Snake Malware: The Russian Spy Tool

Message reçu. Here is the same article in English, with some additions on how to prevent Snake from stealing your sensitive data, the technical characteristics of Snake, the consequences of data theft by the malware, and the impact of Snake on businesses and governments. # Snake: The Russian malware that steals sensitive information for 20 years Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets. ## What is Snake? Snake is a malware that implants itself on infected systems and steals confidential information, such as documents, communications or credentials. It is implemented in the .NET programming language and uses custom communication protocols that employ encryption and fragmentation to ensure confidentiality and avoid detection. It is capable of spreading on local networks and bypassing security measures. The name Snake comes from the name that the malware authors gave it themselves, as it appears in the data that Snake exfiltrates from compromised systems. It is also known by the names Uroboros, Turla, Venomous Bear or Waterbug. ## How does Snake work? Snake works by creating a covert peer-to-peer (P2P) network of many infected computers worldwide. Many of these systems serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s final targets. Thus, Snake creates an almost undetectable way to transmit stolen information to Russia. Snake mainly targets sectors of interest for Russian intelligence, such as governments, research facilities, journalists, or financial and technological sectors. Among the identified victims are NATO member countries, media and educational organizations in the United States, or critical infrastructure sectors such as government facilities, financial services, critical manufacturing or communications. Snake has been used by the FSB since 2004 and has undergone numerous adaptations and revisions to remain viable after several public disclosures and other mitigation measures. On the computers it has compromised, the Snake implant persists indefinitely on the system, usually without being detected by the owner or authorized users of the system. ## How to detect Snake? The detection of Snake can be difficult due to its high level of stealth and its use of custom protocols. However, there are some ways to identify the presence of the malware on a system or a network. – On the infected system, it is possible to spot a Windows service named “Windows Error Reporting Service” that is not the legitimate service of the same name. This malicious service executes a file WerFault.exe hidden among the many valid Windows WerFault.exe files in the %windows%WinSxS directory. This file is responsible for decrypting and loading Snake’s components into memory. – On the infected network, it is possible to use network intrusion detection systems (NIDS) to identify some of the custom communication protocols of Snake, such as UDP with XOR fragmentation or TCP with RC4 encryption. These protocols are described in detail in the joint warning issued by partner agencies. ## How extensive is Snake infection? According to partner agencies that issued the joint warning on Snake, malware infrastructure has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, including the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities and journalists. For example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country. In the United States, the FSB has affected sectors such as education, small businesses and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing and communications. ## Snake: All its features to collect sensitive data on compromised systems Snake has a set of features that allow it to collect various sensitive data on compromised systems. Among these features are: – The ability to execute arbitrary commands remotely on the infected system. – The ability to download or upload files from or to the infected system. – The ability to enumerate or modify Windows registry keys or values. – The ability to enumerate or modify files or directories present on the infected system. – The ability to enumerate or modify processes or services running on the infected system. – The ability to capture screenshots of the infected system. – The ability to record keystrokes (keylogging) on the infected system. – The ability to collect various information about the infected system, such as its hostname, IP address, username or password. ## What are the statistics on Snake malware? There are no official statistics on the exact number of computers infected by Snake or on the amount of information stolen by malware. However, we can rely on some indicators to get an approximate idea of ​​the scale of phenomenon. – According to Cybereason , a cybersecurity company that analyzed a variant of malware in 2020 , Snake was distributed via a massive campaign malicious emails that affected more than 100 , 000 recipients in more than 30 countries [ ^1 ^ ] . – According to CISA , a US agency responsible for cybersecurity and security critical infrastructures that published a joint warning with several partners in 2023 , infrastructure malware has been identified in more than 50 countries across six continents [ ^2 ^ ] . – According to CBS News , an American media outlet that reported operation conducted by FBI to neutralize network Snake in United States in 2023 , malware was used for 20 years by FSB to collect sensitive intelligence from hundreds of infected computers [ ^3 ^ ] . ## What are technical characteristics of snake? Snake is a feature-rich malware that poses a significant threat to users’ privacy and security. Some of its technical characteristics are: – It is implemented in .NET programming language and uses custom communication protocols that employ encryption and fragmentation for confidentiality and avoid detection. – It consists of several components that are encrypted and stored either in files or registry keys on infected systems. These components are decrypted and loaded into memory at runtime by a loader component. – It uses different techniques for persistence on infected systems, such as creating malicious Windows services or modifying legitimate ones. – It uses different techniques for stealth on infected systems, such as hiding its files among valid Windows files or using steganography to hide its malicious code in PNG images. – It uses different techniques for propagation on local networks, such as exploiting vulnerabilities or using stolen credentials. – It uses different techniques for exfiltration of stolen data from infected systems, such as using custom UDP or TCP protocols with encryption or fragmentation, or using legitimate applications such as Telegram . ## How can you prevent snake from stealing your sensitive data? To prevent snake from stealing your sensitive data , you should follow some best practices in terms of computer security . These include : – Regularly update operating systems and applications with latest security patches . – Use effective antivirus and antimalware solutions and keep them up date . – Enable firewall and configure strict rules limit incoming outgoing traffic . – Apply principle least privilege limit access sensitive data only authorized users . – Educate users risks related unsolicited suspicious emails attachments . – Perform regular backups important data store them offline secure location . – Monitor anomalies suspicious activities networks report any potential incident . For more information snake how protect yourself it , you can consult joint warning issued by intelligence cybersecurity agencies [ ^2 ^ ] threat analysis report published by Cybereason [ ^1 ^ ] . ## How can you remove snake from your system? To remove snake from your system , you should follow some steps : – Disconnect your system from network prevent further communication with snake infrastructure . – Scan your system with updated antivirus antimalware tools detect remove any traces snake components . – Restore your system previous clean state using backups restore points . – Change passwords any accounts may have been compromised snake . – Report incident relevant authorities seek professional help needed . Alternatively , you can use tool developed FBI called Perseus force snake self-destruct your system . This tool was used operation Medusa neutralize network snake United States May 2023 [ ^3 ^ ] . ## What are consequences data theft by snake? The consequences data theft by snake can be serious both individuals organizations . Depending type data stolen , snake can : – Compromise privacy security victims exposing their personal professional information . – Cause financial losses damages victims stealing their credentials accessing their accounts . – Disrupt operations services victims affecting their availability integrity . – Undermine reputation trustworthiness victims damaging their image credibility . – Endanger national security interests victims revealing their secrets strategies . For example , snake was used FSB access exfiltrate sensitive international relations documents , well other diplomatic communications , victim NATO country [ ^2 ^ ] . This could have serious implications foreign policy security alliance . ## What is impact snake malware businesses ? The impact snake malware businesses can be significant depending type sector industry they belong . Businesses targeted snake may face : – Loss competitive advantage innovation stealing their intellectual property trade secrets . – Loss market share customers stealing their business plans customer data . – Loss revenue profit stealing their financial information disrupting their operations . – Loss reputation trust stealing their confidential information damaging their brand image . – Legal regulatory compliance issues stealing their sensitive information violating their obligations . For example , snake was used FSB victimize industries including education , small businesses media organizations United States [ ^2 ^ ] . These industries may have suffered economic social