An intricate phishing initiative directed at Turkish defense and aerospace companies has surfaced, delivering a highly stealthy variant of the Snake Keylogger malware through deceptive emails masquerading as TUSAŞ (Turkish Aerospace Industries).

The nefarious campaign disseminates files masquerading as contractual documentation, particularly employing the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to mislead recipients into executing the malicious payload.

The Snake Keylogger variant exhibits advanced persistence features and refined evasion tactics that enable it to operate unnoticed on compromised devices.

Upon activation, the malware promptly sets up multiple persistence layers while concurrently deploying anti-detection strategies to guarantee ongoing access to victim machines.

The campaign’s specific focus on defense industry contractors signifies a tactical emphasis on high-stakes intelligence-gathering endeavors.

Malwation analysts recognized this particular variant during their examination of recent phishing efforts, highlighting the malware’s clever utilization of legitimate Windows utilities to sustain persistence and bypass security measures.

Threat.Zone (Source – Malwation)

The sample, identified by the SHA256 hash 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4, appears as a PE32 executable crafted in .NET, utilizing several unpacking layers to obscure its real functions.

The keylogger’s chief targets comprise credentials, cookies, and financial data gathered from over 30 various browsers and email clients, including Chrome, Firefox, Outlook, and Thunderbird.

Snake Keylogger Functionalities (Source – Malwation)

Moreover, the malware collects autofill information, credit card details, download histories, and frequently visited sites from compromised devices before exfiltrating the acquired data via SMTP to mail.htcp.homes servers.

Advanced Persistence and Evasion Mechanisms

The malware adopts a dual strategy to establish persistence while avoiding detection systems.

Upon activation, it promptly invokes PowerShell to add itself to Windows Defender’s exclusion list using the command Add-MpPreference -Excl, effectively nullifying the built-in antimalware safeguards.

This action is carried out through the NtCreateUserProcess system call, initiating powershell.exe with elevated rights to alter security settings.

Concurrently, the malware generates a scheduled task titled “UpdatesoNqxPR” utilizing schtasks.exe to guarantee automatic execution during system startup.

The method of creating the scheduled task involves producing an XML configuration file that delineates the execution parameters, enabling the malware to persist across system reboots without user action.

This strategy exploits authentic Windows task scheduling features, rendering detection considerably more difficult for conventional security solutions.
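The two persistence and evasion steps described above leave recognisable traces in process-creation telemetry. The following detection logic is an added example written for this article, not code from Malwation or from the malware: it runs three rules over a constructed set of command-line events (Defender exclusion added via Add-MpPreference, a scheduled task registered from an XML file with schtasks.exe, and a task name with the observed "Updates" prefix) and raises the finding when the parent process carries a double extension like the lure file's "_xlsx.exe". The event fields, paths and the lure filename spelling are assumptions for the sample.

```python
import re

# Constructed sample events (command lines only), not real telemetry.
# Modelled on the behaviour the article describes; paths are assumptions.
SAMPLE_EVENTS = [
    {"parent": "TEKLIF ISTEGI - TUSAS_xlsx.exe", "image": "powershell.exe",
     "cmd": 'powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming\\upd"'},
    {"parent": "TEKLIF ISTEGI - TUSAS_xlsx.exe", "image": "schtasks.exe",
     "cmd": 'schtasks.exe /Create /TN "UpdatesoNqxPR" /XML C:\\Users\\victim\\AppData\\Local\\Temp\\tmpA1B2.tmp'},
    # Benign noise: an admin reading preferences and Windows querying its own task.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -Command "Get-MpPreference"'},
    {"parent": "svchost.exe", "image": "schtasks.exe",
     "cmd": 'schtasks.exe /Query /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"'},
]

# Each rule is (name, regex over the command line). Case-insensitive because
# PowerShell and schtasks.exe accept any casing of their switches.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)", re.I)),
    ("schtasks_create_from_xml",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/xml\s", re.I)),
    ("schtasks_updates_taskname",
     re.compile(r'/tn\s+"?Updates[A-Za-z0-9]{5,}"?', re.I)),
]

# Lure-style parent name: document extension glued to .exe (e.g. "_xlsx.exe").
DOUBLE_EXT = re.compile(r"_(xlsx|docx|pdf)\.exe$", re.I)


def classify(event):
    """Return the names of all rules whose regex matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]


def triage(events):
    """Return (parent, image, matched_rules) for every event hitting at least one rule.

    A double-extension parent is appended as an extra hit so the analyst sees the
    lure binary and its child-process behaviour together in one finding."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        if DOUBLE_EXT.search(ev["parent"]):
            hits.append("parent_has_double_extension")
        findings.append((ev["parent"], ev["image"], hits))
    return findings
```

In a real deployment the same rules map onto Sysmon Event ID 1 or Windows Security 4688 command-line fields; Get-MpPreference reads and schtasks /Query calls are deliberately left unflagged to keep the noise down.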