Snake keylogger, also known as “404 Keylogger” or “KrakenKeylogger”, is a .NET-based trojan that targets Windows endpoints and steals sensitive information. It is typically spread through phishing campaigns and can exfiltrate saved credentials from web browsers, email clients, and other commonly used applications. It can also capture keystrokes, screenshots, and clipboard contents, and gather basic device information.
Snake keylogger was first identified in November 2020 and was sold on dark web forums as a subscription-based service. A new variant of the malware was uncovered recently. It is distributed through phishing emails, often as malicious Microsoft Excel documents, other Microsoft Office files, or PDF attachments.
In this blog post, we demonstrate how to use Wazuh to detect Snake keylogger malware on an infected Windows endpoint.
Snake keylogger behavior
When Snake keylogger infects a Windows endpoint, it exhibits the following behavior:
- Creates an executable file in the C:\Users\<USERNAME>\AppData\Roaming folder.
- Uses a PowerShell command to add the newly created file to the Windows Defender exclusion list:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\<USERNAME>\AppData\Roaming\<FILENAME>.exe"
- Creates a scheduled task for persistence using schtasks.exe. The task is named \Updates\<FILENAME>, and its definition is saved as an XML file in the \AppData\Local\Temp folder.
- Creates the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk (WeENKtk is the <FILENAME> used by the analyzed sample). This key is written by the Task Scheduler service, which runs inside svchost.exe.
- Sets the following registry values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk: SD, Id, and Index.
- Deletes itself by running the following command with choice.exe, specifying the previously created file:
choice /C Y /N /D Y /T 3 & Del
Analyzed IOC
Type | Value
SHA256 | 484e5a871ad69d6b214a31a3b7f8cfced71ba7a07e62205a90515f350cc0f723
MD5 | a1ae2e6d777478e37fb28514cdde98f6
Infrastructure
We use the following infrastructure to demonstrate the detection of Snake keylogger with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.9.2 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 10 victim endpoint with Wazuh agent 4.9.2 installed and enrolled to the Wazuh server. Refer to the installation guide for installing the Wazuh agent.
Detection with Wazuh
We use the following Wazuh capabilities to detect Snake keylogger on an infected Windows endpoint:
- Detection rules to detect Snake keylogger activities.
- The Wazuh Security Configuration Assessment (SCA) module to check for the presence of Snake keylogger artifacts.
Detection rules
We use Sysmon to monitor several system events on the Windows endpoint and create custom rules on the Wazuh server to detect the malicious activities of the Snake keylogger malware.
Windows endpoint
Perform the following steps to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred location.
3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent from the same PowerShell session to apply the configuration change:
> Restart-Service -Name WazuhSvc
Wazuh server
In this section, we create rules to detect Snake keylogger behavior on the monitored endpoint.
1. Create a rules file /var/ossec/etc/rules/snake_keylogger.xml:
# touch /var/ossec/etc/rules/snake_keylogger.xml
2. Add the rules below to the /var/ossec/etc/rules/snake_keylogger.xml file:
<group name="snake_keylogger,">

  <!-- Windows Defender exclusion list -->
  <rule id="100901" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">powershell.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">Add-MpPreference\s+-ExclusionPath</field>
    <field name="win.eventdata.commandLine" type="pcre2">AppData\\\\Roaming\\\\.*exe</field>
    <description>Possible Snake keylogger activity: $(win.eventdata.parentImage) created a file in AppData Roaming folder and added it to the Windows Defender exclusion list.</description>
    <mitre>
      <id>T1562.001</id>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <!-- Scheduled task created -->
  <rule id="100902" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">schtasks.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">\/Create\s+\/TN</field>
    <field name="win.eventdata.commandLine" type="pcre2">\/XML</field>
    <field name="win.eventdata.commandLine" type="pcre2">Updates</field>
    <field name="win.eventdata.commandLine" type="pcre2">AppData\\\\Local\\\\Temp\\\\[^\\\\]+\.tmp</field>
    <description>Possible Snake keylogger activity: Scheduled task created.</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

  <!-- Registry key created -->
  <rule id="100903" level="15">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">CreateKey$</field>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetObject" type="pcre2">WeENKtk</field>
    <description>Possible Snake keylogger activity: Suspicious registry key created.</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

  <!-- Registry values set -->
  <rule id="100904" level="15">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.eventType" type="pcre2">SetValue$</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Updates\\\\[^\\\\]+\\\\(SD|Id|Index)</field>
    <description>Possible Snake keylogger activity: Suspicious registry value set under the scheduled task key associated with Snake keylogger.</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

  <!-- File deletion -->
  <rule id="100905" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)choice\.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">choice\s+\/C\s+Y\s+\/N\s+\/D\s+Y\s+\/T\s+3</field>
    <description>Possible Snake keylogger activity: Snake keylogger deleted itself.</description>
    <mitre>
      <id>T1070.004</id>
    </mitre>
  </rule>

</group>
Where:
- Rule ID 100901 is triggered when the Snake keylogger adds a file created in the AppData\Roaming folder to the Windows Defender exclusion list.
- Rule ID 100902 is triggered when the Snake keylogger creates a scheduled task under \Updates from an XML definition stored in the AppData\Local\Temp folder.
- Rule ID 100903 is triggered when the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\<STRING> is created for that task. The rule as written matches the WeENKtk name used by the analyzed sample; widen the targetObject pattern if you expect other file names.
- Rule ID 100904 is triggered when the SD, Id, or Index values are set under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\<STRING>\.
- Rule ID 100905 is triggered when the Snake keylogger deletes itself with choice.exe.
3. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
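To sanity-check the rule logic before deploying it, the following Python script, an added example that is not part of this post or of Wazuh, evaluates the five rules above against constructed Sysmon events shaped like the win.eventdata fields Wazuh decodes (camelCase names such as commandLine and targetObject). It assumes that the doubled backslashes in the rule XML reduce to one literal backslash in the compiled pcre2 pattern, so the patterns below use single escaped backslashes; the username victim, the temporary file names and the benign look-alike events are made up. Python's re module is close enough to pcre2 for these patterns.

```python
import re

# Sysmon event ID -> Wazuh base rule that the custom rules chain from via <if_sid>.
SYSMON_TO_WAZUH_SID = {1: 61603, 12: 61614, 13: 61615}

# The five rules from snake_keylogger.xml as (parent sid, {field: [patterns]}).
# A Wazuh rule fires only when every <field> condition matches. Patterns are
# written as the compiled pcre2 regex reads, one escaped backslash per path
# separator (assumption: the doubled backslashes in the XML reduce to one).
RULES = {
    100901: (61603, {"commandLine": [r"powershell.exe",
                                     r"Add-MpPreference\s+-ExclusionPath",
                                     r"AppData\\Roaming\\.*exe"]}),
    100902: (61603, {"image": [r"schtasks.exe"],
                     "commandLine": [r"/Create\s+/TN", r"/XML", r"Updates",
                                     r"AppData\\Local\\Temp\\[^\\]+\.tmp"]}),
    100903: (61614, {"eventType": [r"CreateKey$"],
                     "image": [r"svchost.exe"],
                     "targetObject": [r"WeENKtk"]}),
    100904: (61615, {"eventType": [r"SetValue$"],
                     "targetObject": [r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                                      r"\\Schedule\\TaskCache\\Tree\\Updates\\[^\\]+\\(SD|Id|Index)"]}),
    100905: (61603, {"image": [r"(?i)choice\.exe"],
                     "commandLine": [r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+3"]}),
}

# Constructed decoded events ("victim" is a made-up username). Events 0-4 follow
# the infection chain described in this post; 5-7 are benign look-alikes.
SAMPLE_EVENTS = [
    {"eventID": 1, "parentImage": r"C:\Users\victim\AppData\Roaming\WeENKtk.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\victim\AppData\Roaming\WeENKtk.exe"'},
    {"eventID": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'"schtasks.exe" /Create /TN "Updates\WeENKtk" /XML '
                    r'"C:\Users\victim\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"eventID": 12, "eventType": "CreateKey", "image": r"C:\Windows\system32\svchost.exe",
     "targetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk"},
    {"eventID": 13, "eventType": "SetValue", "image": r"C:\Windows\system32\svchost.exe",
     "targetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk\Id"},
    {"eventID": 1, "image": r"C:\Windows\System32\choice.exe",
     "commandLine": "choice /C Y /N /D Y /T 3"},
    # Benign: exclusion outside AppData\Roaming, task outside \Updates, value set for another task.
    {"eventID": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Backup\agent.exe"'},
    {"eventID": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\Users\victim\AppData\Local\Temp\tmp9F3C.tmp"'},
    {"eventID": 13, "eventType": "SetValue", "image": r"C:\Windows\system32\svchost.exe",
     "targetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag\Id"},
]


def matching_rules(event):
    """Return the ids of the custom rules that fire for one decoded Sysmon event."""
    sid = SYSMON_TO_WAZUH_SID.get(event.get("eventID"))
    fired = []
    for rule_id, (parent_sid, conditions) in RULES.items():
        if sid != parent_sid:  # <if_sid> did not match: rule is never evaluated
            continue
        if all(event.get(field) is not None
               and all(re.search(pattern, event[field]) for pattern in patterns)
               for field, patterns in conditions.items()):
            fired.append(rule_id)
    return fired


def evaluate(events):
    """Map the index of every event that fires at least one rule to its rule ids."""
    hits = {}
    for index, event in enumerate(events):
        ids = matching_rules(event)
        if ids:
            hits[index] = ids
    return hits


if __name__ == "__main__":
    for index, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"event {index}: rule(s) {ids}")
```

Events 0 to 4 fire rules 100901 to 100905 in order; the three benign events (a Defender exclusion under Program Files, a scheduled task outside the \Updates folder, and a value set for a Microsoft task outside Tree\Updates) fire nothing. Adding more look-alikes to SAMPLE_EVENTS is a cheap way to test a regex change before restarting the manager.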
Detection results
The alerts below are generated on the Wazuh dashboard when the Snake keylogger is executed on the Windows endpoint. Perform the following steps to view them:
1. Navigate to Server management > Endpoints Summary and select the Windows agent.
2. Click Threat Hunting and select the Events tab.
3. Click + Add filter. Select rule.id in the Field field and is one of in the Operator field.
4. Enter 100901, 100902, 100903, 100904, and 100905 in the Values field.
5. Click Save.
Security configuration assessment
The Wazuh SCA module performs checks for system hardening, detects vulnerable software, and validates configuration policies on a monitored endpoint. We configure the Wazuh SCA module to check for the presence of Snake keylogger artifacts on the Windows endpoint.
Windows endpoint
1. Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:
> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory
Note: Custom SCA policy files created inside the default Wazuh ruleset folder are not kept across upgrades, so the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder.
2. Create a new policy file in the sca_policies folder:
> New-Item -Path 'C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml' -ItemType File
3. Add the following content to the C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml file:
# Security Configuration Assessment
# Audit for Snake keylogger malware
# Copyright (C) 2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation

policy:
  id: "Snake_keylogger"
  file: "snake_keylogger_check.yml"
  name: "Snake keylogger Windows OS check"
  description: "Detecting Snake keylogger"

requirements:
  title: "Checking for Snake keylogger artifacts on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 71000
    title: "Checking for possible Snake keylogger malware artifacts in Roaming folder"
    description: "Check for Snake keylogger artifacts in Roaming folder"
    remediation: "Delete the WeENKtk.exe file from the Roaming folder"
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Roaming\WeENKtk.exe'

  - id: 71001
    title: "Check if Snake keylogger artifact (WeENKtk.exe) is present in Windows Defender exclusion list"
    description: "Check whether the Snake keylogger artifact is in the Windows Defender exclusion list"
    remediation: "Delete the entry from the Windows Defender exclusion list"
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths -> C:\Users\<USERNAME>\AppData\Roaming\WeENKtk.exe'

  - id: 71002
    title: "Check if scheduled task (WeENKtk) exists in the Updates registry path"
    description: "Check if the specified task is created in the Task Scheduler under the Updates registry path"
    remediation: "Delete the WeENKtk registry key"
    condition: all
    rules:
      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\WeENKtk'
Note: Replace <USERNAME> with the username of the logged-in user. Each check passes only when its artifact is absent, so a Failed result means the artifact was found.
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and append the following configuration:
<ossec_config>
  <sca>
    <policies>
      <policy>C:\Program Files (x86)\sca_policies\snake_keylogger_check.yml</policy>
    </policies>
  </sca>
</ossec_config>
5. Restart the Wazuh agent for the changes to take effect:
> Restart-Service -Name WazuhSvc
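The following Python script, an added example rather than the Wazuh SCA engine, models how the three checks above are scored: a check with condition: all passes only when every one of its rules evaluates true, a leading not inverts a rule, f: tests that a file exists, and r: tests that a registry key exists and, with -> <name>, that the named value exists under it. If the requirements block is not satisfied, the policy is not run at all. Only the rule forms this policy uses are modelled, the host states (files present, registry keys and their value names) are constructed, and victim is a made-up username standing in for <USERNAME>.

```python
# Paths from the SCA policy above, with "victim" as a made-up <USERNAME>.
ROAMING_EXE = r"C:\Users\victim\AppData\Roaming\WeENKtk.exe"
EXCLUSIONS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
TASK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Schedule\TaskCache\Tree\Updates\WeENKtk")
SAM_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM"

# The policy's requirements and checks as (condition, [rules]) in SCA rule syntax.
REQUIREMENTS = ("all", ["r:" + SAM_KEY])
CHECKS = [
    (71000, "all", ["not f:" + ROAMING_EXE]),
    (71001, "all", ["not r:" + EXCLUSIONS_KEY + " -> " + ROAMING_EXE]),
    (71002, "all", ["not r:" + TASK_KEY]),
]

# Constructed host states: the set of existing files, and each existing
# registry key mapped to the names of the values stored under it.
INFECTED_HOST = {
    "files": {ROAMING_EXE},
    "registry": {SAM_KEY: set(),
                 EXCLUSIONS_KEY: {ROAMING_EXE},   # Defender stores excluded paths as value names
                 TASK_KEY: {"SD", "Id", "Index"}},
}
CLEAN_HOST = {"files": set(), "registry": {SAM_KEY: set()}}
PARTIALLY_CLEANED_HOST = {  # executable removed, exclusion and task left behind
    "files": set(),
    "registry": {SAM_KEY: set(), EXCLUSIONS_KEY: {ROAMING_EXE}, TASK_KEY: {"SD", "Id", "Index"}},
}


def eval_rule(rule, host):
    """Evaluate one rule of the form f:<file>, r:<key> or r:<key> -> <value name>,
    optionally prefixed with 'not '. Returns True when the rule holds."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    kind, _, target = body.partition(":")  # split on the first colon only: 'C:\' stays intact
    if kind == "f":
        present = target in host["files"]
    elif kind == "r":
        parts = [p.strip() for p in target.split("->")]
        values = host["registry"].get(parts[0])
        present = values is not None and (len(parts) == 1 or parts[1] in values)
    else:
        raise ValueError(f"rule form not modelled here: {rule}")
    return (not present) if negate else present


def eval_check(condition, rules, host):
    """Score a check: 'passed' when the condition over its rules holds, else 'failed'."""
    results = [eval_rule(rule, host) for rule in rules]
    holds = all(results) if condition == "all" else any(results)
    return "passed" if holds else "failed"


def run_policy(host):
    """Return {check id: 'passed' | 'failed'}, or None when the requirements are not met."""
    if eval_check(*REQUIREMENTS, host) == "failed":
        return None
    return {check_id: eval_check(condition, rules, host)
            for check_id, condition, rules in CHECKS}


if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST),
                       ("partially cleaned", PARTIALLY_CLEANED_HOST)):
        print(name, run_policy(host))
```

The partially cleaned host shows why the three checks are kept separate: deleting the executable alone turns check 71000 to Passed while 71001 and 71002 still fail, so the Defender exclusion and the scheduled task survive the cleanup. A host without the HKEY_LOCAL_MACHINE\SAM\SAM key fails the requirements and the policy is skipped rather than reported as Passed.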
Visualizing the scan results
Navigate to the Configuration Assessment page on the Wazuh dashboard. Select the monitored Windows endpoint, then select Snake keylogger Windows OS check to view the scan results.
A Failed result indicates that the Snake keylogger artifacts were detected on the endpoint. Conversely, a Passed result indicates that the Snake keylogger artifacts were not detected and that the endpoint meets the SCA policy criteria.
The screenshot below shows the SCA alerts generated on the Wazuh dashboard when the Wazuh SCA detects artifacts associated with the Snake keylogger.
Conclusion
This blog post shows how to detect Snake keylogger malware on a Windows endpoint with Wazuh. We illustrated how to use Sysmon integration with custom detection rules and the Wazuh SCA module to detect the Snake keylogger and its malicious activities.
Wazuh is a free and open source security platform with several capabilities to monitor and secure your IT infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.