Tuesday, November 4, 2025


DIGITAL LIFE


ESET: SnakeStealer strikes again and steals personal data

Created to steal valuable information, infostealers remain one of the most persistent threats in the cybersecurity landscape. ESET has been identifying several campaigns, but in the first half of the year, one "family" stands out.

Known as SnakeStealer, this threat emerged in 2019 and was originally advertised as 404 Keylogger or 404 Crypter on cybercriminal forums, researchers from the cybersecurity company explain.

In its early variants, SnakeStealer used Discord to host its malicious payloads, which victims inadvertently downloaded after opening suspicious email attachments. The first major "wave" of infostealer activity occurred between 2020 and 2021.

Meanwhile, the way the threat spreads has changed over time. Although it continues to rely on phishing attachments, the malicious payload is disguised in different ways: password-protected ZIP files, booby-trapped RTF, ISO, and PDF files, or bundles with other types of malware. SnakeStealer also hides inside pirated software and fake apps, according to ESET.

Researchers explain that, like other modern threats, SnakeStealer follows a "malware as a service" (or MaaS) model. Through this model, the infostealer operators rent or sell access to the malicious software, including technical support and updates.

According to ESET, the recent resurgence of SnakeStealer is no coincidence. With the decline of Agent Tesla, which lost support from its developers, SnakeStealer began to be recommended in cybercriminal channels on Telegram.

Because it is modular, cybercriminals can choose which SnakeStealer functions they want to activate. To avoid detection, the infostealer uses techniques that involve, for example, terminating processes associated with security tools and malware analysis, and checking for virtual environments.

The malicious software, which extracts passwords saved in browsers, databases, Wi-Fi profiles, and email and chat clients, also alters Windows settings to maintain access on compromised systems. But that's not all: SnakeStealer can also steal clipboard contents, take screenshots, and log keystrokes, and it sends the stolen data out through various channels.
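The two behaviours the article singles out, killing security and analysis tools and then changing Windows settings for persistence, are what a defender would want to correlate in endpoint telemetry. The following is an added example, not ESET's code or any detection rule from the article: it runs a simple triage rule over constructed Sysmon-style events (event 5 = process terminated, event 13 = registry value set), and the tool names and event lines are assumptions chosen to illustrate the logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical names standing in for the security / analysis tools the
# stealer is reported to terminate (an assumption, not a list from the article).
ANALYSIS_TOOLS = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "msmpeng.exe"}
# Autostart location used by the persistence part of the rule.
RUN_KEY = "\\currentversion\\run\\"

# Constructed Sysmon-style events: (timestamp, event id, acting process, target).
SAMPLE_EVENTS = [
    ("2025-11-04T10:00:01", 5, "invoice.exe", "procmon.exe"),
    ("2025-11-04T10:00:02", 5, "invoice.exe", "wireshark.exe"),
    ("2025-11-04T10:00:02", 5, "invoice.exe", "x64dbg.exe"),
    ("2025-11-04T10:00:09", 13, "invoice.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("2025-11-04T10:05:00", 5, "explorer.exe", "notepad.exe"),
    ("2025-11-04T10:06:00", 13, "setup.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Setup"),
    ("2025-11-04T11:30:00", 5, "taskmgr.exe", "procmon.exe"),
]


def triage(events, window=timedelta(seconds=60), min_kills=2):
    """Map each acting process to the behaviour tags it triggered."""
    kills = defaultdict(list)
    tags = defaultdict(set)
    for ts, event_id, actor, target in events:
        when = datetime.fromisoformat(ts)
        if event_id == 5 and target.lower() in ANALYSIS_TOOLS:
            kills[actor].append(when)
        elif event_id == 13 and RUN_KEY in target.lower():
            tags[actor].add("run-key-persistence")
    # Several security tools terminated inside one short window = defence evasion.
    # A single kill (an admin closing a tool from Task Manager) is not enough.
    for actor, times in kills.items():
        times.sort()
        for i, start in enumerate(times):
            if len(times) - i >= min_kills and times[i + min_kills - 1] - start <= window:
                tags[actor].add("kills-security-tools")
                break
    return dict(tags)


def verdict(tags):
    """'high' only when evasion and persistence come from the same process."""
    return "high" if {"kills-security-tools", "run-key-persistence"} <= tags else "low"
```

A lone Run-key write (setup.exe above) stays low severity, since installers legitimately do that; it is the combination with tool termination from the same process that raises the verdict.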

To help strengthen security and stay protected against threats like SnakeStealer, experts recommend that you remain suspicious of unsolicited messages and emails.

It is important to keep your devices' operating system properly updated, and to apply the same measure to the applications you use. You should also enable multifactor authentication wherever possible.

If you suspect you have been affected, ESET recommends that you change all passwords on a "clean" device, close any open sessions, and keep a close eye out for any suspicious activity.

In its early versions, it used the Discord platform to host the stealer, which was downloaded after the victim interacted with a file attached to a phishing email. Although hosting malware on servers belonging to legitimate services was already an established technique, the platform would only become popular among cybercriminals in the following years.

Campaigns associated with this malicious code peaked between 2020 and 2021, with no geographical preference. Detections occurred in several countries around the world, but there were no records of complete campaigns targeting Latin America.

Over the years, the way the payload reaches the victim has diversified, although the first contact still occurs mostly through a phishing attachment: from the payload itself inside a password-protected archive, to less common file types (such as RTF or ISO) used as downloaders, or even packaged with other threats. There are some recorded cases of SnakeStealer disguised as cracks or fake applications on the web, although these appear to be sporadic.

How to protect yourself

In a world where every piece of data has real monetary value, whether for companies, users, or cybercriminals, it is important to reduce the risk of infection by following best practices, such as:

- Keep the operating system and applications updated.

- Use security software on both computers and mobile devices.

- Be suspicious of attachments and links in unsolicited emails or messages. If they appear to come from a known entity or brand, contact it through an official channel to verify the message's authenticity.

- Activate multifactor authentication (MFA) in services and programs that allow it, to prevent unauthorized access if your password is stolen.

- In case of suspected infection, change all passwords from another device, revoke already open sessions, and remain alert to suspicious activity on your accounts.

mundophone
