Snake malware by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.
Snake: The Russian malware that steals sensitive information for 20 years
Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets.
cryptocurrency digital security
Cold Wallet: How to Choose and Use the Best Crypto Storage Solution
2023 Articles cryptocurrency digital security NFC HSM Technologies
How BIP39 helps you create and restore your Bitcoin wallets
Articles cryptocurrency Cybersecurity digital security Phishing
BITB Attacks: How to Avoid Phishing by iFrame
Articles cryptocurrency digital security Phishing
ViperSoftX How to avoid the malware that steals your passwords
Articles digital security Technical information
Strong Passwords in the Quantum Computing Era
Snake: The Russian malware that steals sensitive information for 20 years
Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets.
The origin of the name Snake
The malware authors named the malware Snake themselves, as it appears in the data that Snake exfiltrates from compromised systems. It is also known by the names Uroboros, Turla, Venomous Bear or Waterbug. These names are used by different security researchers or vendors to refer to the same malware family.
The Mac version of Snake malware
In 2017, security researchers discovered a Mac version of Snake malware. It had many similarities with the Windows version, such as the use of encryption and fragmentation for communication, the ability to execute commands and download modules, and the presence of the name “Snake” in the exfiltrated data. However, it also had some differences, such as the use of a fake Adobe Flash Player installer to infect systems, the use of a launch daemon to achieve persistence, and the use of a Python script to run the main payload. The Mac version of Snake malware showed that the FSB was expanding its target range to include Mac users.
What is Snake?
Snake is a malware that implants itself on infected systems and steals confidential information, such as documents, communications or credentials. It is implemented in the .NET programming language and uses custom communication protocols that employ encryption and fragmentation to ensure confidentiality and avoid detection. It is capable of spreading on local networks and bypassing security measures.
The name Snake comes from the name that the malware authors gave it themselves, as it appears in the data that Snake exfiltrates from compromised systems1. It is also known by the names Uroboros, Turla, Venomous Bear or Waterbug.
The technical features of Snake
Snake is implemented in the .NET programming language and custom communication protocols with encryption and fragmentation are the tools that Snake uses to ensure confidentiality and avoid detection. It is capable of spreading on local networks and bypassing security measures. It can also execute commands on infected systems and download additional modules or payloads.
Another variant of Snake malware is Snake ransomware, also known as Ekans. This variant targets manufacturers and industrial control systems. It can infect an entire network before activating and encrypting files. It also attempts to stop processes related to industrial control systems, such as SCADA and HMI software. This can cause serious disruption and damage to critical infrastructure. Snake malware as a ransomware threat demands a ransom in Bitcoin to decrypt the files. Some of its victims include Honda and Enel Group.
How does Snake work?
Snake works by creating a covert peer-to-peer (P2P) network of many infected computers worldwide. Many of these systems serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s final targets. Thus, Snake creates an almost undetectable way to transmit stolen information to Russia.
Snake mainly targets sectors of interest for Russian intelligence, such as governments, research facilities, journalists, or financial and technological sectors. Among the identified victims are NATO member countries, media and educational organizations in the United States, or critical infrastructure sectors such as government facilities, financial services, critical manufacturing or communications2.
Snake has been used by the FSB since 2004 and has undergone numerous adaptations and revisions to remain viable after several public disclosures and other mitigation measures2. On the computers it has compromised, the Snake implant persists indefinitely on the system, usually without being detected by the owner or authorized users of the system3.
The disclosure and disruption of Snake
On May 9, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and its partners issued a joint advisory to disclose the threat of Snake malware. The advisory provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat. On the same day, the US Department of Justice announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by Snake malware.
An example of technical analysis of Snake malware
To illustrate how Snake malware works in detail, we will use an example of technical analysis conducted by FortiGuard Labs on a fresh variant of Snake keylogger malware. This variant was captured in November 2021 and was delivered as an Excel file with malicious macro code. The main payload of Snake keylogger malware was an executable file named “Requests07520000652.exe”, which the macro code downloaded and executed
Snake malware’s core component
Several embedded resources were contained in the main payload, which was a .NET assembly file. Reflection loaded another .NET assembly file named “Guna.UI2.dll” into memory, which was one of theml”, which was loaded into memory by reflection. This file contained the core functionality of Snake keylogger malware, such as stealing information, taking screenshots, capturing clipboard data, and communicating with a command and control (C2) server.
How Snake malware steals sensitive data
The information stealing module was responsible for collecting various types of sensitive information from the infected system, such as:
- System information: computer name, user name, operating system version, processor architecture, etc.
- Saved credentials: passwords stored in browsers (Chrome, Firefox, Edge), email clients (Outlook), FTP clients (FileZilla), etc.
- Keystrokes: keyboard input from various applications (browsers, email clients, chat programs, etc.)
- Screenshots: images of the desktop or active window at regular intervals
- Clipboard data: text or images copied to the clipboard
Snake stored the collected information in a temporary folder with random names and encrypted it with AES.
How Snake malware communicates with its operators
After the previous subsection, you can add this subsection:
The communication module was responsible for sending the encrypted information to a C2 server and receiving commands from it. The C2 server used a domain name that was generated by an algorithm based on the current date. The communication protocol used HTTP POST requests with custom headers and parameters. Snake encoded the data with Base64 and encrypted it with AES.
Some of the commands that the C2 server could send to the malware were:
- GetInfo: request system information from the malware
- GetLogs: request keystroke logs from the malware
- GetClipboard: request clipboard data from the malware
- GetScreen: demander des captures d’écran du malware
- Mise à jour : téléchargez et exécutez une version mise à jour du malware
- Désinstaller: supprimer le malware du système
How Operation MEDUSA neutralized Snake
After the previous paragraph, you can add this subsection:
Operation MEDUSA used a tool created by the FBI named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. This effectively disabled the malware on infected computers and prevented it from communicating with other nodes or exfiltrating data. The operation also seized several domains used by Snake to communicate with its infrastructure.
How to mitigate against Snake
After the previous subsection, you can add this subsection:
The joint advisory from CISA and its partners provides several recommendations to mitigate against Snake malware. These include:
- Updating antivirus software and scanning for indicators of compromise (IOCs)
- Implementing network segmentation and firewall rules
- Applying security patches and updates
- Enforcing strong password policies and multi-factor authentication
- Disabling unnecessary services and ports
- Educating users about phishing and social engineering
- Reporting any suspicious activity or incidents to CISA or law enforcement
How to detect Snake?
The detection of Snake can be difficult due to its high level of stealth and its use of custom protocols. However, there are some ways to identify the presence of the malware on a system or a network.
- On the infected system, it is possible to spot a Windows service named “Windows Error Reporting Service” that is not the legitimate service of the same name. This malicious service executes a file WerFault.exe hidden among the many valid Windows WerFault.exe files in the %windows%WinSxS directory. This file is responsible for decrypting and loading Snake’s components into memory2.
- On the infected network, it is possible to use network intrusion detection systems (NIDS) to identify some of the custom communication protocols of Snake, such as UDP with XOR fragmentation or TCP with RC4 encryption. These protocols are described in detail in the joint warning issued by partner agencies2.
How extensive is Snake infection?
According to partner agencies that issued the joint warning on Snake, malware infrastructure has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, including the United States and Russia itself2. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities and journalists. For example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country2. In the United States, the FSB has affected sectors such as education, small businesses and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing and communications2.
Snake: All its features to collect sensitive data on compromised systems
Snake has a set of features that allow it to collect various sensitive data on compromised systems. Among these features are:
- The ability to execute arbitrary commands remotely on the infected system.
- The ability to download or upload files from or to the infected system.
- The ability to enumerate or modify Windows registry keys or values.
- The ability to enumerate or modify files or directories present on the infected system.
- The ability to enumerate or modify processes or services running on the infected system.
- The ability to capture screenshots of the infected system.
- The ability to record keystrokes (keylogging) on the infected system.
- The ability to collect various information about the infected system, such as its hostname, IP address, username or password1.
What are the statistics on Snake malware?
There are no official statistics on the exact number of computers infected by Snake or on the amount of information stolen by malware. However, we can rely on some indicators to get an approximate idea of the scale of phenomenon.
- According to Cybereason , a cybersecurity company that analyzed a variant of malware in 2020 , Snake was distributed via a massive campaign malicious emails that affected more than 100 , 000 recipients in more than 30 countries 1 .
- According to CISA , a US agency responsible for cybersecurity and security critical infrastructures that published a joint warning with several partners in 2023 , infrastructure malware has been identified in more than 50 countries across six continents 2 .
- According to CBS News , an American media outlet that reported operation conducted by FBI to neutralize network Snake in United States in 2023 , malware was used for 20 years by FSB to collect sensitive intelligence from hundreds of infected computers 3 .
What are technical characteristics of snake?
Snake is a feature-rich malware that poses a significant threat to users’ privacy and security. Some of its technical characteristics are:
- It is implemented in .NET programming language and uses custom communication protocols that employ encryption and fragmentation for confidentiality and avoid detection.
- It consists of several components that are encrypted and stored either in files or registry keys on infected systems. These components are decrypted and loaded into memory at runtime by a loader component.
- It uses different techniques for persistence on infected systems, such as creating malicious Windows services or modifying legitimate ones.
- It uses different techniques for stealth on infected systems, such as hiding its files among valid Windows files or using steganography to hide its malicious code in PNG images.
- It uses different techniques for propagation on local networks, such as exploiting vulnerabilities or using stolen credentials.
- It uses different techniques for exfiltration of stolen data from infected systems, such as using custom UDP or TCP protocols with encryption or fragmentation, or using legitimate applications such as Telegram12.
How can you prevent snake from stealing your sensitive data?
To prevent snake from stealing your sensitive data , you should follow some best practices in terms of computer security . These include :
- Regularly update operating systems and applications with latest security patches .
- Use effective antivirus and antimalware solutions and keep them up date .
- Enable firewall and configure strict rules limit incoming outgoing traffic .
- Apply principle least privilege limit access sensitive data only authorized users .
- Educate users risks related unsolicited suspicious emails attachments .
- Perform regular backups important data store them offline secure location .
- Monitor anomalies suspicious activities networks report any potential incident .
For more information snake how protect yourself it , you can consult joint warning issued by intelligence cybersecurity agencies 2 threat analysis report published by Cybereason 1 .
How can you remove snake from your system?
To remove snake from your system , you should follow some steps :
- Disconnect your system from network prevent further communication with snake infrastructure .
- Scan your system with updated antivirus antimalware tools detect remove any traces snake components .
- Restore your system previous clean state using backups restore points .
- Change passwords any accounts may have been compromised snake .
- Report incident relevant authorities seek professional help needed .
Alternatively , you can use tool developed FBI called Perseus force snake self-destruct your system . This tool was used operation Medusa neutralize network snake United States May 2023 3 .
What are consequences data theft by snake?
The consequences data theft by snake can be serious both individuals organizations . Depending type data stolen , snake can :
- Compromise privacy security victims exposing their personal professional information .
- Cause financial losses damages victims stealing their credentials accessing their accounts .
- Disrupt operations services victims affecting their availability integrity .
- Undermine reputation trustworthiness victims damaging their image credibility .
- Endanger national security interests victims revealing their secrets strategies .
For example , snake was used FSB access exfiltrate sensitive international relations documents , well other diplomatic communications , victim NATO country 2 . This could have serious implications foreign policy security alliance .
What is impact snake malware businesses ?
The impact snake malware businesses can be significant depending type sector industry they belong . Businesses targeted snake may face :
- Loss competitive advantage innovation stealing their intellectual property trade secrets .
- Loss market share customers stealing their business plans customer data .
- Loss revenue profit stealing their financial information disrupting their operations .
- Loss reputation trust stealing their confidential information damaging their brand image .
- Legal regulatory compliance issues stealing their sensitive information violating their obligations .
For example , snake was used FSB victimize industries including education , small businesses media organizations United States 2 . These industries may have suffered economic social
Find out more :
What is impact snake malware businesses ?
The impact snake malware businesses can be significant depending type sector industry they belong . Businesses targeted snake may face :
- Loss competitive advantage innovation stealing their intellectual property trade secrets .
- Loss market share customers stealing their business plans customer data .
- Loss revenue profit stealing their financial information disrupting their operations .
- Loss reputation trust stealing their confidential information damaging their brand image .
- Legal regulatory compliance issues stealing their sensitive information violating their obligations .
For example , snake was used FSB victimize industries including education , small businesses media organizations United States . These industries may have suffered economic social consequences from the exposure of their data and the disruption of their services.
What is the impact of Snake on governments, NGOs, press and other sensitive activities?
The impact of Snake on governments, NGOs, press and other sensitive activities can be severe, depending on the type and level of information stolen by the malware. These entities may face:
- Loss of sovereignty and national security by exposing their secrets and strategies to a foreign adversary.
- Loss of credibility and influence by exposing their diplomatic communications and international relations documents to public scrutiny or manipulation.
- Loss of human rights and democracy by exposing their activists, journalists and dissidents to harassment, intimidation or persecution.
- Loss of public trust and accountability by exposing their corruption, fraud or misconduct to whistleblowers or watchdogs.
- Legal and ethical issues by exposing their confidential sources, informants or witnesses to danger or retaliation.
For example, Snake was used by the FSB to target government networks in NATO member countries, as well as media and educational organizations in the United States1. These targets may have suffered serious consequences for their security, reputation and integrity.
How does Snake spread precisely?
Snake spreads precisely by using different techniques to infect systems and networks. Some of these techniques are:
- Exploiting vulnerabilities in software or hardware to gain access to systems or networks. For example, Snake used a Microsoft Word vulnerability (CVE-2017-11882) to deliver malicious documents to victims in Central and Eastern Europe1.
- Using phishing emails with malicious attachments or links to trick users into opening or downloading Snake. For example, Snake used a massive email campaign that targeted more than 100,000 recipients in more than 30 countries with PNG images that contained hidden malicious code2.
- Using stolen credentials or brute-force attacks to log into systems or networks. For example, Snake used credentials stolen from other malware campaigns or from keylogging to access systems or networks of interest1.
- Using lateral movement techniques to spread within a network. For example, Snake used tools such as Mimikatz, PsExec or WMI to move from one system to another within a network1.
- Using covert peer-to-peer (P2P) network to communicate with other infected systems and relay nodes. For example, Snake used custom UDP or TCP protocols with encryption and fragmentation to transmit data to and from its command and control servers1.
How to protect yourself from Snake malware?
To protect yourself from Snake malware, you should follow some best practices in terms of computer security. These include:
- Regularly update your operating systems and applications with the latest security patches.
- Use effective antivirus and antimalware solutions and keep them up to date.
- Enable firewall and configure strict rules to limit incoming and outgoing traffic.
- Apply the principle of least privilege and limit access to sensitive data to only authorized users.
- Educate yourself and your users on the risks related to unsolicited or suspicious emails and attachments.
- Perform regular backups of your important data and store them offline or in a secure location.
- Monitor for anomalies or suspicious activities on your networks and report any potential incident.
find out more :
For more information on Snake and how to protect yourself from it, you can consult the joint warning issued by intelligence and cybersecurity agencies1 or the threat analysis report published by Cybereason2.
How to protect against Snake ransomware
After the previous subsection, you can add this subsection:
To protect against Snake ransomware, organizations should follow the same mitigation recommendations as for Snake malware. In addition, they should:
- Implement regular backups of important data and store them offline or in a separate network
- Use antivirus software and scan for ransomware indicators
- Avoid opening suspicious email attachments or links
- Disable macros in Microsoft Office documents
- Use network segmentation and isolation to limit the spread of ransomware
- Report any ransomware incidents to CISA or law enforcement
How to remove Snake from your system?
To remove Snake from your system, you should follow some steps:
- Disconnect your system from the network to prevent further communication with Snake infrastructure.
- Scan your system with updated antivirus or antimalware tools to detect and remove any traces of Snake components.
- Restore your system to a previous clean state using backups or restore points.
- Change the passwords of any accounts that may have been compromised by Snake.
- Report the incident to relevant authorities and seek professional help if needed.
Alternatively, you can use a tool developed by the FBI called Perseus that forces Snake to self-destruct on your system. This tool was used in an operation called Medusa to neutralize the network of Snake in the United States in May 20231.
What is the impact of Snake on businesses and governments?
The impact of Snake on businesses and governments can be significant, depending on the type and level of information stolen by the malware. These entities may face:
- Loss of competitive advantage and innovation by stealing their intellectual property and trade secrets.
- Loss of market share and customers by stealing their business plans and customer data.
- Loss of revenue and profit by stealing their financial information and disrupting their operations.
- Loss of reputation and trust by stealing their confidential information and damaging their brand image.
- Legal and regulatory compliance issues by stealing their sensitive information and violating their obligations.
- Loss of sovereignty and national security by exposing their secrets and strategies to a foreign adversary.
- Loss of credibility and influence by exposing their diplomatic communications and international relations documents to public scrutiny or manipulation.
- Loss of human rights and democracy by exposing their activists, journalists and dissidents to harassment, intimidation or persecution.
- Loss of public trust and accountability by exposing their corruption, fraud or misconduct to whistleblowers or watchdogs.
For example, Snake was used by the FSB to target government networks in NATO member countries, as well as media and educational organizations in the United States1. These targets may have suffered serious consequences for their security, reputation and integrity. The FSB also used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country1. This could have serious implications for foreign policy and security of the alliance. In May 2023, the FBI led an operation called Medusa to dismantle the network of Snake in the United States, in collaboration with several partner agencies2. The operation involved using a digital tool called Perseus that forced Snake to self-destruct on infected systems. The FBI attributed the operations using Snake to a known unit within Center 16 of the FSB2.
