
Snake Malware

Taken down by the FBI after 20 years of existence

 

Key Takeaways

  • In a coordinated operation, the FBI and partner organizations took down the Snake malware's operational infrastructure.
  • Snake has been linked to Center 16 of Russia's FSB and has been in use for almost 20 years.
  • It has been used in numerous targeted operations to collect and exfiltrate valuable data from government and NATO organizations.

Introduction

Snake is malware originally developed by the FSB (Federal Security Service of the Russian Federation) in late 2003 under the name “Uroburos”. Development was completed in early 2004, and the tool was put to use in cyber operations shortly afterwards.

Snake has been one of the major tools of Center 16 of the FSB. It has been in use for almost 20 years, and the FSB has conducted a vast number of operations with it. Snake is also part of the toolset of the Russian Turla group.

Since entering operational use it has been detected in 50 countries across North and South America, Europe, Africa, Asia, and Australia. Snake operators do not focus on specific industries, but the targets are chosen deliberately: Snake has been used to collect data from government networks, research facilities, and journalists, as well as from diplomatic communications in NATO countries.

On 8 May 2023, the FBI, in a coordinated operation with other cybersecurity and intelligence agencies, took down the infrastructure used by the Snake malware. The operation was codenamed MEDUSA.

Technical Details

jpinst.exe and jpsetup.exe are examples of Snake installer names. The installer is packed with custom methods, and the unpacked code is obfuscated by being mixed with legitimate open-source JPEG viewer code. Once unpacked, the installer extracts an executable, which in turn extracts an AES-encrypted blob. Decrypting the blob yields many components, among them further executables used by Snake. The encrypted blob is stored in the registry at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.

Snake goes to unusual lengths to avoid detection. Its kernel module hides its components from any listing available on the Windows machine, and it keeps its data in an encrypted, concealed storage mechanism. This makes Snake very difficult to detect even with external scanning tools.

Snake persists by registering a service, usually named WerFaultSvc to mimic the legitimate Windows service WerSvc. The service launches WerFault.exe at system boot, so Snake survives a shutdown. The Snake executable is hidden in the %windows%\WinSxS\ directory among legitimate Windows executables. This WerFault.exe decrypts the encrypted blob stored at the registry path mentioned above.

During installation, Snake also drops its kernel driver and a DLL. In detected Snake instances the file is named comadmin.dat and is located in %windows%\system32\Com.

The last element of the Snake malware is the Queue File, found in %windows%\Registration. It contains the information Snake needs to operate, e.g. communication channels and operation modes.
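As an added example (not code from this page, from CISA or from the joint report), the following Python triage applies the persistence artifacts described above to constructed service and registry records, so the checks can be read and tested without a live Windows host. The svchost-based image path of the genuine WerSvc, the WinSxS path shape and the blob size threshold are assumptions derived from the text.

```python
from dataclasses import dataclass

MIMIC_SERVICE = "WerFaultSvc"  # service name the page associates with Snake
LEGIT_SERVICE = "WerSvc"       # legitimate Windows Error Reporting service
# Registry key named above as holding the encrypted AES blob.
BLOB_KEY = r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds"
BLOB_MIN_SIZE = 4096           # assumed threshold: genuine ProgId markers are tiny


@dataclass
class Service:
    name: str
    image_path: str  # ImagePath as read from the service's registry key


@dataclass
class RegValue:
    key: str
    name: str
    data: bytes


def flag_services(services):
    """The real WerSvc runs inside svchost.exe, so a service that launches
    WerFault.exe directly, or that reuses the WerFaultSvc name, fits the
    behaviour described above (assumption: no legitimate service does this)."""
    findings = []
    for svc in services:
        image = svc.image_path.lower()
        if svc.name.lower() == MIMIC_SERVICE.lower():
            findings.append(f"{svc.name}: name mimics {LEGIT_SERVICE}")
        if "werfault.exe" in image:
            where = " from WinSxS" if "\\winsxs\\" in image else ""
            findings.append(f"{svc.name}: launches WerFault.exe{where}")
    return findings


def flag_registry_blob(values):
    """Large binary data under the .wav OpenWithProgIds key is out of place."""
    return [f"{v.key}\\{v.name}: {len(v.data)} bytes"
            for v in values
            if v.key.lower() == BLOB_KEY.lower() and len(v.data) >= BLOB_MIN_SIZE]


# Constructed inventory: one legitimate record and one shaped like the page's description.
SAMPLE_SERVICES = [
    Service("WerSvc", r"%SystemRoot%\System32\svchost.exe -k WerSvcGroup"),
    Service("WerFaultSvc", r"C:\Windows\WinSxS\CONSTRUCTED_COMPONENT_DIR\WerFault.exe"),
]
SAMPLE_REGISTRY = [
    RegValue(BLOB_KEY, "ExampleProgId", b""),                 # normal: empty marker value
    RegValue(BLOB_KEY, "constructed_blob", b"\x00" * 65536),  # constructed oversize value
]
```

Running `flag_services(SAMPLE_SERVICES) + flag_registry_blob(SAMPLE_REGISTRY)` reports the mimic name, the WerFault.exe launch from WinSxS and the oversize registry value, and nothing for the genuine WerSvc record.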

Snake utilizes its unique HTTP and raw socket TCP-based protocols for transmitting large volumes of data. These protocols, along with others, allow Snake to use a specific authentication process to differentiate its own data from regular data intended for application software on the compromised server. One of the standout features of Snake is its capability to function effectively as server software without needing to open additional ports on the compromised system. The authentication value specific to each implant is called the “ustart”, and it is stored in the implant’s Queue File. There are several versions of the ustart value, such as “ustart”, “ustart2”, and “ustartl”.

Instead of opening a listening socket on a specific TCP port, the Snake kernel module intercepts the first packet sent from the client to the server following the 3-way handshake in every TCP session. The kernel module then checks whether the contents of that packet match the ustart value for that particular Snake implant. If the values match, the Snake kernel module forwards that packet and all future packets from the same TCP session to Snake’s own processing functionality, leaving the application listening on that port (which is presumably legitimate) unaware of this TCP session. If the values do not match, the Snake kernel module allows the packet — and the rest of the TCP session — to reach the legitimate application, such as web server software.

Every version of the ustart performs authentication by sending a random number (a nonce) along with the result of a mathematical operation on the combination of the nonce and the ustart value itself. The receiving machine extracts the nonce and performs the same calculation to authenticate the sending machine. The ustart2 and ustartl versions use the Fowler-Noll-Vo (FNV) hash algorithm to generate the overall authentication value from the nonce and the ustart. This process varies slightly between the custom Snake HTTP protocol and the custom Snake TCP protocol.

By utilizing the ustart methodology, a node in the Snake peer-to-peer network can function as a server without needing to open any additional ports or interfere with the legitimate functionality of the compromised server. Snake will only communicate over TCP ports that are already being used by another application. This makes it much more challenging to detect Snake compromises through network traffic monitoring. Inbound traffic to an unexpected TCP port can be detected or blocked using a standard firewall or network intrusion detection functionality. Replacing a legitimate service application with a modified executable can lead to detection at either the host or network level. Snake’s technique bypasses both of these security measures. Furthermore, since Snake traffic appears similar to regular traffic, especially in the case of Snake’s HTTP-based protocols, detecting Snake communications becomes difficult without a detailed understanding of Snake’s custom protocols.

Researcher Xavier Knol also noted that Snake conducts C2 operations in a way similar to the BPFDoor Linux backdoor, which was described in detail in Sandfly Security's analysis.

Recommendations

The Detection methods section below describes how to search for Snake instances on host machines.

IoCs

At this moment IoCs are not available.

Detection methods

CISA (Cybersecurity and Infrastructure Security Agency) proposes a Python-based method for searching for Snake instances injected into a process. The code is available at the end of the CISA report.

To hunt for Snake malware, the following YARA rule can be used:

/*
Hunting Russian Intelligence "Snake" Malware

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/

rule Windows_Snake_Malware {
    meta:
        author = "Matt Suiche (Magnet Forensics)"
        description = "Hunting Russian Intelligence Snake Malware"
        creation_date = "2023-05-10"
        threat_name = "Windows.Malware.Snake"
        reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
        severity = 100
        scan_context = "memory"
        license = "MIT"
        os = "windows"

    /* The original search only queries these bytes in PAGE_EXECUTE_WRITECOPY VADs */
    strings:
        $a = { 25 73 23 31 }
        $b = { 25 73 23 32 }
        $c = { 25 73 23 33 }
        $d = { 25 73 23 34 }
        $e = { 2e 74 6d 70 }
        $f = { 2e 74 6d 70 }
        $g = { 2e 73 61 76 }
        $h = { 2e 75 70 64 }

    condition:
        all of them
}
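As an added example (not the page's or Matt Suiche's code), this Python reproduces the rule's logic: it decodes the hex strings to show what they actually search for and applies the "all of them" condition to constructed memory samples, so the rule can be understood without a YARA installation.

```python
# Hex strings copied from the Windows_Snake_Malware rule above.
YARA_HEX_STRINGS = {
    "$a": "25 73 23 31",
    "$b": "25 73 23 32",
    "$c": "25 73 23 33",
    "$d": "25 73 23 34",
    "$e": "2e 74 6d 70",
    "$f": "2e 74 6d 70",
    "$g": "2e 73 61 76",
    "$h": "2e 75 70 64",
}


def decoded_strings() -> dict:
    """Map each YARA identifier to the bytes its hex string denotes; they
    decode to the ASCII text "%s#1".."%s#4", ".tmp", ".sav" and ".upd"."""
    return {ident: bytes.fromhex(hexstr.replace(" ", ""))
            for ident, hexstr in YARA_HEX_STRINGS.items()}


def find_all(buffer: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in buffer (overlaps allowed)."""
    offsets, start = [], buffer.find(pattern)
    while start != -1:
        offsets.append(start)
        start = buffer.find(pattern, start + 1)
    return offsets


def match_snake_rule(buffer: bytes) -> dict:
    """Per-string offsets plus the rule's 'all of them' verdict; a real scan
    would run this over each PAGE_EXECUTE_WRITECOPY region of a process."""
    hits = {ident: find_all(buffer, pat) for ident, pat in decoded_strings().items()}
    return {"strings": hits, "matched": all(hits.values())}


# Constructed memory samples (not captured from a real process).
SAMPLE_POSITIVE = (b"\x00" * 16
                   + b"%s#1\x00%s#2\x00%s#3\x00%s#4\x00"
                   + b"data.tmp\x00state.sav\x00patch.upd\x00")
SAMPLE_BENIGN = b"MZ\x90\x00 ordinary program text: report.tmp backup.sav %s#1 only"

if __name__ == "__main__":
    for ident, pat in decoded_strings().items():
        print(ident, pat.decode("ascii"))
    print("positive sample matched:", match_snake_rule(SAMPLE_POSITIVE)["matched"])
    print("benign sample matched:", match_snake_rule(SAMPLE_BENIGN)["matched"])
```

The benign sample shows why the rule requires every string: a region that merely contains ".tmp", ".sav" and "%s#1" does not match.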


Glossary of terms

AES Advanced Encryption Standard
DLL Dynamic-Link Library
EXE The file extension for executables
JPEG Image compression format and its file extension
HKLM Registry branch: HKEY_LOCAL_MACHINE
TLP Traffic Light Protocol
YARA Pattern-matching tool used for detecting and hunting malware
HTTP Hypertext Transfer Protocol
TCP Transmission Control Protocol
IoC Indicator of Compromise
C2 Command and Control server
