Cybercriminals flock to use the Snake password stealing Trojan, making it one of the most widely used malware families in attacks.
Snake has been active since November 2020 and is a different project from the ransomware operation that used the same name in the past.
Snake is written in .NET and uses the same staging mechanism as FormBook and Agent Tesla; Cybereason researchers take a look at how the growing threat works.
Wide range of malicious features
Cybercriminals are currently selling Snake on dark web forums for as little as $25, which could explain why we are seeing an increase in its deployment.
Mainly deployed in phishing campaigns, Snake installs itself via malicious attachments or via drop sites reached by clicking on links in emails.
When installed on a computer, Snake is capable of stealing credentials from over 50 applications, including email clients, web browsers, and instant messaging platforms.
Some of the more popular programs targeted by Snake include:
- Thunderbird
- Brave Browser
Snake also offers keystroke logging, clipboard data theft capabilities and can even capture screenshots of the entire screen, which are then uploaded to the threat author.
Other features include theft of operating system details, memory information, geolocation, date and time, IP addresses, and more.
Previous HP analysis has shown that malicious actors can use geolocation data to restrict installation based on the victim’s country.
Overall, it is a versatile information stealer for its cost and has managed to evade security solutions.
To avoid detection, Snake disables antivirus defenses by killing associated processes and goes so far as to disable network traffic scanners such as Wireshark.
Snake then adds itself to Windows Defender's exclusion list, allowing it to run malicious PowerShell commands undetected.
To establish persistence, Snake adds a scheduled task and modifies a registry key so that it runs whenever a user logs into Windows.
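As an added example that is not part of the Cybereason report, the following Python checks constructed Sysmon-style process-creation command lines for the evasion and persistence behaviours described above (Defender exclusion, killing security tools, a logon scheduled task, a Run key) and flags a host only when both evasion and persistence are seen; the rule patterns and sample events are assumptions made for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": 'powershell -nop -c "Add-MpPreference -ExclusionPath C:\\Users\\v\\AppData\\Roaming"'},
    {"pid": 4133, "cmdline": "taskkill /F /IM wireshark.exe"},
    {"pid": 4140, "cmdline": 'schtasks /create /sc onlogon /tn "Updater" /tr C:\\Users\\v\\AppData\\Roaming\\svc.exe'},
    {"pid": 4151, "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\Users\\v\\AppData\\Roaming\\svc.exe"},
    {"pid": 4160, "cmdline": "explorer.exe"},
]

# Each rule maps one behaviour from the article to an assumed command-line pattern.
# The process list in security_tool_kill is a short constructed sample, not a full list.
RULES = {
    "defender_exclusion": re.compile(r"add-mppreference\s+-exclusion(path|process|extension)", re.I),
    "security_tool_kill": re.compile(r"taskkill\b.*/im\s+(wireshark|msmpeng)\.exe", re.I),
    "logon_scheduled_task": re.compile(r"schtasks\b.*/create\b.*/sc\s+onlogon", re.I),
    "run_key_persistence": re.compile(r"reg\s+add\b.*\\currentversion\\run\b", re.I),
}


def match_event(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, pat in RULES.items() if pat.search(event["cmdline"])]


def assess(events):
    """Collect hits across events; flag the host when evasion and persistence both appear."""
    hits = [(ev["pid"], name) for ev in events for name in match_event(ev)]
    techniques = {name for _, name in hits}
    evasion = {"defender_exclusion", "security_tool_kill"} & techniques
    persistence = {"logon_scheduled_task", "run_key_persistence"} & techniques
    return {"hits": hits, "techniques": techniques, "suspicious": bool(evasion and persistence)}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for pid, name in result["hits"]:
        print(f"pid {pid}: {name}")
    print("host flagged:", result["suspicious"])
```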
It should also be noted that Snake lets its operators choose which features to activate in the malware during the packaging stage.
This personalization allows them to remain hidden by reducing the use of features in targeted attacks.
Finally, for data exfiltration, Snake uses either a connection to an FTP or SMTP server or an HTTPS POST to a Telegram endpoint.