New SnappyClient Implant Enables Remote Access, Data Theft, and Stealth

In December 2025, security researchers at Zscaler ThreatLabz discovered a new command-and-control (C2) framework implant named SnappyClient.

Attackers deliver this malicious tool using the known HijackLoader malware. Once installed, SnappyClient provides hackers with extensive control over a victim’s machine.

Its capabilities include taking screenshots, recording keystrokes, opening a remote terminal, and stealing sensitive data from web browsers and other applications.

Attack Chain and Evasion Tactics

The deployment of SnappyClient often begins with deceptive websites. In one observed campaign, attackers created a fake website mimicking the site of Telefónica, a major telecommunications company.

The site targeted German-speaking users by displaying realistic product features and branding. When a victim visited the page, the HijackLoader executable automatically downloaded to their system.

If the user ran the file, HijackLoader decrypted and launched SnappyClient. Researchers also observed SnappyClient being spread through social media, utilizing a GhostPulse and ClickFix intrusion chain.

To stay hidden from security software, SnappyClient uses advanced evasion tricks. It bypasses the Antimalware Scan Interface (AMSI) by altering how the system checks for malicious code, forcing the scanner to always report the process as clean.

The malware also uses techniques such as Heaven’s Gate, direct system calls, and transactional hollowing to mask its activities and avoid triggering endpoint detection systems.

Furthermore, it checks if a device is on a “banned” list to avoid running in security research environments.

Example attack chain of a campaign delivering SnappyClient (Source: Zscaler)

Configuration and Network Communication

SnappyClient carries a plaintext JSON configuration embedded within its code. This configuration dictates the malware’s basic rules, such as where to store stolen data and how to establish persistence so that it survives computer restarts.
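An embedded plaintext configuration is a gift to the analyst: it can be pulled straight out of the binary without running the sample. The Python routine below is an added example, not Zscaler's tooling or anything from the report; it scans a byte buffer for balanced-brace spans that parse as JSON objects and returns each one with its file offset. The sample "binary" and its configuration keys are constructed for this example and do not reflect SnappyClient's actual configuration format.

```python
import json

# Constructed sample: a fake executable-like byte blob with a JSON configuration
# embedded between opaque bytes. The keys are hypothetical, not SnappyClient's.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"\x48\x89\xe5\xcc\xff"
    + b'{"stash_dir": "%APPDATA%\\\\cache", '
    b'"persist": {"method": "run_key", "name": "Updater"}, '
    b'"beacon_interval": 30}'
    + b"\xcc" * 12
    + b"{not json at all"  # decoy: looks like a brace but never closes
    + b"\x00" * 16
)


def extract_embedded_json(data: bytes, min_keys: int = 1):
    """Return a list of (offset, dict) for every balanced-brace span that parses
    as a JSON object. Control bytes outside a string end the candidate early,
    which keeps the scan cheap on real binaries."""
    results = []
    n = len(data)
    i = data.find(b"{")
    while i != -1:
        depth = 0
        in_str = False
        esc = False
        end = -1
        for j in range(i, n):
            c = data[j]
            if in_str:
                if esc:
                    esc = False
                elif c == 0x5C:  # backslash escapes the next char inside a string
                    esc = True
                elif c == 0x22:  # closing quote
                    in_str = False
            elif c == 0x22:
                in_str = True
            elif c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
                if depth == 0:
                    end = j
                    break
            elif c < 0x20 and c not in (0x09, 0x0A, 0x0D):
                break  # raw control byte: this is not JSON text
        if end != -1:
            try:
                obj = json.loads(data[i:end + 1].decode("utf-8"))
                if isinstance(obj, dict) and len(obj) >= min_keys:
                    results.append((i, obj))
                    i = data.find(b"{", end + 1)  # continue after this object
                    continue
            except (UnicodeDecodeError, ValueError):
                pass
        i = data.find(b"{", i + 1)
    return results


if __name__ == "__main__":
    for offset, cfg in extract_embedded_json(SAMPLE_BINARY):
        print(f"config at offset {offset:#x}: {json.dumps(cfg, indent=2)}")
```

Run it against a file with `extract_embedded_json(open(path, "rb").read())`; nested objects are handled by the depth counter, and string escapes are honoured so a `}` inside a quoted value does not end the candidate early.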

Once active, the implant connects to its C2 server to download two encrypted databases: EventsDB and SoftwareDB.

EventsDB tells the malware what actions to take when specific conditions are met, such as stealing clipboard data if it matches a certain pattern. SoftwareDB provides a list of specific web browsers and applications to target for data theft.

Example website impersonating the telecom company Telefónica delivering HijackLoader that drops SnappyClient (Source: Zscaler)

The malware communicates with its server over a custom TCP protocol.

All messages are compressed and then encrypted with the ChaCha20-Poly1305 algorithm, so network defenders cannot read the traffic. When the malware first connects, it sends a detailed registration message to the attackers.

Registration Data Collected   Description
System Identity               Computer name, username, and a unique system ID.
Hardware Specs                Total RAM, processor count, and display monitor details.
Software Environment          Windows version, installed antivirus tools, and targeted applications.
Activity Metrics              Active window title and time elapsed since the last user input.
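Because every message is compressed and then wrapped in ChaCha20-Poly1305, a network sensor never sees fields like those in the table; all it can observe is an opaque, high-entropy payload on a protocol it does not recognise. The Python example below is added here and is not part of the Zscaler research or of any SnappyClient code; it shows the byte-entropy heuristic a defender can use to flag such streams. Both samples are constructed: the plaintext JSON mirrors the registration categories above with hypothetical field names, and the "encrypted" message is a seeded pseudo-random byte string standing in for AEAD ciphertext, since real ChaCha20-Poly1305 output is indistinguishable from random bytes.

```python
import json
import math
import random
from collections import Counter


def shannon_entropy(payload: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def looks_encrypted(payload: bytes, threshold: float = 7.0, min_len: int = 256) -> bool:
    """Flag a payload as probably compressed-and-encrypted.
    Short payloads are skipped because entropy estimates on a few bytes are noisy."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


def classify_flows(flows: dict) -> dict:
    """Map each flow name to True if its payload looks opaque, else False."""
    return {name: looks_encrypted(payload) for name, payload in flows.items()}


# Constructed sample: a plaintext registration-style message. Field names are
# hypothetical and only mirror the categories in the table above.
PLAINTEXT_MSG = json.dumps({
    "computer_name": "WS-FINANCE-07",
    "user": "m.mueller",
    "system_id": "c0ffee-0001",
    "ram_mb": 16384,
    "cpus": 8,
    "monitors": ["1920x1080", "2560x1440"],
    "os": "Windows 10 22H2",
    "av": ["Windows Defender"],
    "apps": ["chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"],
    "active_window": "Inbox - Outlook",
    "idle_seconds": 42,
}).encode()

# Constructed sample: deterministic pseudo-random bytes standing in for a
# ChaCha20-Poly1305 ciphertext. This is NOT encryption, only opaque-looking data.
OPAQUE_MSG = random.Random(2025).randbytes(1024)

SAMPLE_FLOWS = {
    "registration_plaintext": PLAINTEXT_MSG,
    "registration_opaque": OPAQUE_MSG,
}

if __name__ == "__main__":
    for name, payload in SAMPLE_FLOWS.items():
        print(f"{name}: {len(payload)} bytes, "
              f"entropy={shannon_entropy(payload):.2f}, "
              f"flag={looks_encrypted(payload)}")
```

High entropy alone is not a verdict: TLS, compressed downloads and media streams score just as high. The signal is useful when combined with context the sensor does have, such as a non-standard port, a destination with no reputation, or a process that has no business talking raw TCP.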

After registration, the server can issue various commands. Attackers can grab screenshots, manage running processes, or explore the victim’s files.

The malware even includes a built-in compression tool that uses the 7-Zip library to archive and extract files before stealing them. These extensive features make SnappyClient a highly capable tool for modern cyber espionage and data theft.


The post New SnappyClient Implant Enables Remote Access, Data Theft, and Stealth appeared first on Cyber Security News.
