# THREAT ANALYSIS REPORT: Snake Infostealer Malware

cybereason.com/blog/threat-analysis-report-snake-infostealer-malware

Written By Cybereason Global SOC Team, October 28, 2021 | 16 minute read

The Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

In this Threat Analysis report, the GSOC investigates Snake, a feature-rich information-stealing malware. This report provides an overview of the key information-stealing features of the Snake malware and discusses similarities that we discovered between the staging mechanisms of Snake samples and those of two common information-stealing malware programs, FormBook and Agent Tesla.

## Key Findings

**Serious threat to privacy and security:** Snake is a feature-rich information-stealing malware. Snake has keystroke logging as well as clipboard data, screenshot, and credential theft capabilities. Snake can steal credentials from over 50 applications, which include File Transfer Protocol (FTP) clients, email clients, communication platforms, and web browsers. Snake can exfiltrate stolen data through a variety of protocols, such as FTP, Simple Mail Transfer Protocol (SMTP), and Telegram.

**No industry or geographical preferences:** Snake has been present in the threat landscape since November 2020 and has been a constant threat to users’ privacy and security since then. The Cybereason GSOC observed a spike in infections using the Snake malware in late August 2021, with no specific trend in the industry or the geographical locations of the targeted victims.
**Detected and prevented:** The [Cybereason Defense Platform effectively detects and prevents the Snake malware.](https://www.cybereason.com/platform)

**Cybereason Managed Detection and Response (MDR):** The Cybereason GSOC has zero tolerance towards attacks that involve information-stealing malware, such as Snake, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to scope the extent of compromise and the impact on the customer’s environment. In addition, the report provides attribution information when possible, as well as recommendations for mitigating and isolating the threat.

## Introduction

The Snake malware is an information-stealing malware implemented in the .NET programming language. We suspect that the malware authors themselves named the malware Snake, since the malware’s name is present in the data that Snake exfiltrates from compromised systems.

Malicious actors distribute Snake as attachments to phishing emails with various themes, such as payment requests. The attachments are typically archive files with file name extensions such as img, zip, tar, and rar, and store a .NET executable that implements the Snake malware. Users have to first decompress and then start the .NET executable to infect their systems. The executable stages the information-stealing features of the Snake malware on compromised systems and establishes persistence.

_The data that the Snake malware exfiltrates contains the malware’s name_

[Snake first appeared on the threat landscape in late November 2020.](https://blog.checkpoint.com/2021/08/12/july-2021s-most-wanted-malware-snake-keylogger-enters-top-10-for-first-time/) The malware is currently available for purchase in the underground scene for a price range between US $25 and $500.
Malicious actors have been distributing Snake continuously through phishing campaigns since November 2020. The Cybereason GSOC observed a spike in infections using the Snake malware in late August 2021, with no specific trend in the industry or the geographical locations of the targeted victims.

Snake is a feature-rich malware and poses a significant threat to users’ privacy and security. Snake has keystroke logging as well as clipboard data, screenshot, and credential theft capabilities. We observed that Snake can steal credentials from over 50 applications, which include FTP clients, mail clients, communication platforms, and web browsers. Snake supports data exfiltration through a variety of protocols, such as FTP, SMTP, and Telegram.

[Researchers have identified many similarities between the code of the information-stealing features of Snake and the code of the Matiex malware.](https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/) Although the source code of Matiex has been available for purchase in the underground scene only since February 2021, the information-stealing features of Snake samples that date earlier than February 2021 already have code that is very similar to Matiex code.

In this report, we show that in addition to the information-stealing features of Snake, the staging mechanism of Snake samples is almost identical to that of two common information-stealing malware programs, FormBook and Agent Tesla.

## Analysis

### The Snake Staging Mechanism

Malicious actors distribute the Snake malware as attachments in phishing emails. These attachments are typically archive files that store a .NET Windows executable, which stages the information-stealing features of Snake on compromised systems and establishes persistence.
In this report, we focus on a Snake sample with the SHA-1 hash 392597dabf489b682dd10c20d2d84abc3b49abaa and the file name SeptemberOrderlist.pdf.exe.

_Phishing emails that distribute the Snake malware_

When a user runs the decompressed .NET Snake executable, SeptemberOrderlist.pdf.exe, the executable unpacks (i.e., decodes and decrypts) a base64-encoded and encrypted .NET assembly. The Snake executable stores the encoded and encrypted code of this assembly in a string variable. SeptemberOrderlist.pdf.exe decrypts the code of the .NET assembly with a symmetric key using the Triple Data Encryption Standard (Triple DES) algorithm. The name of the decrypted .NET assembly is representative. SeptemberOrderlist.pdf.exe then loads and executes the representative assembly by instantiating a Panamera.Porsche object that the assembly implements.

_Snake decrypts the .NET assembly representative using the Triple DES encryption algorithm_

One of the functionalities of the representative assembly is decoding and loading an image resource of SeptemberOrderlist.pdf.exe called TaskWrapperAsyncResu. To evade sandbox analysis engines, the representative assembly decodes TaskWrapperAsyncResu only after a random sleep of 38–47 seconds. The decoded TaskWrapperAsyncResu image resource is another .NET assembly named CF_Secretaria.

_The representative assembly decodes and loads the CF_Secretaria assembly_

_The CF_Secretaria assembly is encoded as an image resource_

Among other activities, the CF_Secretaria assembly establishes persistence of the Snake malware on the compromised system as follows:

- CF_Secretaria copies the Snake executable, SeptemberOrderlist.pdf.exe, into the user’s AppData folder under a random name, such as C:\Users\User\AppData\Roaming\vxhnIvyvbHAK.exe. The name vxhnIvyvbHAK may differ for different samples of the Snake malware.
- CF_Secretaria creates an Extensible Markup Language (XML)-formatted scheduled task configuration file with the file name extension .tmp in the user’s temporary folder, such as C:\Users\User\AppData\Local\Temp\tmp55AB.tmp.
- CF_Secretaria creates a scheduled task named, for example, Updates\vxhnIvyvbHAK. To create this scheduled task, CF_Secretaria issues the following command:

  `C:\Windows\System32\schtasks.exe /Create /TN Updates\vxhnIvyvbHAK /XML C:\Users\User\AppData\Local\Temp\tmp55AB.tmp`

The scheduled task executes the C:\Users\User\AppData\Roaming\vxhnIvyvbHAK.exe executable, that is, the Snake malware, at user logon.

_CF_Secretaria creates an XML-formatted scheduled task configuration file_

The staging process results in the execution of another instance of SeptemberOrderlist.pdf.exe. This instance of SeptemberOrderlist.pdf.exe maps into its own process context and executes the final payload, an obfuscated .NET assembly that implements the information-stealing features of Snake, which we discuss in the section The Features of Snake below.

### Snake Meets FormBook and Agent Tesla

The staging mechanisms of recent samples of the FormBook and Agent Tesla malware are almost identical to those of Snake samples. FormBook has extensive information-stealing capabilities, such as keystroke logging, credential theft, and screenshot theft. The FormBook malware has been available for sale in the underground scene since early 2016, as a one-time purchase or as malware-as-a-service following a subscription model. Agent Tesla is a common remote access tool (RAT) and information-stealing malware, first discovered in late 2014. Agent Tesla is also available for sale in the underground scene.
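Because the three families share this staging mechanism, a hunt for the persistence artifact it leaves behind covers all of them. The following script is an added example written for this report page, not code from Cybereason or from the malware: it parses a Task Scheduler XML definition of the kind CF_Secretaria writes to the user’s Temp folder and registers with `schtasks /XML`, and flags a logon-triggered task whose action launches an executable under the user’s AppData folder. It also picks the task name and XML path out of the `schtasks` command line. The XML text, the benign comparison task, and the command line below are constructed for this example.

```python
# Added example (not from the Cybereason report): hunt for the scheduled-task
# persistence artifact described above. The task XML, the benign task and the
# schtasks command line are constructed for this example.
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executable launched from a per-user profile directory, e.g. AppData\Roaming
USER_PROFILE_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.IGNORECASE)

# schtasks invocation that registers a task from a .tmp file in the user's Temp folder
SCHTASKS_XML_FROM_TEMP = re.compile(
    r"schtasks(\.exe)?\s+/create\b.*?/tn\s+(?P<task>\S+).*?/xml\s+(?P<xml>\S*\\temp\\\S+\.tmp)",
    re.IGNORECASE)

# Constructed task definition mirroring the one the report describes
SNAKE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\User\AppData\Roaming\vxhnIvyvbHAK.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: a vendor updater on a daily schedule from Program Files
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2021-09-09T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""


def analyze_task_xml(xml_text):
    """Return trigger kinds, Exec commands, and whether the Snake pattern is present."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", TASK_NS)
    # Strip the namespace from each trigger element name, e.g. LogonTrigger
    triggers = [] if triggers_el is None else [child.tag.split("}")[-1] for child in triggers_el]
    commands = [c.text.strip() for c in root.findall(".//t:Exec/t:Command", TASK_NS) if c.text]
    runs_at_logon = "LogonTrigger" in triggers
    profile_exes = [c for c in commands if USER_PROFILE_EXE.search(c)]
    return {
        "triggers": triggers,
        "commands": commands,
        "suspicious": runs_at_logon and bool(profile_exes),
    }


def analyze_schtasks_cmdline(cmdline):
    """Extract task name and XML path when the command line matches the staging pattern."""
    m = SCHTASKS_XML_FROM_TEMP.search(cmdline)
    return None if m is None else {"task": m.group("task"), "xml": m.group("xml")}


if __name__ == "__main__":
    print(analyze_task_xml(SNAKE_TASK_XML))
    print(analyze_task_xml(BENIGN_TASK_XML))
    print(analyze_schtasks_cmdline(
        r"C:\Windows\System32\schtasks.exe /Create /TN Updates\vxhnIvyvbHAK "
        r"/XML C:\Users\User\AppData\Local\Temp\tmp55AB.tmp"))
```

On a live host the same check can be run over the task files under C:\Windows\System32\Tasks, which Task Scheduler keeps in the same XML schema; the .tmp file in the Temp folder is usually gone by the time an analyst looks, while the registered task and the process-creation event for schtasks.exe remain.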
The following table presents example Snake, FormBook, and Agent Tesla samples that have similar staging mechanisms. We now provide a detailed overview of the similarities between the staging mechanisms of the Snake and FormBook samples.

| Malware | SHA-1 Hash | First submission to VirusTotal |
| --- | --- | --- |
| Snake | [392597dabf489b682dd10c20d2d84abc3b49abaa](https://www.virustotal.com/gui/file/132482335f028ceb6094d9c29442faf900d838fb054eebbbf39208bb39ccf5ae) | 2021-09-09 |
| FormBook | [43d8881c9bda6344a352d2744913dda5c64ea843](https://www.virustotal.com/gui/file/8c84e97b71aa8d34be8742cd4b6c0b86abdfb92379b099465eb751b0882efb23) | 2021-08-26 |
| Agent Tesla | [ae2e277a848421b4be46f1c6ccff727b5a07d90c](https://www.virustotal.com/gui/file/d82098335a9c8d105f145c404633541be0dc8e2c4749026cd7b29f6ea8044f44) | 2021-08-26 |

The Snake and FormBook samples unpack the same .NET assembly, representative, from a string variable. The way in which the actors behind Snake and FormBook samples pack the representative assembly in the variable may differ across samples. In addition, both samples load and execute the representative assembly by instantiating a Panamera.Porsche object that the assembly implements.

_The representative assembly loaded by Snake (a) and FormBook (b)_

_Snake (a) and FormBook (b) instantiate a Panamera.Porsche object_

The representative assemblies unpacked by the Snake and FormBook samples decode image resources of the respective samples. The decoded image resources are the same .NET assembly, CF_Secretaria, which the representative assemblies load after decoding.

_The CF_Secretaria assembly loaded by Snake (a) and FormBook (b)_

The staging mechanisms of the Snake and FormBook samples diverge significantly only at the point of deployment of the final payloads, that is, the information-stealing features of Snake and FormBook.
The final payload of the Snake sample is a .NET assembly that runs in the context of a separate instance of the sample, while the final payload of the FormBook sample is a native Windows executable. The FormBook sample injects its final payload into legitimate Windows processes, such as explorer.exe and wlanext.exe. Previous research documents the deployment of the final payload of the FormBook sample in greater detail.

_Process tree: The deployment of the final payload of the Snake sample (a) and the FormBook sample (b)_

The fact that the staging mechanisms of Snake and other common information-stealing malware, such as FormBook and Agent Tesla, are almost identical indicates that the actors behind the Snake sample that we analyzed may have purchased or otherwise obtained the staging mechanism from other actors on the malware marketplace. Alternatively, the same actors might distribute the Snake, FormBook, and Agent Tesla samples that share the staging mechanism. [Combined with the strong indications that the staged information-stealing features of the Snake malware are themselves based on the Matiex malware](https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/), the former scenario shows how easy it is for malware developers to create new malware through code reuse. Although this report focuses on samples of the Snake, FormBook, and Agent Tesla malware, other malware could use the same staging mechanism as the samples that we analyzed.

## The Features of Snake

This section provides an overview of the key information-stealing features of the Snake sample that we analyzed, SeptemberOrderlist.pdf.exe. We emphasize that different Snake samples do not use all implemented features. [Previous research indicates that malicious actors build Snake samples by using a builder tool](https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/) that integrates all Snake features in built samples, but enables only the features selected by the actors.
For persistence, in addition to creating a scheduled task through its staging mechanism, Snake can also add a value to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to execute itself at user logon.

To avoid detection, Snake can disable solutions that may detect the malware’s operation by killing their processes, such as the avastui process of the Avast antivirus and the wireshark process of the Wireshark network traffic analyzer. In addition, Snake can add itself to the exclusion list of Windows Defender by executing the PowerShell command powershell.exe Add-MpPreference -ExclusionPath and specifying the path to the Snake executable. The list below contains the names of the processes that Snake stops:

zlclient, egui, bdagent, npfmsg, olydbg, anubis, wireshark, avastui, Avp32, vsmon, mbam, keyscrambler, Icload95, Icloadnt, Icmon, Icsupp95, Icsuppnt, Iface, Iomon98, Jedi, Lockdown2000, Lookout, Luall, MCAFEE, Vsecomr, Vshwin32, Vsstat, Webscanx, WEBTRAP, Wfindv32, Zonealarm, LOCKDOWN2000, RESCUE32, LUCOMSERVER, avgcc, Avpm, Ackwin32, Outpost, Anti-Trojan, ANTIVIR, Apvxdwin, ATRACK, Autodown, Avconsol, Ave32, Avgctrl, Avkserv, Avnt, Avp, Avp32, Avpcc, Avpdos32, Avpm, Avptc32, Avpupd, Avsched32, AVSYNMGR, Avwin95, Avwupd32, Blackd, Blackice, Cfiadmin, Cfiaudit, Cfinet, Cfinet32, Claw95, Claw95cf, Cleaner, Cleaner3, Defwatch, Dvp95, Dvp95_0, Ecengine, Esafe, Espwatch, F Agnt95, Mpftray, N32scanw, NAVAPSVC, NAVAPW32, NAVLU32, Navnt, NAVRUNR, Navw32, Navwnt, NeoWatch, NISSERV, Nisum, Nmain, Normist, NORTON, Nupgrade, Nvc95, Outpost, Padmin, Pavcl, Pavsched, Pavw, PCCIOMON, PCCMAIN, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, PVIEW95, Rav7, Rav7win, Rescue, Safeweb, Scan32, Scan95, Scanpm, Scrscan, Serv95, Smc, SMCSERVICE, Snort, avgupsvc, avgw, avgcc32, avgserv, avgserv9, avgserv9schedapp, avgemc, ashwebsv, ashdisp, ashmaisv, ashserv, aswUpdSv, symwsc, norton, Norton Auto-Protect, norton_av, nortonav, ccsetmgr, ccevtmgr, avadmin, avcenter, avgnt, avguard, avnotify, avscan, guardgui, nod32krn, nod32kui,
clamscan, clamTray, clamWin, freshclam, oladdin, sigtool, w9xpopen, Wclose, cmgrdian, alogserv, mcshield, vshwin32, avconsol, Fprot, F-Prot, F-Prot95, Fp-Win, Frw, F-Stopw, Iamapp, Iamserv, Ibmasn, Ibmavsp, Sweep95, SYMPROXYSVC, Tbscan, Tca, Tds2-98, Tds2-Nt, TermiNET, Vet95, Vettray, Vscan40, avsynmgr, avcmd, avconfig, licmgr, sched, preupd, MsMpEng, MSASCui, Avira.Systray

_The names of the processes that the Snake malware kills_

_The Snake malware kills processes_

Snake has a self-deletion feature: the malware deletes itself using the del command after a timeout of three seconds once Snake has started the self-deletion process.

_The Snake malware can delete itself_

Snake can gather the following types of information about the compromised environment in which the malware runs:

- Operating system and hardware information: Snake obtains the operating system name and version, the amount of hard disk and physical memory, and the machine name.
- Geolocation and date-time information: Snake issues requests to the web services checkip.dyndns.org and freegeoip.app to discover the public IP address of the system on which Snake runs and the system’s geolocation based on that IP address.

[Previous research states that the Snake malware uses the above information to decide whether to fully execute on a compromised system.](https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/) The Snake sample that we analyzed does not do this, but only exfiltrates the geolocation and date/time information among other stolen data.

_The Snake malware gathers operating system, hardware, geolocation, and date-time information_

Snake has many information-stealing features and poses a significant threat to users’ privacy and security.
The figure below depicts a systematization of the information-stealing features of the Snake malware.

_A systematization of the information-stealing features of Snake_

### Keystroke Logging

The Snake malware uses the [SetWindowsHookExA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa) and [CallNextHookEx](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callnexthookex) functions to capture key press events. Snake logs the key when a user presses a system key, that is, the F10 key or a key pressed while the ALT key is held down, and also when a user presses a non-system key, that is, a key pressed without the ALT key. Snake stores logged keystrokes in a variable.

_The Snake malware logs keystrokes_

### Clipboard Data Theft

Snake invokes the [IsClipboardFormatAvailable](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-isclipboardformatavailable) function to determine whether clipboard data in Unicode text format (Microsoft Standard Clipboard Format CF_UNICODETEXT) is available. Snake then invokes the [OpenClipboard](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-openclipboard) function to open and lock the clipboard, followed by the [GetClipboardData](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getclipboarddata) function to retrieve the data in Unicode text format. In addition, the Snake malware uses the [ClipboardProxy.GetText](https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualbasic.myservices.clipboardproxy.gettext?view=windowsdesktop-5.0) function to retrieve clipboard data in American National Standards Institute (ANSI) or Unicode text format.
Snake stores clipboard data in a variable.

_The Snake malware retrieves clipboard data_

### Screenshot Theft

The Snake malware uses the [Graphics.CopyFromScreen](https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=windowsdesktop-5.0) function to take a screenshot of the entire screen. Snake stores the screenshot in the %MyDocuments%\SnakeKeylogger\Screenshot.png file and creates the %MyDocuments%\SnakeKeylogger directory if it does not exist. After taking a screenshot, Snake first exfiltrates the Screenshot.png file, as we describe in the Data Exfiltration section, and then deletes the file.

_The Snake malware takes and stores screenshots_

### Credential Theft

Snake can steal saved credentials from the credential databases of communication platforms, FTP clients, email clients, and web browsers. The table below lists the applications (column ‘Application’) from which Snake can steal saved credentials and the locations of the applications’ credential databases (column ‘Credential database’) that Snake accesses to retrieve credentials. The sample of the Snake malware that we analyzed can steal credentials from 59 applications, of which 52 are web browsers.
In the table below:

- %AppData% and %LocalAppData% are Windows environment variables that resolve to file system paths, such as C:\Users\user\AppData\Roaming and C:\Users\user\AppData\Local
- %FoxmailInstallation% refers to the installation directory of the Foxmail email client, such as C:\Program Files\Foxmail 7.2
- $email refers to a configured email address, such as test@domain.com

| Application | Credential database |
| --- | --- |
| **Communication platforms** | |
| Discord | %AppData%\disco |
| Pidgin | %AppData%\.purp |
| **FTP clients** | |
| FileZilla | %AppData%\FileZ |
| **Mail clients** | |
| Foxmail | $FoxmailInstallatio |
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\[Email\IMAP Password\POP3 Password\HTTP Password\SMTP Password]; HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\[Email\IMAP Password\POP3 Password\HTTP Password\SMTP Password]; HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\[Email\IMAP Password\POP3 Password\HTTP Password\SMTP Password] |
| PostBox | %AppData%\Post |
| Thunderbird | %AppData%\Thun |
| **Web browsers** | |
| 360 Browser | %LocalAppData% |
| 360Chrome | %LocalAppData% |
| 7 Star | %LocalAppData% |
| Amigo | %LocalAppData% |
| Avast Secure Browser | %LocalAppData% |
| BlackHawk | %LocalAppData% |
| Blisk | %LocalAppData% |
| Brave | %LocalAppData% |
| CentBrowser | %LocalAppData% |
| Chedot | %LocalAppData% |
| Chrome | %LocalAppData% |
| Chrome Canary | %LocalAppData% |
| ChromePlus | %LocalAppData% |
| Chromium | %LocalAppData% |
| Citrio | %LocalAppData% |
| Coc Coc | %LocalAppData% |
| Comodo Dragon | %LocalAppData% |
| Coowon | %LocalAppData% |
| Cyberfox | %AppData%\8pec |
| Edge | %LocalAppData% |
| Elements | %LocalAppData% |
| Epic | %LocalAppData% |
| Firefox | %AppData%\Mozi |
| Ghost Browser | %LocalAppData% |
| IceCat | %AppData%\Mozi |
| IceDragon | %AppData%\Com |
| Iridium | %LocalAppData% |
| Kinza | %LocalAppData% |
| Kometa | %LocalAppData% |
| Liebao | %LocalAppData% |
| Nichrome | %LocalAppData% |
| Opera | %AppData%\Oper |
| Opera | %AppData%\Oper |
| Orbitum | %LocalAppData% |
| Pale Moon | %AppData%\Moo |
| QIP Surf | %LocalAppData% |
| QQBrowser | %LocalAppData% |
| SalamWeb | %LocalAppData% |
| SeaMonkey | %AppData%\Mozi |
| Sleipnir | %AppData%\Fenr |
| SlimBrowser | %AppData%\Flash |
| Slimjet | %LocalAppData% |
| Sputnik | %LocalAppData% |
| SuperBird | %LocalAppData% |
| Torch | %LocalAppData% |
| UC Browser | %LocalAppData% |
| Uran | %LocalAppData% |
| Vivaldi | %LocalAppData% |
| Waterfox | %AppData%\Wate |
| Xpom | %LocalAppData% |
| Xvast | %LocalAppData% |
| Yandex | %LocalAppData% |

_Applications and their credential databases from which Snake can steal credentials_

In addition to communication platforms, FTP clients, email clients, and web browsers, Snake can steal the saved credentials of wireless networks. To do this, Snake first invokes the netsh wlan show profile command to list the existing wireless network profiles and retrieves the profile names from the command output. Wireless network profiles are sets of network settings that include saved credentials. Snake then invokes the netsh wlan show profile name="%name%" key=clear command for each profile, where %name% is the profile name, and retrieves from the command output the saved password, which the command prints in clear text.

The Snake malware can also steal the Product Key of the Windows instance on which it runs. To do this, Snake retrieves and decodes the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductID.

The credential databases of the communication platforms, FTP clients, email clients, and web browsers that Snake targets typically store credentials in encrypted form. Snake decrypts the credentials, stores the decrypted credentials in a variable, and exfiltrates them as we describe in the Data Exfiltration section.
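Two of the behaviours described so far leave process-creation events that are easy to alert on: the Windows Defender exclusion added with `Add-MpPreference -ExclusionPath` (see the defense evasion discussion above) and the per-profile `netsh wlan show profile ... key=clear` call that prints saved Wi-Fi passwords. The script below is an added example written for this page, not Cybereason tooling and not code from the malware. It evaluates both patterns over constructed process-creation events shaped like Sysmon Event ID 1 fields; the event field names, PIDs, parent images and command lines are assumptions made for this example.

```python
# Added example (not from the Cybereason report): command-line detection for
# the Defender exclusion and the netsh key=clear profile dump. Event fields,
# PIDs and command lines below are constructed for this example.
import re

RULES = {
    # Defender exclusion for a path: Snake excludes its own executable
    "defense_evasion_defender_exclusion": re.compile(
        r"add-mppreference\b.*?-exclusionpath\s+(?P<target>\"[^\"]+\"|\S+)", re.IGNORECASE),
    # Per-profile dump that prints the saved WLAN key in clear text
    "credential_access_wlan_key_clear": re.compile(
        r"netsh\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", re.IGNORECASE),
}

# An exclusion pointing into a user profile is more suspicious than one for an install dir
USER_PROFILE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"

SAMPLE_EVENTS = [  # constructed
    {"pid": 4188, "parent_image": r"C:\Users\User\SeptemberOrderlist.pdf.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\User\AppData\Roaming\vxhnIvyvbHAK.exe"'},
    {"pid": 4210, "parent_image": r"C:\Users\User\SeptemberOrderlist.pdf.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh wlan show profile name="CorpWiFi" key=clear'},
    {"pid": 4300, "parent_image": r"C:\Users\User\SeptemberOrderlist.pdf.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh wlan show profile"},           # enumerates profile names only
    {"pid": 4400, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\Agent"'},
]


def evaluate(event):
    """Return (rule, severity, detail) for each rule the event's command line matches."""
    findings = []
    for name, rx in RULES.items():
        m = rx.search(event["cmdline"])
        if not m:
            continue
        severity, detail = "medium", ""
        if name == "defense_evasion_defender_exclusion":
            detail = m.group("target").strip('"')
            # Excluding something under AppData is the Snake pattern; raise severity
            if USER_PROFILE_PATH.search(detail):
                severity = "high"
        elif name == "credential_access_wlan_key_clear":
            severity = "high"
        # A parent outside the Windows directory (here the phishing attachment) adds context
        if not event["parent_image"].lower().startswith(WINDOWS_DIR):
            detail = (detail + " parent=" + event["parent_image"]).strip()
        findings.append((name, severity, detail))
    return findings


def scan(events):
    """Flatten findings as (pid, rule, severity, detail) tuples in event order."""
    return [(ev["pid"], *f) for ev in events for f in evaluate(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The plain `netsh wlan show profile` enumeration is deliberately not alerted on, since administrators and support tooling run it routinely; the `key=clear` variant is the step that exposes the password, and that is where the signal lies.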
Most of the web browsers from which Snake steals credentials store credentials either in Login Data files (primarily used by Chromium-based browsers) or in logins.json files (primarily used by Gecko-based browsers).

Login Data files are SQLite databases. These databases have a logins table that stores the credential-protected Uniform Resource Locators (URLs) in the origin_url field, and the saved usernames and passwords for the URLs in the username_value and password_value fields, respectively. The passwords are encrypted. Recent versions of Chromium-based browsers encrypt saved passwords with a symmetric Advanced Encryption Standard (AES)-256 key. The browsers store the AES key in encrypted form on the file system, in a Local State file placed in the %LocalAppData% directory, for example, %LocalAppData%\Google\Chrome\User Data\Local State. Browsers encrypt the AES key using the Microsoft Data Protection Application Programming Interface (DPAPI), which supports two data protection (encryption) scopes: i) user, which encrypts data with a user-specific key such that only that logged-in user can decrypt the data, and ii) machine, which encrypts data with a machine-specific key such that any user logged in to that machine can decrypt the data.
Older versions of Chromium-based browsers do not use AES to encrypt saved passwords, but encrypt saved passwords directly using DPAPI in user protection scope. The Snake malware can decrypt passwords that a Chromium-based browser has encrypted either directly using DPAPI or with an AES key.

_Snake decrypts passwords by using the user protection scope and invoking the [CryptUnprotectData](https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata) function_

In the AES case, Snake first decrypts the AES key stored in the Local State file by using DPAPI in user protection scope and invoking the [ProtectedData.Unprotect](https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata.unprotect?view=windowsdesktop-5.0&viewFallbackFrom=net-5.0) function, and then decrypts the saved password with the AES key by invoking the [BCryptDecrypt](https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptdecrypt) function.

_The Snake malware decrypts passwords stored in a Login Data file_

The logins.json files are JavaScript Object Notation (JSON)-formatted files that store encrypted usernames in the encryptedUsername field and encrypted passwords in the encryptedPassword field. Gecko-based browsers encrypt saved usernames and passwords using the Triple DES algorithm. Mozilla’s [Network Security Services (NSS) library](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Introduction_to_Network_Security_Services) implements the PK11SDR_Decrypt function, which decrypts credentials that Gecko-based browsers have encrypted.

_The Snake malware decrypts credentials stored in a logins.json file_

The Snake malware decrypts the credentials that logins.json files store as follows:

1. Snake locates and loads the dynamic-link library (DLL) file that implements the NSS library, nss3.dll, and initializes NSS by invoking the NSS_Init function.
2. When locating nss3.dll, Snake searches multiple locations in the %ProgramFilesX86% and %ProgramFiles% directories.
3. Snake decrypts the encrypted usernames and passwords by invoking the PK11SDR_Decrypt function.
4. Snake shuts down the NSS library by invoking the NSS_Shutdown function.

### Data Exfiltration

Snake can exfiltrate logged keystrokes, stolen credentials, clipboard data, and screenshots using the following protocols:

- FTP: Snake logs in to an attacker-controlled FTP server and issues the STOR command to upload the stolen data to the server. Snake stores the uploaded data on the FTP server in:
  - a file with the file name extension .txt and a name that contains Passwords ID, keystroke Logs ID, or Clipboard Logs ID, when the data is credentials, logged keystrokes,
 or clipboard data, respectively;
  - a file with the file name extension .png and a name that contains Screenshot Logs ID, when the data is a screenshot.
- SMTP: Snake logs in to an attacker-controlled SMTP server, then composes and sends to an attacker-controlled email address an email message whose attachments store the stolen data. The attachments are files:
  - with the file name Clipboard.txt or Keystrokes.txt, when the stolen data is clipboard data or logged keystrokes, respectively;
  - with the file names Passwords.txt and User.txt, when the stolen data is credentials, that is, passwords and usernames, respectively;
  - with the file name Screenshot.png, when the stolen data is a screenshot.
- Telegram over HyperText Transfer Protocol Secure (HTTPS): Snake issues a POST request to the Telegram API endpoint api.telegram.org to send a document to an attacker-controlled Telegram chat. The document contains the stolen data and has the file name Clipboard.txt, Screenshot.png, SnakeKeylogger.txt, or SnakePW.txt, when the data is clipboard data, a screenshot, logged keystrokes, or credentials, respectively.
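The exfiltration channels above, and the public-IP lookups that precede them, are visible at the network edge. The script below is an added example written for this page (not Cybereason detection content and not the malware’s code): it runs three patterns over constructed proxy and FTP log lines, recovers the Telegram bot token from the sendDocument URL, matches the FTP STOR file names the report lists, and flags requests to checkip.dyndns.org and freegeoip.app as weak supporting context. The log format, bot token, addresses and file names are assumptions made for this example.

```python
# Added example (not from the Cybereason report): detection logic for the
# Telegram, FTP and public-IP-lookup traffic described above, run over
# constructed proxy and FTP log lines.
import re

# Telegram Bot API call Snake uses to push a file; the URL path embeds the bot token
TELEGRAM_SEND_DOC = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendDocument", re.IGNORECASE)
# FTP STOR command and the file name Snake uses on the server
FTP_STOR = re.compile(r'\bSTOR\s+(?P<name>[^"\r\n]+)', re.IGNORECASE)
SNAKE_FTP_NAME = re.compile(r"(Passwords|Keystroke Logs|Clipboard Logs|Screenshot Logs) ID\b", re.IGNORECASE)
# Services Snake queries for the victim's public IP and geolocation
IP_LOOKUP = re.compile(r"https?://(?P<host>checkip\.dyndns\.org|freegeoip\.app)\b", re.IGNORECASE)

SAMPLE_LOGS = [  # constructed
    "proxy 2021-09-09T10:01:02Z user=alice method=GET url=http://checkip.dyndns.org/ process=SeptemberOrderlist.pdf.exe",
    "proxy 2021-09-09T10:01:04Z user=alice method=POST url=https://api.telegram.org/bot1234567890:AAExampleToken_abc-XYZ/sendDocument process=SeptemberOrderlist.pdf.exe",
    'ftp 2021-09-09T10:02:10Z src=10.0.0.5 dst=203.0.113.7 cmd="STOR Passwords ID 4F2A.txt"',
    'ftp 2021-09-09T10:02:11Z src=10.0.0.5 dst=203.0.113.7 cmd="STOR Screenshot Logs ID 4F2A.png"',
    'ftp 2021-09-09T10:03:00Z src=10.0.0.9 dst=198.51.100.2 cmd="STOR quarterly-report.pdf"',
    "proxy 2021-09-09T10:05:00Z user=bob method=GET url=https://www.example.com/ process=chrome.exe",
]


def analyze_line(line):
    """Return a finding dict for a log line that matches one of the patterns, else None."""
    m = TELEGRAM_SEND_DOC.search(line)
    if m:
        # The token is the attacker's API credential: keep it for reporting and blocking
        return {"rule": "exfil_telegram_senddocument", "bot_token": m.group("token")}
    m = FTP_STOR.search(line)
    if m and SNAKE_FTP_NAME.search(m.group("name")):
        return {"rule": "exfil_ftp_stor_snake_filename", "file": m.group("name").strip()}
    m = IP_LOOKUP.search(line)
    if m:
        # Weak on its own (legitimate software uses these services); useful as context
        return {"rule": "discovery_public_ip_lookup", "host": m.group("host").lower()}
    return None


def scan(lines):
    """Findings paired with the index of the line that produced them."""
    findings = []
    for i, line in enumerate(lines):
        f = analyze_line(line)
        if f:
            findings.append((i, f))
    return findings


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(idx, finding)
```

Because the bot token sits in the URL path, a TLS-inspecting proxy or the sample’s configuration is where it surfaces; once recovered it identifies the attacker’s bot for reporting to Telegram and lets the responder block the exact exfiltration endpoint rather than the whole api.telegram.org host.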
Snake can exfiltrate logged keystrokes, screenshots, clipboard data, and credentials at a regular time interval.

_The Snake malware exfiltrates stolen credentials through SMTP_

## Cybereason Detects and Prevents Snake Malware

The [Cybereason Defense Platform](https://www.cybereason.com/platform) is able to detect and prevent the execution of the Snake malware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities.

_The Cybereason Defense Platform detects and blocks Snake malware_

## Cybereason GSOC MDR Recommendations

The Cybereason GSOC recommends the following:

- Enable the Anti-Malware feature on the Cybereason NGAV and enable the [Detect and Prevent](https://nest.cybereason.com/documentation/product-documentation/190/anti-malware-settings) modes of this feature.
- Securely handle email messages that originate from external sources. This includes disabling hyperlinks and investigating the content of email messages to identify phishing attempts.
- Use strong passwords, rotate passwords regularly, and use multi-factor authentication where possible.
- Regularly monitor outgoing network traffic for data exfiltration activity.
- Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats. To find out more about threat hunting and Managed Detection and Response with the [Cybereason Defense Platform](https://www.cybereason.com/platform/managed-detection-response-mdr), [contact a Cybereason Defender here](https://www.cybereason.com/services/managed-detection-response-mdr#form).
- For Cybereason customers: More details are available on the [NEST](https://nest.cybereason.com/knowledgebase/3502086), including custom threat hunting queries for detecting this threat.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere.
[Schedule a demo](https://www.cybereason.com/blog/the-cybereason-malop-achieving-operation-centric-security) today to learn how your organization can benefit from an operation-centric approach to security.

## MITRE ATT&CK Techniques

| Tactic | Techniques |
| --- | --- |
| Initial Access | [Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) |
| Execution | User Execution: Malicious File |
| Persistence | Scheduled Task/Job: Scheduled Task; [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001/) |
| Defense Evasion | [Indicator Removal on Host: File Deletion](https://attack.mitre.org/techniques/T1070/004/); [Modify Registry](https://attack.mitre.org/techniques/T1112/); [Impair Defenses: Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/); [Impair Defenses: Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004/) |
| Credential Access | Unsecured Credentials: Credentials in Registry; Unsecured Credentials: Credentials In Files |
| Discovery | [File and Directory Discovery](https://attack.mitre.org/techniques/T1083/); [System Information Discovery](https://attack.mitre.org/techniques/T1082/); [System Location Discovery](https://attack.mitre.org/techniques/T1614/); System Network Configuration Discovery; System Time Discovery |
| Collection | Clipboard Data; [Data from Local System](https://attack.mitre.org/techniques/T1005/); [Input Capture: Keylogging](https://attack.mitre.org/techniques/T1056/001/); Screen Capture |
| Exfiltration | Automated Exfiltration; Exfiltration Over Alternative Protocol; Scheduled Transfer |

## About the Researchers

**Aleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC**

Aleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security.
Prior to Cybereason, his work focused on research in intrusion detection and reverse engineering the security mechanisms of the Windows 10 operating system.

**Brian Janower, Security Analyst, Cybereason Global SOC**

Brian Janower is a Security Analyst with the Cybereason Global SOC (GSOC) team. He is involved in malware analysis and triages security incidents effectively and precisely. Brian has a deep understanding of the malicious operations prevalent in the current threat landscape. He is in the process of obtaining a Bachelor of Science degree in Systems Information & Cyber

### Indicators of Compromise

**Executables**

SHA-256 hash: 132482335f028ceb6094d9c29442faf900d838fb054eebbbf39208bb39ccf5ae (file size: 691200 bytes)

**Scheduled tasks**

Updates\vxhnIvyvbHAK (the name vxhnIvyvbHAK may differ for different samples of the Snake malware)

**Domains**

checkip.dyndns.org, freegeoip.app

## About the Author

**Cybereason Global SOC Team**

The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.

[All Posts by Cybereason Global SOC Team](https://www.cybereason.com/blog/authors/cybereason-global-soc-team)