<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Snake Keylogger — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/snake-keylogger/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/snake-keylogger/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Process Accessing Browser Password Store</title><link>https://feed.craftedsignal.io/briefs/2024-01-browser-credential-access/</link><pubDate>Wed, 03 Jan 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-browser-credential-access/</guid><description>Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting unauthorized access to browser password stores, a technique commonly employed by credential-stealing malware such as Snake Keylogger. These attackers aim to exfiltrate sensitive information, including stored credentials and browsing history, by accessing browser user data profiles. This activity is detected by monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against an expected list of browser applications via the <code>browser_app_list</code> lookup table. 
The detection identifies processes that are not recognized as legitimate browser applications but are attempting to access browser user data. This technique has been observed in trojan stealers, where credential access is a key component of their information-gathering strategy. This method allows defenders to quickly pivot and discover potentially malicious processes on the system, such as credential stealers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user downloads and executes a malicious file, often disguised as a legitimate application or document.</li>
<li>The malicious file executes, dropping a stealer component into the system.</li>
<li>The stealer process initiates an attempt to access browser user data profiles.</li>
<li>Windows generates a Security Event Log (EventCode 4663) when the stealer attempts to access a browser data file.</li>
<li>The detection analytic identifies processes accessing the browser data folder not present in the <code>browser_app_list</code> lookup file.</li>
<li>The stealer process reads sensitive information, such as usernames, passwords, and browsing history, from the accessed files.</li>
<li>The collected data is staged for exfiltration, potentially compressed or encrypted.</li>
<li>The stolen credentials and information are exfiltrated to a command-and-control server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful credential theft grants attackers unauthorized access to sensitive accounts and systems, which can result in data breaches, financial loss, and reputational damage. Snake Keylogger, for example, is known to target stored credentials, potentially affecting a wide range of users and organizations. Other stealers such as Meduza Stealer, 0bj3ctivity Stealer, and BlankGrabber Stealer use the same technique, showing how widespread it is. The impact spans many sectors, since credential theft is a generic attack applicable to almost any environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Windows Security Event Logging, specifically EventCode 4663, with object access auditing enabled for both success and failure events, so that access attempts against browser user data files are recorded (reference: search description).</li>
<li>Populate and maintain the <code>browser_app_list</code> lookup table with known and allowed browser processes and their associated paths (reference: search description).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect anomalous processes accessing browser password stores, and tune it for your specific environment (reference: rules).</li>
<li>Investigate any alerts generated by the Sigma rule to identify potentially compromised systems and user accounts (reference: rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>credential-access</category><category>stealer</category><category>windows</category></item></channel></rss>