Snake malware: The Russian that steals sensitive information for 20 years

Snake Malware: The Russian Spy Tool

Snake malware by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

Snake: The Russian malware that steals sensitive information for 20 years

Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets.

cryptocurrency digital security

Cold Wallet: How to Choose and Use the Best Crypto Storage Solution

Articles digital security

Protect Meta Account Identity Theft with EviPass and EviOTP

2023 Articles cryptocurrency digital security NFC HSM Technologies

How BIP39 helps you create and restore your Bitcoin wallets

Articles cryptocurrency Cybersecurity digital security Phishing

BITB Attacks: How to Avoid Phishing by iFrame

Articles digital security Phishing

Snake Malware: The Russian Spy Tool

Articles cryptocurrency digital security Phishing

ViperSoftX How to avoid the malware that steals your passwords

Articles digital security

What is Juice Jacking and How to Avoid It?

Articles digital security Technical information

Strong Passwords in the Quantum Computing Era

An example of technical analysis of Snake malware

To illustrate how Snake malware works in detail, we will use an example of technical analysis conducted by FortiGuard Labs on a fresh variant of Snake keylogger malware. This variant was captured in November 2021 and was delivered as an Excel file with malicious macro code. The main payload of Snake keylogger malware was an executable file named “Requests07520000652.exe”, which the macro code downloaded and executed

Snake malware’s core component

Several embedded resources were contained in the main payload, which was a .NET assembly file. Reflection loaded another .NET assembly file named “Guna.UI2.dll” into memory, which was one of theml”, which was loaded into memory by reflection. This file contained the core functionality of Snake keylogger malware, such as stealing information, taking screenshots, capturing clipboard data, and communicating with a command and control (C2) server.

How Snake malware steals sensitive data

The information stealing module was responsible for collecting various types of sensitive information from the infected system, such as:

  • System information: computer name, user name, operating system version, processor architecture, etc.
  • Saved credentials: passwords stored in browsers (Chrome, Firefox, Edge), email clients (Outlook), FTP clients (FileZilla), etc.
  • Keystrokes: keyboard input from various applications (browsers, email clients, chat programs, etc.)
  • Screenshots: images of the desktop or active window at regular intervals
  • Clipboard data: text or images copied to the clipboard

Snake stored the collected information in a temporary folder with random names and encrypted it with AES.

How Snake malware communicates with its operators

After the previous subsection, you can add this subsection:

The communication module was responsible for sending the encrypted information to a C2 server and receiving commands from it. The C2 server used a domain name that was generated by an algorithm based on the current date. The communication protocol used HTTP POST requests with custom headers and parameters. Snake encoded the data with Base64 and encrypted it with AES.

Some of the commands that the C2 server could send to the malware were:

  • GetInfo: request system information from the malware
  • GetLogs: request keystroke logs from the malware
  • GetClipboard: request clipboard data from the malware
  • GetScreen: demander des captures d’écran du malware
  • Mise à jour : téléchargez et exécutez une version mise à jour du malware
  • Désinstaller: supprimer le malware du système

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.