Snake Malware Used in Multiple Campaigns
The Malware Is Sold on Dark Web Forums for $25.
The Snake password-stealing trojan that has been functioning since November 2020 is becoming increasingly prevalent among cybercriminals, becoming one of the most often exploited malware families in cyberattacks.
A Look Into Snake Malware
Snake malware is being sold on dark web forums for as little as $25, which might explain the increase observed in its use. The Snake malware is mostly used in phishing efforts when it is installed via malicious email attachments or by drop sites accessed by clicking on email links.
The Snake malware is an information-stealing malware that is implemented in the .NET programming language. We suspect that the malware authors themselves named the malware Snake, since the malware’s name is present in the data that Snake exfiltrates from compromised systems. Malicious actors distribute Snake as attachments to phishing emails with various themes, such as payment requests.
The attachments are typically archive files with file name extensions such as img, zip, tar, and rar, and store a .NET executable that implements the Snake malware.
Snake can steal credentials from over 50 programs, including email clients, web browsers, and instant messaging services, when installed on a PC.
As reported by BleepingComputer, some of the more popular programs targeted by Snake include Discord, Pidgin, FileZilla, Thunderbird, Outlook, Brave browser, Chrome, Edge, Firefox, Opera, Vivaldi, and Yandex.
What makes Snake interesting are specific features like keystroke logging, clipboard data theft capabilities, and the ability to capture screenshots of the entire screen, that will be eventually be uploaded back to the threat actor.
Theft of OS data, memory space information, geolocation, date-time information, IP addresses, and more are among the other characteristics.
How Does Snake Malware Work?
Snake defeats antivirus protections by eliminating linked programs and even network traffic analyzers like Wireshark to escape detection.
Snake then adds itself to the Windows Defender exclusion list, allowing it to execute dangerous PowerShell instructions undetected.
To ensure persistence, Snake creates a scheduled job and modifies a registry entry to run when a user signs in to Windows.
Finally, Snake provides its operators the option of selecting whatever characteristics they want to activate on the virus during the packaging step.
By minimizing the use of features in targeted assaults, this tweak helps them to remain undetected, and when it comes to data exfiltration, Snake uses either an FTP or SMTP server connection or an HTTPS POST on a Telegram endpoint.