Snake malware: The Russian malware that steals sensitive information for 20 years

Snake Malware: The Russian Spy Tool

Snake malware, by Jacques Gascuel. This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

Snake: The Russian malware that steals sensitive information for 20 years

Snake is malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a highly sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations against strategic targets.


An example of technical analysis of Snake malware

To illustrate how Snake malware works in detail, we will use an example of technical analysis conducted by FortiGuard Labs on a fresh variant of Snake keylogger malware. This variant was captured in November 2021 and was delivered as an Excel file containing malicious macro code. The main payload of Snake keylogger malware was an executable file named “Requests07520000652.exe”, which the macro code downloaded and executed.

Snake malware’s core component

The main payload was a .NET assembly file that contained several embedded resources. One of them, another .NET assembly named “Guna.UI2.dll”, was loaded into memory by reflection. This file contained the core functionality of Snake keylogger malware, such as stealing information, taking screenshots, capturing clipboard data, and communicating with a command and control (C2) server.
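Because the core module travels as an embedded resource and never touches disk as a separate file, static triage of such a sample should look for PE images nested inside the main payload. The following is an added example, not code from FortiGuard's analysis or from the malware: it carves every valid PE header out of a byte blob and flags which ones are .NET images by checking the CLR runtime header data directory. The host and embedded images are synthetic headers constructed inline for the demonstration, not real samples.

```python
import struct

def build_min_pe(managed: bool, dll: bool = False) -> bytes:
    # Constructed stand-in for a sample: a PE32 header only, nothing executable.
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x102 | (0x2000 if dll else 0)                         # IMAGE_FILE_DLL = 0x2000
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)  # i386, 1 section, 0xE0 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if managed:  # data directory 14 is the CLR runtime header; non-zero marks a .NET image
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)

def parse_pe_at(blob: bytes, pos: int):
    # Validate an "MZ" hit at pos; return header facts, or None if it is not a PE image.
    if pos + 0x40 > len(blob):
        return None
    pe = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]        # e_lfanew -> PE signature
    if pe < pos + 0x40 or pe + 26 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    offs = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)         # PE32 / PE32+ dir offsets
    if offs is None or opt + opt_size > len(blob):
        return None
    ndirs_off, dir_off = offs
    managed = False
    if opt_size >= dir_off + 15 * 8:
        ndirs = struct.unpack_from("<I", blob, opt + ndirs_off)[0]
        clr_rva, clr_size = struct.unpack_from("<II", blob, opt + dir_off + 14 * 8)
        managed = bool(ndirs >= 15 and clr_rva and clr_size)
    return {"offset": pos, "machine": machine, "pe32plus": magic == 0x20B,
            "dll": bool(chars & 0x2000), "managed": managed}

def find_embedded_pe(blob: bytes) -> list:
    # Carve every valid PE header; offset 0 is the host, later hits are embedded images.
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            hits.append(info)
        pos = blob.find(b"MZ", pos + 1)
    return hits

# Constructed sample: a managed host EXE carrying a managed DLL as a blob, plus a decoy "MZ".
SAMPLE = build_min_pe(True) + b"\0" * 64 + b"AMZN" + b"\0" * 64 + build_min_pe(True, dll=True)
```

On a real sample the embedded hits would be the resources to extract and analyse separately; the decoy shows why a bare "MZ" string search is not enough.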

How Snake malware steals sensitive data

The information stealing module was responsible for collecting various types of sensitive information from the infected system, such as:

  • System information: computer name, user name, operating system version, processor architecture, etc.
  • Saved credentials: passwords stored in browsers (Chrome, Firefox, Edge), email clients (Outlook), FTP clients (FileZilla), etc.
  • Keystrokes: keyboard input from various applications (browsers, email clients, chat programs, etc.)
  • Screenshots: images of the desktop or active window at regular intervals
  • Clipboard data: text or images copied to the clipboard

Snake stored the collected information in a temporary folder with random names and encrypted it with AES.

How Snake malware communicates with its operators


The communication module was responsible for sending the encrypted information to a C2 server and receiving commands from it. The C2 server used a domain name that was generated by an algorithm based on the current date. The communication protocol used HTTP POST requests with custom headers and parameters. Snake encoded the data with Base64 and encrypted it with AES.

Some of the commands that the C2 server could send to the malware were:

  • GetInfo: request system information from the malware
  • GetLogs: request keystroke logs from the malware
  • GetClipboard: request clipboard data from the malware
  • GetScreen: request screenshots from the malware
  • Update: download and execute an updated version of the malware
  • Uninstall: remove the malware from the system
