The increase in geopolitical tensions in the Middle East, with the conflict between Iran and Israel and the recent US involvement, could have a direct and global impact on logistics and oil prices.<\/p>\n\n\n\n
This element could be used within social engineering phishing as has been detected in this case. This could be an indicator that the target of the campaign could be against organisations in the oil sector. On the other hand, they could exploit this theme due to the growing fear that is being generated in the Middle East regarding the possible increase in the price of oil and possible logistical problems in the event of a hypothetical closure of the Strait of Hormuz. <\/p>\n\n\n\n
Within the body of the email it can be seen that it is intended to impersonate one of Kazakhstan’s main oil companies: LLP KSK PETROLEUM LTD OIL AND GAS. Kazakhstan is one of the largest oil producers in Central Asia and a major gas producer.2<\/a><\/sup><\/p>\n\n\n\n The campaign will use spearphishing emails offering oil products with a malicious attachment containing a zipped file.<\/p>\n\n\n This archive will contain a number of binaries, including the legitimate executable jsadebugd.exe vulnerable to the Sideloading Dll technique which will have been renamed to \u2018001 PETROLEUMLTD LLP KSK SCO 1 ORIGINAL (1).exe\u2019. When executed by the user this executable will load the malicious DLL jli.dll.<\/p>\n\n\n The Snake Keylogger binary will be stored inside the file \u2018concrt141.dll\u2019. To evade detection by security tools, binary data will have been added to the beginning of the file, just before the MZ header.<\/p>\n\n\n This binary will be injected into the legitimate InstallUtil.exe<\/strong> process. As a form of persistence, the contents of the compressed file will be copied to the folder “%USERPROFILE%\\SystemRootDoc”.<\/strong> The persistence key “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\001 PETROLEUMLTD LLP KSK SCO 1 ORIGINAL (1)”<\/strong> will then be created with the command “cmd.exe \/C start “” \/D “%USERPROFILE%\\SystemRootDoc” “%USERPROFILE%\\SystemRootDoc\\001 PETROLEUMLTD LLP KSK SCO 1 ORIGINAL (1).exe”.<\/strong><\/p>\n\n\n The SnakeLogger malware will send the IP of the computer along with the country of origin using legitimate websites such as reallyfreegeoip.org<\/strong> and checkip.dyndns.org.<\/strong><\/p>\n\n\n Snake Keylogger will also exfiltrate passwords from various applications and browsers.<\/p>\n\n\n Below is the complete list of browsers from which data was collected by the sample.<\/p>\n\n\n\n The full list of applications collected by the sample is shown below.<\/p>\n\n\n\n In addition the malware will collect the Windows product key of the device.<\/p>\n\n\n All this information will be exfiltrated through the SMTP protocol by sending mails from the account serverhar244@gpsamsterdamqroup[.]com<\/strong> to harrysnakelogger@dklak[.]cam.<\/strong><\/p>\n\n\n In addition to the analysed sample, 29 others have been identified that also make use of the legitimate jsadebugd.exe binary. This behaviour has not been observed previously and seems to be characteristic of this specific campaign. All the samples have been attributed to the same group, as they deploy variants of the Snake Keylogger family, which reinforces the hypothesis of a coordinated operation led by the same actor.<\/p>\n\n\n\n This article analyzes how the actors behind Snake Keylogger take advantage of the current geopolitical situation, in the context of the recent conflict between Iran and Israel and the possible closure of the Strait of Hormuz, to extend its reach and infect new targets. In addition, the group behind this campaign is reportedly using jsadebugd, a legitimate Java executable vulnerable to the DLL sideloading technique, the use of which for malicious purposes has not previously been observed. This suggests an evolution in the group’s tactics, aimed at evading established detection mechanisms.<\/p>\n\n\n\n The current situation of uncertainty in the Middle East could lead to increased interest from international energy companies in looking for new viable options to buy or sell oil products. In this case, this campaign could seek to take advantage of this profile of energy organisations.<\/p>\n\n\n\nAnalysis<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-25-09-14-30.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-25-17-45-53.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/imagen-1.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-25-18-03-16.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/imagen-1024x57.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-26-11-48-54.png\")
\n
\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-26-18-16-29-1024x168.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/06\/Captura-desde-2025-06-26-11-46-12.png\")
Conclusion<\/h1>\n\n\n\n
References<\/h1>\n\n\n\n
\n
Indicators of Compromise (IoC)<\/h1>\n\n\n\n
Network indicators<\/h3>\n\n\n\n