Technical Analysis of Phishing Campaigns Targeting the Defense Industry Delivering Snake Keylogger
.png)
In recent months, our research team have identified a sophisticated phishing campaign targeting Turkish enterprises, particularly those in the defense and aerospace sectors. Threat actors are fraudulently impersonating TUSAŞ (Turkish Aerospace Industries), a prominent Turkish defense contractor, to distribute malicious emails disguised as contractual documents. These emails deliver a variant of the Snake Keylogger, a notorious information-stealing malware, under the guise of files such as "TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe." Once executed, the malware employs advanced persistence mechanisms—including PowerShell commands to evade Windows Defender and scheduled tasks for auto-execution—to harvest sensitive data, such as credentials, cookies, and financial information, from a wide range of browsers and email clients. The incident has been formally reported to Turkey's National Computer Emergency Response Team (USOM), and collaborative efforts are underway to notify potentially compromised victims and mitigate further risks. This article provides a technical deep dive into the malware’s unpacking process, anti-analysis techniques, and exfiltration methods, alongside actionable intelligence such as decrypted configurations and custom YARA rules to aid defenders in detecting similar threats.
Overview
| Filename | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe |
|-------------|----------------------------------------------------------------------|
| SHA256 | 0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4 |
| File Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MIME Type | application/x-dosexec |
This Sample is a variant of the Snake Keylogger distributed to companies operating in Turkey as a contract file from a defense industry company based in Turkey.
Analysis Report On Threat.Zone
The sample initiates multiple suspicious processes, including PowerShell and scheduled tasks, suggesting persistence mechanisms.
The sample runs a PowerShell command to add itself to the Windows Defender exclusion list to evade detection and maintain persistence. The details of this operation can be further analyzed using the Syscalls feature on Threat.Zone.
NtCreateUserProcess(
Status:0x0,
NewProcessHandle:0x698,
NewPid:4076,
NewThreadHandle:0x68c,
NewTid:3400,
CommandLine:\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\Jason\\Desktop\\TEKL\304\260F \304\260STE\304\236\304\260 - TUSA\305\236 T\303\234RK HAVACILIK UZAY SANAY\304\260\304\260_xlsx.exe\",
ImagePathName:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,
DllPath:empty,
CWD:C:\Users\Jason\Desktop\,
Bitness:32
) // TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe PID:2888 TID:2164Additionally, the sample creates a scheduled task to automatically execute itself at system startup, ensuring persistence.
NtCreateUserProcess(
Status:0x0,
NewProcessHandle:0x4d8,
NewPid:3264,
NewThreadHandle:0x580,
NewTid:2960,
CommandLine:\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\oNqxPR\" /XML \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\tmp3E09.tmp\",
ImagePathName:C:\Windows\SysWOW64\schtasks.exe,
DllPath:empty,
CWD:C:\Users\Jason\Desktop\,
Bitness:32
) // TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe PID:2888 TID:2268
Advanced Analysis
First Glance
According to Detect It Easy, the sample is malware written in .NET, so we will continue the analysis with dnSpy.
Sample was opened on dnSpy with the assembly name `vJfV.exe`.
When going to the entry point of the Sample, a Windows Forms Application initalization process was seen.
The form that is run at the beginning of the sample is called `temperatureConverterForm`, it contains buttons that perform harmless temperature conversion operations.
There is `InitalizeComponent` function and [`Activator.CreateInstance`](https://learn.microsoft.com/en-us/dotnet/api/system.activator.createinstance?view=net-9.0) function in the form constructor where component initalization operations are performed. With this function, an instance of the Type loaded into the variable named `bouncer` is created and executed.
In the `InitalizeComponent` function, in addition to the component initalization operations, which is the real purpose of the function, the file to be run in memory is loaded with `Assembly.Load` and the variable named `bouncer` is assigned.
Unpacking with Chiron
At runtime, Sample shows a matryoshka-type behavior by loading one or more files into memory. To unpack such behavior, we will use the [Chiron Unpacker](https://github.com/Malwation/Chiron-Unpacker) project developed by the MTR team. Chiron Unpacker saves the .NET binaries loaded into memory after running the file in a special AppDomain.
Since Chiron is a dynamic unpacker, it is run inside a virtual machine.
By running with this command, resource-unpack mode is activated:
Chiron-Unpacker.exe -f sample_path -o output_path -r
When the Resource decrypted by Chiron is opened on dnSpy, we see the file that performs the malicious operations. The sample saved as `jVf4P.bin` was opened on dnSpy under the name `Remington`.
Snake Keylogger Functionalities
When the sample is opened, it initially performs operations such as Anti-(VM, Sandboxie, Windows Defender, TaskMgr), but all of them were found to be empty.
Sample includes some functions that extract data from mail clients (Outlook, FoxMail, ThunderBird etc.).
After creating a variable that holds the password types in this function, it travels in reg keys that hold Outlook related data. It classifies the data it finds according to the types it and decrypts them with the `decryptOutlookPassword` function.
In the sample, functions that steal Autofill, Credit Card, Downloads, TopSites, Cookies data from all of the following services were seen.
- Chrome
- Firefox
- QQ
- CocCoc
- orbitum
- Amigo
- Xpom
- Kometa
- Nichrome
- Slimjet
- Iridium
- Vivaldi
- Iron
- Chromium
- Ghost
- Cent
- xVast
- Chedot
- Superbird
- 360_English
- 360_China
- Comodo
- Brave
- Torch
- UC
- Blisk
- Epic
- Kinza
- BlackHawk
- Citrio
- Uran
- Coowon
- 7Star
- QIPSurf
- Sleipnir
- Chrome_Canary
- CoolNovo
- Sputnik
- Falkon
- MicrosoftEdge
This function is responsible for the AntiBot (or Sandbox) feature. Some of the ip addresses in this function belong to sandboxes.
This function is responsible for sending the stealed data through the communication channel (SMTP, FTP, Server, Telegram, Discord) specified by the threat actor.
Config Extraction
According to the configuration, SMTP was used for communication:
It was seen that SMTP credentials was DES Encrypted.
You can find Python script that decrypts DES encryption below:
from Crypto.Cipher import DES
import base64
import hashlib
def md5(string: bytes) -> bytes:
return bytes.fromhex(hashlib.md5(string).hexdigest())
def DES_Decrypt(text, key_string):
key = md5(key_string.encode('ascii'))[:8]
decoded_base64 = base64.b64decode(text)
cipher = DES.new(key, DES.MODE_ECB)
decrypted_data = cipher.decrypt(decoded_base64)
decrypted_text = decrypted_data.decode('ascii', errors='ignore')
padding_len = decrypted_data[-1]
if padding_len < len(decrypted_data):
return decrypted_text[:-padding_len]
return decrypted_text
des_key = "BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr"
SMTP_Email = DES_Decrypt("oKnNXjF/996A6rKcL17Mjd/X1X93joJ2", des_key)
# SMTP_PWD = DES_Decrypt("...", des_key)
SMTP_Server = DES_Decrypt("wV51Ia4jiwhF7x74OH8OKA==", des_key)
SMTP_Reciever = DES_Decrypt("dQlDGPXtKgtnNbdu91hVy2Me+HSdEz9z", des_key)
SMTP_PORT = DES_Decrypt("oXrxxBiV5W8=", des_key)
print(f"Email: {SMTP_Email}\nPassword: ...\nServer: {SMTP_Server}\nReciever: {SMTP_Reciever}\nPort: {SMTP_PORT}")
Output:
Email: royals@htcp.homes
Password: ...
Server: mail.htcp.homes
Reciever: royal@htcp.homes
Port: 587
YARA Rule of Cassandra Protector
import "dotnet"
import "pe"
import "math"
rule SUSP_NET_Cassandra_Protector_Feb_11 : EXE NET {
meta:
description = "This rule detects samples built with Cassandra."
author = "Utku / Malwation"
date = "2025-02-11"
sharing = "TLP:CLEAR"
tags = "windows,exe,dotnet,suspicious,protector"
sample = "0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4"
reference = "https://app.threat.zone/submission/64115637-e2c8-48c9-8d75-f1de2cf7c9f9"
os = "Windows"
category = "Suspicious"
strings:
$lib1 = "System.Drawing.Bitmap" ascii
$lib2 = "QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" ascii
$lib3 = "System.Resources.ResourceReader" ascii
$lib4 = "System.Reflection" ascii
$func1 = {28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 0A 19 ?? ?? ?? ?? ?? 25 16 ?? ?? ?? ?? ?? A2 25 17 ?? ?? ?? ?? ?? A2 25 18 ?? ?? ?? ?? ?? A2 0B 06 07 0C 08 28 ?? ?? ?? ??}
condition:
dotnet.is_dotnet
and filesize < 2MB
and dotnet.number_of_resources > 1
and for any i in (0..pe.number_of_sections - 1): (
(math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.7 and
(pe.sections[i].name == ".text" or pe.sections[i].name == ".rsrc"))
)
and (all of ($lib*))
and ($func1)
}
Hashes
| Filename | Hash |
|----------|------------------------------------------------------------------|
| Montero | 3c9cddf85962249a967b3827e3edb4acb710dc0e3088c619342e2ce6df35bfbc |
| vJfV | 82fa8156e9d4fb47cd20908818b9172f86ed13eb683041658f242c58ce0a9cff |
| jVf4P | 2859b8700fc6111c40b806d114c43e2e3b4faa536eeab57d604818562905b911 |
| Captive | 11f577cc6b6af304332d47fba2122ffb193e81378662ea7093ebe971107d89d6 |
