Snake malware, by Jacques Gascuel. This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.
Snake: The Russian malware that steals sensitive information for 20 years
Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets.
The origin of the name Snake
The malware authors named the malware Snake themselves, as it appears in the data that Snake exfiltrates from compromised systems. It is also known by the names Uroboros, Turla, Venomous Bear or Waterbug. These names are used by different security researchers or vendors to refer to the same malware family.
The Mac version of Snake malware
In 2017, security researchers discovered a Mac version of Snake malware. It had many similarities with the Windows version, such as the use of encryption and fragmentation for communication, the ability to execute commands and download modules, and the presence of the name “Snake” in the exfiltrated data. However, it also had some differences, such as the use of a fake Adobe Flash Player installer to infect systems, the use of a launch daemon to achieve persistence, and the use of a Python script to run the main payload. The Mac version of Snake malware showed that the FSB was expanding its target range to include Mac users.
What is Snake?
Snake is a malware that implants itself on infected systems and steals confidential information, such as documents, communications or credentials. It is implemented in the .NET programming language and uses custom communication protocols that employ encryption and fragmentation to ensure confidentiality and avoid detection. It is capable of spreading on local networks and bypassing security measures.
The name Snake comes from the name that the malware authors gave it themselves, as it appears in the data that Snake exfiltrates from compromised systems [1]. It is also known by the names Uroboros, Turla, Venomous Bear or Waterbug.
The technical features of Snake
Snake is implemented in the .NET programming language, and it relies on custom communication protocols with encryption and fragmentation to ensure confidentiality and avoid detection. It is capable of spreading on local networks and bypassing security measures. It can also execute commands on infected systems and download additional modules or payloads.
Another variant of Snake malware is Snake ransomware, also known as Ekans. This variant targets manufacturers and industrial control systems. It can infect an entire network before activating and encrypting files. It also attempts to stop processes related to industrial control systems, such as SCADA and HMI software. This can cause serious disruption and damage to critical infrastructure. Snake malware as a ransomware threat demands a ransom in Bitcoin to decrypt the files. Some of its victims include Honda and Enel Group.
How does Snake work?
Snake works by creating a covert peer-to-peer (P2P) network of many infected computers worldwide. Many of these systems serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s final targets. Thus, Snake creates an almost undetectable way to transmit stolen information to Russia.
Snake mainly targets sectors of interest for Russian intelligence, such as governments, research facilities, journalists, or financial and technological sectors. Among the identified victims are NATO member countries, media and educational organizations in the United States, or critical infrastructure sectors such as government facilities, financial services, critical manufacturing or communications [2].
Snake has been used by the FSB since 2004 and has undergone numerous adaptations and revisions to remain viable after several public disclosures and other mitigation measures [2]. On the computers it has compromised, the Snake implant persists indefinitely on the system, usually without being detected by the owner or authorized users of the system [3].
The disclosure and disruption of Snake
On May 9, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and its partners issued a joint advisory to disclose the threat of Snake malware. The advisory provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat. On the same day, the US Department of Justice announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by Snake malware.
An example of technical analysis of Snake malware
To illustrate how Snake malware works in detail, we will use an example of technical analysis conducted by FortiGuard Labs on a fresh variant of Snake keylogger malware. This variant was captured in November 2021 and was delivered as an Excel file with malicious macro code. The main payload of Snake keylogger malware was an executable file named “Requests07520000652.exe”, which the macro code downloaded and executed.
Snake malware’s core component
The main payload was a .NET assembly file that contained several embedded resources. One of these, another .NET assembly named “Guna.UI2.dll”, was loaded into memory by reflection. This file contained the core functionality of Snake keylogger malware, such as stealing information, taking screenshots, capturing clipboard data, and communicating with a command and control (C2) server.
How Snake malware steals sensitive data
The information stealing module was responsible for collecting various types of sensitive information from the infected system, such as:
- System information: computer name, user name, operating system version, processor architecture, etc.
- Saved credentials: passwords stored in browsers (Chrome, Firefox, Edge), email clients (Outlook), FTP clients (FileZilla), etc.
- Keystrokes: keyboard input from various applications (browsers, email clients, chat programs, etc.)
- Screenshots: images of the desktop or active window at regular intervals
- Clipboard data: text or images copied to the clipboard
Snake stored the collected information in a temporary folder with random names and encrypted it with AES.
How Snake malware communicates with its operators
The communication module was responsible for sending the encrypted information to a C2 server and receiving commands from it. The C2 server used a domain name that was generated by an algorithm based on the current date. The communication protocol used HTTP POST requests with custom headers and parameters. Snake encoded the data with Base64 and encrypted it with AES.
Some of the commands that the C2 server could send to the malware were:
- GetInfo: request system information from the malware
- GetLogs: request keystroke logs from the malware
- GetClipboard: request clipboard data from the malware
- GetScreen: request screenshots from the malware
- Update: download and run an updated version of the malware
- Uninstall: remove the malware from the system
How Operation MEDUSA neutralized Snake
Operation MEDUSA used a tool created by the FBI named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. This effectively disabled the malware on infected computers and prevented it from communicating with other nodes or exfiltrating data. The operation also seized several domains used by Snake to communicate with its infrastructure.
How to mitigate against Snake
The joint advisory from CISA and its partners provides several recommendations to mitigate against Snake malware. These include:
- Updating antivirus software and scanning for indicators of compromise (IOCs)
- Implementing network segmentation and firewall rules
- Applying security patches and updates
- Enforcing strong password policies and multi-factor authentication
- Disabling unnecessary services and ports
- Educating users about phishing and social engineering
- Reporting any suspicious activity or incidents to CISA or law enforcement
How to detect Snake?
The detection of Snake can be difficult due to its high level of stealth and its use of custom protocols. However, there are some ways to identify the presence of the malware on a system or a network.
- On the infected system, it is possible to spot a Windows service named “Windows Error Reporting Service” that is not the legitimate service of the same name. This malicious service executes a WerFault.exe file hidden among the many valid Windows WerFault.exe files in the %windows%\WinSxS directory. This file is responsible for decrypting and loading Snake’s components into memory [2].
- On the infected network, it is possible to use network intrusion detection systems (NIDS) to identify some of Snake’s custom communication protocols, such as UDP with XOR fragmentation or TCP with RC4 encryption. These protocols are described in detail in the joint warning issued by the partner agencies [2].
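As an added illustration (not code from the article, FortiGuard or the CISA advisory), the host-side check above written as a small Python audit over constructed service records: it flags a service that claims to be the Windows Error Reporting Service but is not hosted by System32\svchost.exe, or whose image path is a WerFault.exe under WinSxS. The service names and the WinSxS component directory in the sample are invented, and the svchost.exe baseline for the legitimate WerSvc is an assumption about a default Windows install.

```python
"""Added example, not from the article: audit a Windows service inventory for
the masquerading 'Windows Error Reporting Service' described above."""
import re
from dataclasses import dataclass

# Constructed sample records in (Name, DisplayName, PathName) form, as a
# `Get-CimInstance Win32_Service` export would give them.  Service names and
# the WinSxS component directory are invented for the example.
SAMPLE_SERVICES = [
    ("WerSvc", "Windows Error Reporting Service",
     r"%SystemRoot%\System32\svchost.exe -k WerSvcGroup"),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("SampleSvc", "Sample Service", r'"C:\Program Files\Sample\svc.exe" -run'),
    ("WerReportSvc", "Windows Error Reporting Service",
     r"C:\Windows\WinSxS\amd64_sample-component_1.0.0.0\WerFault.exe"),
]

WER_DISPLAY_NAME = "windows error reporting service"
# Assumed baseline: the legitimate WerSvc runs inside System32\svchost.exe.
LEGIT_WER_HOST = re.compile(r"\\system32\\svchost\.exe$")


@dataclass(frozen=True)
class Finding:
    name: str
    executable: str
    reason: str


def executable_of(path_name: str) -> str:
    """Lower-cased executable path taken from a service PathName, with
    %SystemRoot% and %windir% expanded to C:\\Windows (assumed system drive)."""
    p = path_name.strip()
    if p.startswith('"'):
        # quoted image path: everything up to the closing quote
        exe = p[1:p.find('"', 1)]
    else:
        # unquoted image path: the executable ends at the first ".exe" token
        m = re.match(r"(.+?\.exe)(\s|$)", p, re.I)
        exe = m.group(1) if m else p.split()[0]
    exe = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", exe, flags=re.I)
    return exe.lower()


def audit_services(records) -> list:
    """Return one Finding per service that matches either indicator."""
    findings = []
    for name, display, path_name in records:
        exe = executable_of(path_name)
        reasons = []
        # Indicator 1: the display name of the real WER service, but a host
        # process other than System32\svchost.exe.
        if display.lower() == WER_DISPLAY_NAME and not LEGIT_WER_HOST.search(exe):
            reasons.append("display name claims Windows Error Reporting but "
                           "the host is not System32\\svchost.exe")
        # Indicator 2: a registered service whose image is a WerFault.exe
        # living in the WinSxS store, where the decoy copies are hidden.
        if "\\winsxs\\" in exe and exe.endswith("werfault.exe"):
            reasons.append("registered service image is a WerFault.exe under WinSxS")
        if reasons:
            findings.append(Finding(name, exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f.name}: {f.executable} -> {f.reason}")
```

On a live host the same records can be pulled from `Get-CimInstance Win32_Service` (Name, DisplayName, PathName) and fed to `audit_services`.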
How extensive is Snake infection?
According to the partner agencies that issued the joint warning on Snake, malware infrastructure has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, including the United States and Russia itself [2]. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities and journalists. For example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country [2]. In the United States, the FSB has affected sectors such as education, small businesses and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing and communications [2].
Snake: All its features to collect sensitive data on compromised systems
Snake has a set of features that allow it to collect various sensitive data on compromised systems. Among these features are:
- The ability to execute arbitrary commands remotely on the infected system.
- The ability to download or upload files from or to the infected system.
- The ability to enumerate or modify Windows registry keys or values.
- The ability to enumerate or modify files or directories present on the infected system.
- The ability to enumerate or modify processes or services running on the infected system.
- The ability to capture screenshots of the infected system.
- The ability to record keystrokes (keylogging) on the infected system.
- The ability to collect various information about the infected system, such as its hostname, IP address, username or password [1].
What are the statistics on Snake malware?
There are no official statistics on the exact number of computers infected by Snake or on the amount of information stolen by the malware. However, we can rely on some indicators to get an approximate idea of the scale of the phenomenon.
- According to Cybereason, a cybersecurity company that analyzed a variant of the malware in 2020, Snake was distributed via a massive malicious email campaign that affected more than 100,000 recipients in more than 30 countries [1].
- According to CISA, the US agency responsible for cybersecurity and critical infrastructure security, which published a joint warning with several partners in 2023, the malware’s infrastructure has been identified in more than 50 countries across six continents [2].
- According to CBS News, an American media outlet that reported on the operation conducted by the FBI to neutralize the Snake network in the United States in 2023, the malware was used for 20 years by the FSB to collect sensitive intelligence from hundreds of infected computers [3].
What are the technical characteristics of Snake?
Snake is a feature-rich malware that poses a significant threat to users’ privacy and security. Some of its technical characteristics are:
- It is implemented in the .NET programming language and uses custom communication protocols that employ encryption and fragmentation to ensure confidentiality and avoid detection.
- It consists of several components that are encrypted and stored either in files or in registry keys on infected systems. These components are decrypted and loaded into memory at runtime by a loader component.
- It uses different techniques for persistence on infected systems, such as creating malicious Windows services or modifying legitimate ones.
- It uses different techniques for stealth on infected systems, such as hiding its files among valid Windows files or using steganography to hide its malicious code in PNG images.
- It uses different techniques for propagation on local networks, such as exploiting vulnerabilities or using stolen credentials.
- It uses different techniques for exfiltration of stolen data from infected systems, such as custom UDP or TCP protocols with encryption or fragmentation, or legitimate applications such as Telegram [1][2].
What are the consequences of data theft by Snake?
The consequences of data theft by Snake can be serious for both individuals and organizations. Depending on the type of data stolen, Snake can:
- Compromise the privacy and security of victims by exposing their personal and professional information.
- Cause financial losses and damages to victims by stealing their credentials and accessing their accounts.
- Disrupt the operations and services of victims by affecting their availability and integrity.
- Undermine the reputation and trustworthiness of victims by damaging their image and credibility.
- Endanger the national security interests of victims by revealing their secrets and strategies.
For example, Snake was used by the FSB to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country [2]. This could have serious implications for the foreign policy and security of the alliance.
What is the impact of Snake malware on businesses?
The impact of Snake malware on businesses can be significant, depending on the type of sector or industry they belong to. Businesses targeted by Snake may face:
- Loss of competitive advantage and innovation through the theft of their intellectual property and trade secrets.
- Loss of market share and customers through the theft of their business plans and customer data.
- Loss of revenue and profit through the theft of their financial information and the disruption of their operations.
- Loss of reputation and trust through the theft of their confidential information and damage to their brand image.
- Legal and regulatory compliance issues through the theft of their sensitive information and the violation of their obligations.
For example, Snake was used by the FSB to victimize industries including education, small businesses and media organizations in the United States [2]. These industries may have suffered economic and social consequences from the exposure of their data and the disruption of their services.
What is the impact of Snake on governments, NGOs, press and other sensitive activities?
The impact of Snake on governments, NGOs, press and other sensitive activities can be severe, depending on the type and level of information stolen by the malware. These entities may face:
- Loss of sovereignty and national security by exposing their secrets and strategies to a foreign adversary.
- Loss of credibility and influence by exposing their diplomatic communications and international relations documents to public scrutiny or manipulation.
- Loss of human rights and democracy by exposing their activists, journalists and dissidents to harassment, intimidation or persecution.
- Loss of public trust and accountability by exposing their corruption, fraud or misconduct to whistleblowers or watchdogs.
- Legal and ethical issues by exposing their confidential sources, informants or witnesses to danger or retaliation.
For example, Snake was used by the FSB to target government networks in NATO member countries, as well as media and educational organizations in the United States [1]. These targets may have suffered serious consequences for their security, reputation and integrity.
How exactly does Snake spread?
Snake uses several techniques to infect systems and networks, including:
- Exploiting vulnerabilities in software or hardware to gain access to systems or networks. For example, Snake used a Microsoft Word vulnerability (CVE-2017-11882) to deliver malicious documents to victims in Central and Eastern Europe [1].
- Using phishing emails with malicious attachments or links to trick users into opening or downloading Snake. For example, Snake used a massive email campaign that targeted more than 100,000 recipients in more than 30 countries with PNG images that contained hidden malicious code [2].
- Using stolen credentials or brute-force attacks to log into systems or networks. For example, Snake used credentials stolen by other malware campaigns or by keylogging to access systems or networks of interest [1].
- Using lateral movement techniques to spread within a network. For example, Snake used tools such as Mimikatz, PsExec or WMI to move from one system to another within a network [1].
- Using a covert peer-to-peer (P2P) network to communicate with other infected systems and relay nodes. For example, Snake used custom UDP or TCP protocols with encryption and fragmentation to transmit data to and from its command and control servers [1].
How to protect yourself from Snake malware?
To protect yourself from Snake malware, you should follow some best practices in terms of computer security. These include:
- Regularly update your operating systems and applications with the latest security patches.
- Use effective antivirus and antimalware solutions and keep them up to date.
- Enable firewall and configure strict rules to limit incoming and outgoing traffic.
- Apply the principle of least privilege and limit access to sensitive data to only authorized users.
- Educate yourself and your users on the risks related to unsolicited or suspicious emails and attachments.
- Perform regular backups of your important data and store them offline or in a secure location.
- Monitor for anomalies or suspicious activities on your networks and report any potential incident.
Find out more:
For more information on Snake and how to protect yourself from it, you can consult the joint warning issued by intelligence and cybersecurity agencies [1] or the threat analysis report published by Cybereason [2].
How to protect against Snake ransomware
To protect against Snake ransomware, organizations should follow the same mitigation recommendations as for Snake malware. In addition, they should:
- Implement regular backups of important data and store them offline or in a separate network
- Use antivirus software and scan for ransomware indicators
- Avoid opening suspicious email attachments or links
- Disable macros in Microsoft Office documents
- Use network segmentation and isolation to limit the spread of ransomware
- Report any ransomware incidents to CISA or law enforcement
How to remove Snake from your system?
To remove Snake from your system, you should follow some steps:
- Disconnect your system from the network to prevent further communication with Snake infrastructure.
- Scan your system with updated antivirus or antimalware tools to detect and remove any traces of Snake components.
- Restore your system to a previous clean state using backups or restore points.
- Change the passwords of any accounts that may have been compromised by Snake.
- Report the incident to relevant authorities and seek professional help if needed.
Alternatively, you can use a tool developed by the FBI called Perseus that forces Snake to self-destruct on your system. This tool was used in an operation called Medusa to neutralize the network of Snake in the United States in May 2023 [1].
What is the impact of Snake on businesses and governments?
The impact of Snake on businesses and governments can be significant, depending on the type and level of information stolen by the malware. These entities may face:
- Loss of competitive advantage and innovation by stealing their intellectual property and trade secrets.
- Loss of market share and customers by stealing their business plans and customer data.
- Loss of revenue and profit by stealing their financial information and disrupting their operations.
- Loss of reputation and trust by stealing their confidential information and damaging their brand image.
- Legal and regulatory compliance issues by stealing their sensitive information and violating their obligations.
- Loss of sovereignty and national security by exposing their secrets and strategies to a foreign adversary.
- Loss of credibility and influence by exposing their diplomatic communications and international relations documents to public scrutiny or manipulation.
- Loss of human rights and democracy by exposing their activists, journalists and dissidents to harassment, intimidation or persecution.
- Loss of public trust and accountability by exposing their corruption, fraud or misconduct to whistleblowers or watchdogs.
For example, Snake was used by the FSB to target government networks in NATO member countries, as well as media and educational organizations in the United States [1]. These targets may have suffered serious consequences for their security, reputation and integrity. The FSB also used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country [1]. This could have serious implications for the foreign policy and security of the alliance. In May 2023, the FBI led an operation called Medusa to dismantle the network of Snake in the United States, in collaboration with several partner agencies [2]. The operation involved using a digital tool called Perseus that forced Snake to self-destruct on infected systems. The FBI attributed the operations using Snake to a known unit within Center 16 of the FSB [2].