conceal its true functionality.<\/p>\n The keylogger\u2019s primary targets include credentials, cookies, and financial information extracted from over 30 different browsers and email clients, including Chrome, Firefox, Outlook, and Thunderbird.<\/p>\n Additionally, the malware harvests autofill data, credit card information, download histories, and top sites from compromised systems before exfiltrating the stolen data via SMTP to mail.htcp.homes servers.<\/p>\n The malware employs a dual-pronged approach to establish persistence<\/a> while evading detection systems.<\/p>\n Upon execution, it immediately invokes PowerShell to add itself to Windows Defender\u2019s exclusion list using the command This operation is executed through the NtCreateUserProcess system call, launching powershell<\/a>.exe with elevated privileges to modify security configurations.<\/p>\n Simultaneously, the malware<\/a> creates a scheduled task named \u201cUpdatesoNqxPR\u201d using schtasks.exe to ensure automatic execution at system startup.<\/p>\n The scheduled task creation process involves generating an XML configuration file that defines the execution parameters, allowing the malware to persist across system reboots without user interaction.<\/p>\n This technique leverages legitimate Windows task scheduling<\/a> functionality, making detection significantly more challenging for traditional security solutions.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgE13nUjwkRd80G9claLfiCOEOY6RCKD8xT6ckNnm76izwS6jX6Z-kQz2xUfmMZfd1BKn8DKZyWqAImAfBABOGo6RivkWOI7nLZAGtop5jJKvQp4uJlR9oxLc_K1qxehXk6zBibWPYAxwx8jvKFJ-nivqFt8JVf9fUl7hx63PEaQ8pSNqXQCstNPU5Ie2c\/s16000\/Threat.Zone%2520%28Source%2520-%2520Malwation%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitM0fIoHxE1s3TzUW2UOd4QqAHh-6EidcfyNiEW3kIHQG9QXrV22Bg8-I_v-iGbYiT1MgDJ5qZ4o_oNgsEjRACKg_F2TjKWVyU4jCnKi_zDXSAzZ2obTO7Q7W9V4OPsWSRHNvMw30NqDPDnaIn7k-0Qj5zjVWKYVS2io1hs8AtTTSCt7ioC6ZRHnBfWp0\/s16000\/Snake%2520Keylogger%2520Functionalities%2520%28Source%2520-%2520Malwation%29.webp?ssl=1\")
Advanced Persistence and Evasion Mechanisms<\/strong><\/h2>\n
Add-MpPreference -Excl<\/code>, effectively neutralizing the built-in antimalware protection.<\/p>\n