HP Threat Research Blog Snake Keylogger’s Many Skins: Analysing Code Reuse Among Infostealers

June 28, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

Snake Keylogger’s Many Skins: Analysing Code Reuse Among Infostealers

Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Since then, we’ve seen campaigns spreading this malware almost daily. Snake’s name was derived from strings found in its log files and string obfuscation code. Using the malware’s builder, a threat actor can select and configure desired features then generate new payloads. For this reason, the capabilities of samples found in the wild can vary. This article describes Snake’s capabilities, its infection chain and code similarities with four other commodity keyloggers.