Snake keylogger, also known as “404 Keylogger” or “KrakenKeylogger”, is a .NET-based trojan that targets Windows endpoints and steals sensitive information. It is typically spread through phishing campaigns and can exfiltrate saved credentials from web browsers, email clients, and other commonly used applications. It can also capture keystrokes, screenshots, and clipboard data, and gather basic device information.

Snake keylogger was first identified in November 2020 and was sold on dark web forums as a subscription-based service. Recently, a new variant of the malware was uncovered. This new variant is distributed through phishing emails, often using malicious Microsoft Excel documents, Microsoft Office files, or PDF attachments. 

In this blog post, we demonstrate how to use Wazuh to detect Snake keylogger malware on an infected Windows endpoint.

Snake keylogger behavior

When Snake keylogger infects a Windows endpoint, it exhibits the following:

  • Creates an executable file in the C:\Users\<USERNAME>\AppData\Roaming folder.
  • Uses a PowerShell command to add the newly created file to the Windows Defender exclusion list:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\<USERNAME>\AppData\Roaming\<FILENAME>.exe"
  • Creates a scheduled task to ensure persistence using schtasks.exe. It creates the tasks with the name \Updates\<FILENAME> and saves the task definition in XML format in the \AppData\Local\Temp folder. 
  • Creates the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk.  
  • Configures the following registry values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk:
    • SD
    • ID
    • Index
  • Deletes itself by running the following command with choice.exe, passing the previously created file to Del:
choice  /C Y /N /D Y /T 3 & Del

Analyzed IOC

Type             Value
Hash (SHA256)    484e5a871ad69d6b214a31a3b7f8cfced71ba7a07e62205a90515f350cc0f723
MD5              a1ae2e6d777478e37fb28514cdde98f6

Infrastructure

We use the following infrastructure to demonstrate the detection of Snake keylogger with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.9.2 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 10 victim endpoint with Wazuh agent 4.9.2 installed and enrolled to the Wazuh server. Refer to the installation guide for installing the Wazuh agent.

Detection with Wazuh

We use the following Wazuh capabilities to detect Snake keylogger on an infected Windows endpoint:

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create custom rules on the Wazuh server to detect the malicious activities of the Snake keylogger malware.

Windows endpoint

Perform the following steps to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent from the same PowerShell session to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect Snake keylogger behavior on the monitored endpoint. 

1. Create a rules file /var/ossec/etc/rules/snake_keylogger.xml:

# touch /var/ossec/etc/rules/snake_keylogger.xml

2. Add the rules below to the /var/ossec/etc/rules/snake_keylogger.xml file:

<group name="snake_keylogger,">
  <!-- Windows Defender exclusion list -->
  <rule id="100901" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">Add-MpPreference\s+-ExclusionPath</field>
    <field name="win.eventdata.commandLine" type="pcre2">AppData\\\\Roaming\\\\.*exe</field>
    <description>Possible Snake keylogger activity: $(win.eventdata.parentImage) created a file in AppData Roaming folder and added it to the Windows Defender exclusion list.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Scheduled task created -->
  <rule id="100902" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">schtasks.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">\/Create\s+\/TN</field>
    <field name="win.eventdata.commandLine" type="pcre2">\/XML</field>
    <field name="win.eventdata.commandLine" type="pcre2">Updates</field>
    <field name="win.eventdata.commandLine" type="pcre2">AppData\\\\Local\\\\Temp\\\\[^\\]+\.tmp</field>
    <description>Possible Snake keylogger activity: Scheduled task created.</description>
    <mitre>
      <id>T1055.001</id>
    </mitre>
  </rule>

  <!-- Registry key created (Sysmon event 12, parent rule 61614). Field names use the
       lowercase-first form Wazuh gives decoded Sysmon eventdata, as in the other rules. -->
  <rule id="100903" level="15">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">CreateKey$</field>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetObject" type="pcre2">WeENKtk</field>
    <description>Possible Snake keylogger activity: Suspicious registry key created.</description>
    <mitre>
      <id>T1204.002</id>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- Registry values set (Sysmon event 13, parent rule 61615) -->
  <rule id="100904" level="15">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">SetValue$</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Updates\\\\[^\\]+\\\\(SD|Id|Index)</field>
    <description>Possible Snake keylogger activity: Suspicious registry subkey creation associated with Snake keylogger.</description>
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

  <!-- File deletion -->
  <rule id="100905" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)choice\.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">choice\s+\/C\s+Y\s+\/N\s+\/D\s+Y\s+\/T\s+3</field>
    <description>Possible Snake keylogger activity: Snake keylogger deleted.</description>
    <mitre>
      <id>T1055.001</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 100901 is triggered when the Snake keylogger adds a file to the Windows Defender exclusion list.
  • Rule ID 100902 is triggered when the Snake keylogger creates a scheduled task.
  • Rule ID 100903 is triggered when the Snake keylogger creates a registry key folder in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\<STRING>.
  • Rule ID 100904 is triggered when the Snake keylogger creates registry keys in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\<STRING>\.
  • Rule ID 100905 detects when the Snake keylogger deletes itself.

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
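Before relying on the rules above, it helps to check their pcre2 conditions offline. The following added example is our own Python, not Wazuh code or the page's: it parses a subset of the rules, compiles every <field> pattern, and runs constructed Sysmon-style events through them, including a benign control that must stay quiet. It assumes Wazuh's semantics that every <field> of a rule must match, that field values are matched in their JSON-escaped form (which is why the page writes one Windows backslash as \\\\), and that the parent rules 61603, 61614 and 61615 correspond to Sysmon events 1, 12 and 13; the sample events and the user name victim are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Assumed mapping of the page's parent rule IDs to Sysmon event IDs.
SYSMON_EVENT_FOR_SID = {"61603": "1", "61614": "12", "61615": "13"}

# Same <field> patterns as rules 100901, 100903 and 100905 on the page,
# reduced to the elements this tester needs.
RULES_XML = r"""<group name="snake_keylogger,">
  <rule id="100901" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">Add-MpPreference\s+-ExclusionPath</field>
    <field name="win.eventdata.commandLine" type="pcre2">AppData\\\\Roaming\\\\.*exe</field>
  </rule>
  <rule id="100903" level="15">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">CreateKey$</field>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetObject" type="pcre2">WeENKtk</field>
  </rule>
  <rule id="100905" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)choice\.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">choice\s+\/C\s+Y\s+\/N\s+\/D\s+Y\s+\/T\s+3</field>
  </rule>
</group>"""


def load_rules(xml_text):
    """Return [(rule_id, sysmon_event_id, [(field_name, compiled_regex), ...])]."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        event_id = SYSMON_EVENT_FOR_SID[rule.findtext("if_sid")]
        fields = [(f.get("name"), re.compile(f.text)) for f in rule.findall("field")]
        rules.append((rule.get("id"), event_id, fields))
    return rules


def escaped(value):
    """JSON-escape a value (assumed matching form: one backslash becomes two)."""
    return json.dumps(value)[1:-1]  # drop the surrounding quotes


def sysmon_event(event_id, **eventdata):
    """Constructed, already-decoded Sysmon event in Wazuh's win.* layout."""
    return {"win": {"system": {"eventID": str(event_id)}, "eventdata": eventdata}}


def matching_rules(event, rules):
    """IDs of rules whose Sysmon event type and every <field> pattern match."""
    hits = []
    for rule_id, event_id, fields in rules:
        if event["win"]["system"]["eventID"] != event_id:
            continue  # the <if_sid> parent rule would not have fired
        data = event["win"]["eventdata"]
        if all(pat.search(escaped(data.get(name.rsplit(".", 1)[-1], "")))
               for name, pat in fields):
            hits.append(rule_id)
    return hits


# Constructed sample events modelled on the behaviour the page describes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "defender_exclusion": sysmon_event(1, image=PS, commandLine=(
        f'"{PS}" Add-MpPreference -ExclusionPath '
        r'"C:\Users\victim\AppData\Roaming\WeENKtk.exe"')),
    "self_delete": sysmon_event(1, image=r"C:\Windows\System32\choice.exe", commandLine=(
        r"choice  /C Y /N /D Y /T 3 & Del C:\Users\victim\AppData\Roaming\WeENKtk.exe")),
    "task_key": sysmon_event(12, eventType="CreateKey", image=r"C:\Windows\System32\svchost.exe",
                             targetObject=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                                          r"\Schedule\TaskCache\Tree\Updates\WeENKtk"),
    # Benign control: an exclusion outside AppData\Roaming must not trigger 100901.
    "benign_exclusion": sysmon_event(1, image=PS, commandLine=(
        f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Program Files\\App\\app.exe"')),
}


def run_samples():
    """Evaluate every constructed event against the embedded rules."""
    rules = load_rules(RULES_XML)
    return {name: matching_rules(ev, rules) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no rule matched'}")
```

The three malicious samples should hit 100901, 100905 and 100903 respectively and the benign one nothing. Python's re engine accepts the page's patterns, but it is not PCRE2, so once the rules are in place, confirm them on the manager with wazuh-logtest using a real Sysmon event rather than trusting this harness alone.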

Detection results

The alerts below are generated on the Wazuh dashboard when the Snake keylogger is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Server management > Endpoints Summary and select the Windows agent.

2. Click on Threat Hunting and select the Events tab.

3. Click + Add filter. Then select rule.id in the Field field and is one of in the Operator field.

4. Add the filters 100901, 100902, 100903, 100904, and 100905 in the Values field.

5. Click Save.

Snake keylogger detection results

Security configuration assessment

The Wazuh SCA module performs checks for system hardening, detects vulnerable software, and validates configuration policies on a monitored endpoint. We configure the Wazuh SCA module to check for the presence of Snake keylogger artifacts on the Windows endpoint.

Windows endpoint

1. Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:

> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory

Note: Custom SCA policy files created inside the default Wazuh ruleset folder are not kept across upgrades. Hence, the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder.

2. Create a new policy file in the sca_policies folder:

> New-Item -Path 'C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml' -ItemType File

3. Add the following content to the C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml file:

# Security Configuration Assessment
# Audit for Snake keylogger malware
# Copyright (C) 2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
policy:
  id: "Snake_keylogger"
  file: "snake_keylogger_check.yml"
  name: "Snake keylogger Windows OS check"
  description: "Detecting Snake keylogger"

requirements:
  title: "Checking for Snake keylogger artifacts on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 71000
    title: "Checking for possible Snake keylogger malware artifacts in Roaming folder"
    description: "Check for Snake keylogger artifacts in Roaming folder"
    remediation: "Delete the WeENKtk.exe file from the Roaming folder"
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Roaming\WeENKtk.exe'

  - id: 71001
    title: "Check if Snake keylogger artifact (WeENKtk.exe) is present in Windows Defender exclusion list"
    description: "Check whether the Snake keylogger artifact is in the Windows Defender exclusion list"
    remediation: "Delete the entry from the Windows Defender exclusion list"
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths -> C:\Users\<USERNAME>\AppData\Roaming\WeENKtk.exe'

  - id: 71002
    title: "Check if scheduled task (WeENKtk) exists in the Updates registry path"
    description: "Check if the specified task is created in the Task Scheduler under the Updates registry path"
    remediation: "Delete the WeENKtk registry folder"
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk'

Note: Replace <USERNAME> with the username of the logged-in user.

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and append the following configuration:

<ossec_config>
  <sca>
    <policies>
      <policy>C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml</policy>
    </policies>
  </sca>
</ossec_config>

5. Restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name WazuhSvc

Visualizing the scan results

Navigate to the Configuration Assessment page on the Wazuh dashboard. Select the monitored Windows endpoint, then select Snake keylogger Windows OS check to view the scan results.

A Failed result indicates that the Snake keylogger artifacts were detected on the endpoint. Conversely, a Passed result indicates that the Snake keylogger artifacts were not detected and that the endpoint meets the SCA policy criteria.
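To make that pass/fail mapping concrete, here is an added example in Python (ours, not Wazuh's SCA engine) that parses the three rule strings from the policy above, in the f:/r:/-> syntax the page uses, and evaluates them against two constructed endpoint snapshots, one carrying the artifacts and one clean. It assumes SCA semantics as the page presents them: f: tests that a file exists, r:key -> name tests that a registry value with that name exists under the key, not inverts the test, and condition: all requires every rule of a check to hold; <USERNAME> is replaced by the constructed user victim.

```python
import re

# Same rule strings as checks 71000-71002 in the page's policy, with <USERNAME>
# replaced by the constructed user "victim".
CHECKS = {
    71000: ["not f:C:\\Users\\victim\\AppData\\Roaming\\WeENKtk.exe"],
    71001: ["not r:HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
            " -> C:\\Users\\victim\\AppData\\Roaming\\WeENKtk.exe"],
    71002: ["not r:HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            "\\Schedule\\TaskCache\\Tree\\Updates\\WeENKtk"],
}

# Optional "not", the check type (f = file, r = registry), the target, and an
# optional "-> value name" part.
RULE_RE = re.compile(r"^(not )?([fr]):(.+?)(?: -> (.+))?$")


def parse_rule(rule):
    """Split an SCA rule string into (negated, kind, target, value_name)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule}")
    negated, kind, target, value_name = m.groups()
    return negated is not None, kind, target, value_name


def rule_holds(rule, snapshot):
    """Evaluate one rule against a constructed endpoint snapshot."""
    negated, kind, target, value_name = parse_rule(rule)
    if kind == "f":
        present = target in snapshot["files"]
    else:
        values = snapshot["registry"].get(target)
        present = values is not None and (value_name is None or value_name in values)
    return present != negated  # "not" flips the meaning of presence


def evaluate(checks, snapshot, condition="all"):
    """Map each check id to 'passed' or 'failed', as the SCA dashboard shows it."""
    combine = all if condition == "all" else any
    return {cid: "passed" if combine(rule_holds(r, snapshot) for r in rules) else "failed"
            for cid, rules in checks.items()}


PATH = "C:\\Users\\victim\\AppData\\Roaming\\WeENKtk.exe"
EXCL = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
TREE = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
        "\\Schedule\\TaskCache\\Tree\\Updates\\WeENKtk")

# Constructed snapshots: registry keys map to the set of value names they hold.
# The clean host still has an Exclusions\Paths key with an unrelated entry, so the
# "-> value name" part of check 71001 is what keeps it from failing.
INFECTED = {"files": {PATH}, "registry": {EXCL: {PATH}, TREE: {"Id", "Index", "SD"}}}
CLEAN = {"files": set(), "registry": {EXCL: {"C:\\Program Files\\App"}}}

if __name__ == "__main__":
    print("infected:", evaluate(CHECKS, INFECTED))
    print("clean:   ", evaluate(CHECKS, CLEAN))
```

On the infected snapshot every check reports failed, on the clean one every check reports passed, which is the reading the dashboard gives: Failed means the artifact is present.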

The screenshot below shows the SCA alerts generated on the Wazuh dashboard when the Wazuh SCA detects artifacts associated with the Snake keylogger. 

Snake Keylogger SCA alerts

Conclusion

This blog post shows how to detect Snake keylogger malware on a Windows endpoint with Wazuh. We illustrated how to use Sysmon integration with custom detection rules and the Wazuh SCA module to detect the Snake keylogger and its malicious activities. 

Wazuh is a free and open source security platform with several capabilities to monitor and secure your IT infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.
