Taken down by the FBI after 20 years of existence
Key Takeaways
- In a coordinated operation, the FBI and partner organizations took down the Snake malware's operational infrastructure.
- Snake malware has been linked to Center 16 of the Russian FSB and has been in use for almost 20 years.
- It has been used in numerous targeted operations to collect and exfiltrate valuable data from government and NATO organizations.
Introduction
Snake is malware originally developed by the FSB (Federal Security Service of the Russian Federation) in late 2003 under the name "Uroburos". Development was completed in early 2004, and the tool was put into operational use shortly afterwards.
Snake has been one of the major tools used by Center 16 of the FSB. It has been in use for almost 20 years, and the FSB has conducted a vast number of operations with it. Snake is also part of the Turla toolset used by Russia.
Its use has been detected in 50 countries around the globe since it entered operational service, with targets in North and South America, Europe, Africa, Asia, and Australia. Snake operators do not target specific industries, but the targets are selected purposefully: it has been used to collect data from government networks, research facilities, and journalists, as well as from diplomatic communications in NATO countries.
On 8 May 2023, the FBI, in a coordinated operation with other cybersecurity and intelligence agencies, took down the infrastructure used by the Snake malware. The operation was codenamed MEDUSA.
Technical Details
jpinst.exe and jpsetup.exe are examples of Snake installer names. The installer is packed with customized methods, and the unpacked code is obfuscated with legitimate open-source JPEG viewer code. Once unpacked, the code extracts an executable file, which in turn extracts an AES-encrypted blob from the executable. Decrypting the blob yields many components, including other executables used by the Snake malware. The encrypted blob can be found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.
To avoid detection, Snake operates with an unusual level of stealth. Its kernel module removes its components from any list available on the Windows machine, and it keeps its components in a concealed, encrypted storage mechanism. This makes Snake very difficult to detect even when external search tools are used.
Snake maintains persistence by registering a service, usually named WerFaultSvc, which mimics the legitimate Windows service WerSvc. The registered service launches WerFault.exe at system boot, allowing Snake to persist after a shutdown. The Snake executable is hidden in the %windows%\WinSxS\ directory among other legitimate Windows executables. WerFault.exe decrypts the encrypted blob stored at the registry path mentioned above.
During installation, Snake drops a kernel driver and a DLL file. In detected Snake instances the file is named comadmin.dat and is located in %windows%\system32\Com.
The last element of the Snake malware is the Queue File, which can be found in %windows%\Registration. This file contains the information necessary for a successful Snake operation, e.g., communication channels and operation modes.
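The host artifacts listed above (the WerFaultSvc service, WerFault.exe launched from WinSxS, comadmin.dat under System32\Com, and the blob under the .wav OpenWithProgIds key) can be checked against data already collected from a machine. The script below is an added example, not code from the original article or from CISA's tooling; the input shapes (service list, file list, registry dump) are this example's own convention, and the 64-byte blob threshold is an assumed heuristic, since OpenWithProgIds values are normally empty or only a few bytes long.

```python
"""Hunt for the Snake host artifacts described above in data already
collected from a Windows machine.

Input shapes (this example's own convention, not any tool's format):
  services : list of {"name": str, "image_path": str}
  files    : list of full paths (str)
  registry : dict mapping a key path to a list of (value_name, data_bytes)
"""
from typing import Dict, List, Tuple

# Artifact names taken from the description above.
SUSPECT_SERVICE = "werfaultsvc"          # mimics the legitimate WerSvc
BLOB_KEY = r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds"
DRIVER_DLL_SUFFIX = r"\system32\com\comadmin.dat"

# Assumed heuristic: a .wav OpenWithProgIds value carrying a sizeable payload
# is unusual enough to warrant a look.
BLOB_MIN_SIZE = 64


def check_services(services: List[Dict[str, str]]) -> List[str]:
    """Flag the WerFaultSvc name, and any service that starts WerFault.exe
    from somewhere other than System32. A WerFault.exe file inside the WinSxS
    component store is normal on its own; a service pointing at it is not."""
    findings = []
    for svc in services:
        name = svc["name"].lower()
        image = svc["image_path"].lower()
        if name == SUSPECT_SERVICE:
            findings.append(f"service name {svc['name']} mimics WerSvc")
        if "werfault.exe" in image and "\\system32\\werfault.exe" not in image:
            findings.append(
                f"service {svc['name']} launches WerFault.exe from {svc['image_path']}"
            )
    return findings


def check_files(files: List[str]) -> List[str]:
    """Flag the dropped driver/DLL file name at its documented location."""
    return [f"Snake driver/DLL candidate: {p}"
            for p in files if p.lower().endswith(DRIVER_DLL_SUFFIX)]


def check_registry(registry: Dict[str, List[Tuple[str, bytes]]]) -> List[str]:
    """Flag large values under the key where the encrypted blob is stored."""
    findings = []
    for key, values in registry.items():
        if key.lower() != BLOB_KEY.lower():
            continue
        for name, data in values:
            if len(data) >= BLOB_MIN_SIZE:
                findings.append(
                    f"{key}\\{name} holds {len(data)} bytes (possible encrypted blob)"
                )
    return findings


def hunt(services, files, registry) -> List[str]:
    """Run all three checks and return the combined list of findings."""
    return check_services(services) + check_files(files) + check_registry(registry)


# Constructed sample data (not from a real system): one host showing every
# artifact, plus benign entries that must not be flagged.
SAMPLE_SERVICES = [
    {"name": "WerSvc", "image_path": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},
    {"name": "WerFaultSvc", "image_path": r"C:\Windows\WinSxS\amd64_example-dir\WerFault.exe"},
]
SAMPLE_FILES = [
    r"C:\Windows\System32\WerFault.exe",
    r"C:\Windows\System32\Com\comadmin.dat",
]
SAMPLE_REGISTRY = {
    BLOB_KEY: [("WMP11.AssocFile.WAV", b""), ("x", b"\x9a" * 4096)],
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_REGISTRY):
        print("[!]", finding)
```

In practice the three inputs would be filled from a service enumeration, a file listing and a registry export of the host under review; the checks deliberately operate on collected data so they can also be run against a forensic image rather than only on a live machine.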
Snake utilizes its unique HTTP and raw socket TCP-based protocols for transmitting large volumes of data. These protocols, along with others, allow Snake to use a specific authentication process to differentiate its own data from regular data intended for application software on the compromised server. One of the standout features of Snake is its capability to function effectively as server software without needing to open additional ports on the compromised system. The authentication value specific to each implant is called the “ustart”, and it is stored in the implant’s Queue File. There are several versions of the ustart value, such as “ustart”, “ustart2”, and “ustartl”.
Instead of opening a listening socket on a specific TCP port, the Snake kernel module intercepts the first packet sent from the client to the server following the 3-way handshake in every TCP session. The kernel module then checks whether the contents of that packet match the ustart value for that particular Snake implant. If the values match, the Snake kernel module forwards that packet and all future packets from the same TCP session to Snake’s own processing functionality, leaving the application listening on that port (which is presumably legitimate) unaware of this TCP session. If the values do not match, the Snake kernel module allows the packet — and the rest of the TCP session — to reach the legitimate application, such as web server software.
Every version of the ustart performs authentication by sending a random number (a nonce) along with the result of a mathematical operation on the combination of the nonce and the ustart value itself. The receiving machine extracts the nonce and performs the same calculation to authenticate the sender. The ustart2 and ustartl versions use the Fowler-Noll-Vo (FNV) hash algorithm to generate the overall authentication value from the nonce and the ustart. The process varies slightly between the custom Snake HTTP protocol and the custom Snake TCP protocol.
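The nonce-plus-FNV scheme described above is small enough to work through in code. The following is an added example, not Snake's code or anything from the advisory: the exact message layout and the FNV variant Snake uses are not given on the page, so the layout here (an 8-byte nonce followed by the 8-byte FNV-1a 64-bit hash of nonce || ustart) is an assumption chosen for illustration. The verification function is written from the analyst's side: with a ustart value recovered from a Queue File, it tells whether a captured first packet of a session was addressed to that implant.

```python
"""Nonce + FNV authentication check of the kind described for ustart2/ustartl.

Assumptions (not from the page): FNV-1a 64-bit is the hash variant, and the
message is nonce (8 bytes) || FNV-1a-64(nonce || ustart) (8 bytes, big-endian).
"""
import hmac
import os

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Standard FNV-1a 64-bit hash: xor each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def build_auth_message(nonce: bytes, ustart: bytes) -> bytes:
    """Sender side: emit the nonce followed by the hash of nonce || ustart."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes in this example layout")
    tag = fnv1a_64(nonce + ustart).to_bytes(8, "big")
    return nonce + tag


def verify_auth_message(message: bytes, ustart: bytes) -> bool:
    """Receiver/analyst side: extract the nonce, recompute the tag, compare.

    Given a ustart recovered from a Queue File, this classifies whether a
    captured first packet would have been accepted by that implant."""
    if len(message) != 16:
        return False
    nonce, tag = message[:8], message[8:]
    expected = fnv1a_64(nonce + ustart).to_bytes(8, "big")
    # Constant-time comparison; cheap to do and avoids a timing side channel.
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed demo values; the ustart string is made up for this example.
    ustart = b"example-ustart-value"
    msg = build_auth_message(os.urandom(8), ustart)
    print("accepted with right ustart:", verify_auth_message(msg, ustart))
    print("accepted with wrong ustart:", verify_auth_message(msg, b"other"))
```

Two points worth noting for the defender. First, FNV is a fast non-cryptographic hash and the scheme carries no secret key beyond the ustart itself, so it serves to hide the implant from anyone who does not know the value rather than to provide cryptographic authentication; once a ustart is recovered from one compromised host, the same check can be applied to captured traffic to find sessions aimed at that implant. Second, because the check runs on the first payload packet of a session, network detection has to look at the first client bytes on an otherwise legitimate port, not at which ports are open.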
By utilizing the ustart methodology, a node in the Snake peer-to-peer network can function as a server without needing to open any additional ports or interfere with the legitimate functionality of the compromised server. Snake will only communicate over TCP ports that are already being used by another application. This makes it much more challenging to detect Snake compromises through network traffic monitoring. Inbound traffic to an unexpected TCP port can be detected or blocked using a standard firewall or network intrusion detection functionality. Replacing a legitimate service application with a modified executable can lead to detection at either the host or network level. Snake’s technique bypasses both of these security measures. Furthermore, since Snake traffic appears similar to regular traffic, especially in the case of Snake’s HTTP-based protocols, detecting Snake communications becomes difficult without a detailed understanding of Snake’s custom protocols.
Researcher Xavier Knol also noted that Snake conducts C2 operations in a manner similar to BPFDoor, a Linux backdoor that was described in detail in Sandfly Security's analysis.
Recommendations
The Detection methods section below describes how to search for Snake instances on host machines.
IoCs
At this moment IoCs are not available.
Detection methods
CISA (Cybersecurity and Infrastructure Security Agency) provides a method, written in Python, for searching for Snake instances injected into processes. The code is available at the end of the CISA report.
To hunt for Snake malware, the following YARA rule can be used:
/*
Hunting Russian Intelligence "Snake" Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/
rule Windows_Snake_Malware {
    meta:
        author = "Matt Suiche (Magnet Forensics)"
        description = "Hunting Russian Intelligence Snake Malware"
        creation_date = "2023-05-10"
        threat_name = "Windows.Malware.Snake"
        reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
        severity = 100
        scan_context = "memory"
        license = "MIT"
        os = "windows"
    /* The original search only queries these bytes in PAGE_EXECUTE_WRITECOPY VADs */
    strings:
        $a = { 25 73 23 31 }   // "%s#1"
        $b = { 25 73 23 32 }   // "%s#2"
        $c = { 25 73 23 33 }   // "%s#3"
        $d = { 25 73 23 34 }   // "%s#4"
        $e = { 2e 74 6d 70 }   // ".tmp"
        $f = { 2e 74 6d 70 }   // ".tmp"
        $g = { 2e 73 61 76 }   // ".sav"
        $h = { 2e 75 70 64 }   // ".upd"
    condition:
        all of them
}
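To make the rule's hex strings readable and to show what "all of them" requires, here is a Python re-implementation of its matching logic. This is an added example, not part of the original rule or of CISA's tooling, and it is meant for understanding and quick experiments on a dumped buffer; real hunting should run the rule itself with YARA against process memory, as the scan_context of the rule indicates. The sample buffers are constructed for the example and contain no real Snake data.

```python
"""Python equivalent of the Windows_Snake_Malware YARA rule's matching logic.

Hex strings are copied verbatim from the rule; the condition "all of them"
means every pattern must appear somewhere in the scanned buffer.
"""
from typing import Dict, List

RULE_STRINGS: Dict[str, str] = {
    "$a": "25 73 23 31",
    "$b": "25 73 23 32",
    "$c": "25 73 23 33",
    "$d": "25 73 23 34",
    "$e": "2e 74 6d 70",
    "$f": "2e 74 6d 70",
    "$g": "2e 73 61 76",
    "$h": "2e 75 70 64",
}


def decode_patterns(strings: Dict[str, str] = RULE_STRINGS) -> Dict[str, bytes]:
    """Turn each YARA hex string into the raw bytes it matches."""
    return {name: bytes.fromhex(hexs) for name, hexs in strings.items()}


def readable_patterns() -> Dict[str, str]:
    """The same patterns as ASCII, e.g. "%s#1" and ".tmp"."""
    return {name: pat.decode("ascii") for name, pat in decode_patterns().items()}


def match_all(buf: bytes, strings: Dict[str, str] = RULE_STRINGS) -> bool:
    """'condition: all of them' over a single buffer (e.g. one memory region)."""
    return all(pat in buf for pat in decode_patterns(strings).values())


def missing_patterns(buf: bytes) -> List[str]:
    """Which named strings a buffer lacks; useful when a near-miss needs explaining."""
    return sorted(name for name, pat in decode_patterns().items() if pat not in buf)


# Constructed buffers (not real malware memory).
SAMPLE_HIT = (
    b"\x00" * 16
    + b"%s#1\x00%s#2\x00%s#3\x00%s#4\x00"
    + b"junk.tmp\x00.sav\x00.upd\x00"
)
SAMPLE_MISS = b"%s#1 %s#2 %s#3 .tmp .sav .upd"   # no "%s#4"

if __name__ == "__main__":
    print(readable_patterns())
    print("hit buffer matches:", match_all(SAMPLE_HIT))
    print("miss buffer lacks:", missing_patterns(SAMPLE_MISS))
```

Decoding the patterns shows the rule is looking for four format strings ("%s#1" to "%s#4") and three file-extension fragments (".tmp", ".sav", ".upd"); since $e and $f carry the same bytes, there are seven distinct patterns in practice. Four-byte strings like these are common enough that the rule's restriction to memory scans (and, in the original search, to PAGE_EXECUTE_WRITECOPY regions) matters for keeping false positives down.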
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
- https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/
- https://twitter.com/FBI/status/1656013193561493504
- https://twitter.com/NSACyber/status/1655955816136990721
- https://gist.github.com/msuiche/8c8fd278430dda0292b4cfdfc549ca2d
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
Glossary of terms
| Term | Meaning |
| --- | --- |
| AES | Advanced Encryption Standard |
| DLL | Dynamic-Link Library |
| EXE | File extension for Windows executables |
| JPEG | Joint Photographic Experts Group image compression format |
| HKLM | Registry hive HKEY_LOCAL_MACHINE |
| TLP | Traffic Light Protocol |
| YARA | Pattern-matching tool used for detecting and hunting malware |
| HTTP | Hypertext Transfer Protocol |
| TCP | Transmission Control Protocol |
| IoC | Indicator of Compromise |
| C2 | Command and Control server |