The NJCCIC’s email security solution observed a recent surge in campaigns disseminating 404 Keylogger infostealing malware. 404 Keylogger, also known as SnakeKeylogger, is both a downloader and an information-stealing malware. This malware-as-a-service can steal credentials, log keystrokes, capture screenshots, harvest emails, and grab clipboard data.

The most recent email campaign includes messages claiming to be requests for invoices and product inquiries. The emails contain compressed executables disguised as Microsoft Word documents utilizing Packager Shell Objects (OLE) to exploit vulnerabilities found in Equation Editor. Upon successful exploitation, the LCG Kit downloads and installs AgentTesla and 404 Keylogger.

In another campaign, the phishing emails contained Microsoft Excel attachments. OLE was also utilized to download an HTML Application (HTA) file, which invoked PowerShell to download an executable file to install 404 Keylogger. Once installed, 404 Keylogger issues further PowerShell commands to evade detection and edit scheduled tasks to maintain persistence on the victim’s device. Another security researcher recently alerted users to an uptick in 404 Keylogger attacks; however, the attack vector has not been disclosed despite
calling it a zero-day detection.

Recommendations

• Avoid clicking links and opening attachments in unsolicited emails.
• Confirm requests from senders via contact information obtained from verified and official sources.
• Type official website URLs into browsers manually.
• Facilitate user awareness training to include these types of phishing-based techniques.
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools.
• Report phishing emails and other cyber activity to the FBI’s IC3 and the NJCCIC.