Cybercriminals are constantly evolving their tactics, and the latest variant of Snake Keylogger proves just how persistent they are. Fortinet’s FortiGuard Labs has identified a new strain of the infostealer using its FortiSandbox v5.0 (FSAv5) detection platform, highlighting the growing sophistication of malware threats in the wild.
This latest version of Snake Keylogger, classified as AutoIt/Injector.GTY!tr, has been responsible for more than 280 million blocked infection attempts globally. The majority of these threats have targeted users in China, Turkey, Indonesia, Taiwan, and Spain, demonstrating the widespread impact of this stealthy cyber weapon.
Keylogger 2.0: Smarter, Sneakier, More Dangerous
Originally detected in 2020, Snake Keylogger (also known as 404 Keylogger) has evolved beyond its initial capabilities, incorporating new evasion techniques and leveraging AutoIt, a Windows scripting language often used for automation. This allows the malware to bypass traditional antivirus measures by disguising itself as a legitimate script.
Snake Keylogger operates primarily via phishing campaigns, embedding itself in malicious email attachments and links. Once executed, it discreetly records keystrokes, captures credentials, and steals sensitive data from web browsers like Chrome, Edge, and Firefox. The stolen information is then exfiltrated to its command-and-control (C2) server using email (SMTP) and Telegram bots, a technique that enables attackers to easily retrieve pilfered credentials in real time.
AI Versus Snake: FortiSandbox’s Role in Detection
FortiSandbox v5.0 is equipped with a machine-learning-powered AI engine called PAIX, designed to detect emerging threats in real time. By leveraging behavioral analysis, heuristic scanning, and file attribute analysis, FSAv5 can spot malicious activity before it impacts an environment.
In this case, FSAv5 detected Snake Keylogger through a combination of static and dynamic analysis. The sandbox uncovered obfuscated strings and suspicious API calls related to keylogging and credential harvesting. Additionally, it monitored the malware’s execution, which revealed its ability to infiltrate systems stealthily.
One of the key discoveries was the malware’s persistence mechanism: Snake Keylogger drops an executable (ageless.exe) into the %Local_AppData%\supergroup folder while planting a secondary script (ageless.vbs) in the Windows Startup directory. This ensures the malware relaunches after every reboot, making removal particularly challenging.
Evasion Tactics: Process Hollowing and Obfuscation
To evade detection, Snake Keylogger uses process hollowing, a technique that allows malware to inject itself into a legitimate Windows process -- RegSvcs.exe in this case. This method is particularly effective against traditional antivirus tools, as it disguises the keylogger’s execution within a trusted system process.
Furthermore, FSAv5 identified the keylogger accessing browser credential stores, targeting saved passwords and autofill data, including credit card details. FortiGuard Labs also discovered network traffic logs indicating that the malware was communicating with C2 servers and using external websites to retrieve the victim’s IP and geolocation.
What This Means for Cybersecurity
The detection of this new Snake Keylogger variant underscores the need for organizations to adopt advanced threat detection and response tools. Traditional antivirus solutions alone are not enough to combat today’s rapidly evolving malware landscape.
Fortinet’s AI-driven FSAv5 provides an example of how machine learning can be used to detect even the most sophisticated threats before they cause damage. Its ability to correlate findings with the MITRE ATT&CK framework further strengthens incident response efforts, offering cybersecurity professionals a detailed view of the attacker’s tactics and techniques.
How to Stay Protected
Fortinet has implemented security measures to combat this threat across its ecosystem. The company’s FortiGuard Antivirus service actively detects and blocks the Snake Keylogger variant under AutoIt/Injector.GTY!tr, ensuring customers using FortiGate, FortiMail, FortiClient, and FortiEDR solutions remain protected. Additionally, Fortinet’s Web Filtering Service detects and blocks access to Snake Keylogger’s C2 servers.
Users and organizations are urged to adopt the following security best practices to mitigate the risk:
Enable Advanced Threat Detection: Use behavioral analysis and machine-learning-driven security solutions like FortiSandbox.
Exercise Caution with Email Attachments: Avoid opening unexpected or suspicious files, especially from unknown senders.
Keep Software Updated: Regularly patch operating systems and applications to close security vulnerabilities.
Deploy Multi-Factor Authentication (MFA): Prevent unauthorized access by requiring additional authentication factors.
Conduct Security Awareness Training: Educate employees about phishing threats and social engineering tactics.
The Bottom Line
As cybercriminals continue to refine their attack methods, the fight against malware requires a combination of AI-powered detection, proactive security strategies, and continuous education. With Snake Keylogger proving to be more resilient and widespread than ever, organizations must stay ahead of the curve by deploying the latest in AI-driven cybersecurity defenses.
Fortinet’s discovery is a reminder that the battle against cyber threats is ongoing -- but with the right tools and awareness, businesses and users can better defend themselves against the evolving landscape of digital threats.