Analytics Story: Snake Malware

Date: 2023-05-10 ID: 032bacbb-f90d-43aa-bbcc-d87f169a29c8 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.

Why it matters

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Created Within Public Path Create or Modify System Process, Windows Service TTP
Windows Snake Malware File Modification Crmlog Obfuscated Files or Information TTP
Windows Snake Malware Kernel Driver Comadmin Kernel Modules and Extensions TTP
Windows Snake Malware Registry Modification wav OpenWithProgIds Modify Registry TTP
Windows Snake Malware Service Create Kernel Modules and Extensions, Service Execution TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1