Snake malware biting laborious on 50 apps for under $25



Cybercriminals are flocking to the Snake password-stealing trojan, making it one of the more popular malware families used in attacks.
Snake has been active since November 2020 and is a distinct project from the ransomware operation that used the same name in the past.
Written in .NET and using the same staging mechanism as FormBook and Agent Tesla, the malware was the subject of a deep dive by researchers at Cybereason into how the emerging threat operates.
Wide range of malicious features
Cybercriminals currently sell Snake on dark web forums for as little as $25, which could explain the spike in its deployment.
Primarily deployed in phishing campaigns, Snake is installed via malicious email attachments or through drop sites reached by clicking on email links.
Once installed on a computer, Snake is capable of stealing credentials from over 50 apps, including email clients, web browsers, and IM platforms.
Some of the more popular programs targeted by Snake include:
Brave browser
Snake also features keystroke logging and clipboard data theft, and can even take screenshots of the entire screen, which are then uploaded back to the threat actor.

[Figure: Snake's stealing capability diagram. Source: Cybereason]
Other features include stealing OS data, memory space information, geolocation, date and time information, IP addresses, and more.
A previous analysis from HP has shown that threat actors may use the geolocation data to restrict installation based on the victim's country.
All in all, it is a versatile info-stealer for its price and has been successful at hiding from security solutions.
Evading detection
To avoid detection, Snake disables AV defenses by killing the associated processes and goes as far as disabling network traffic analyzers such as Wireshark.
Snake then adds itself to the Windows Defender exclusion list, allowing it to execute malicious PowerShell commands without being detected.
To establish persistence, Snake adds a scheduled task and edits a registry key so that it executes when a user logs in to Windows.
It is also noteworthy that Snake gives its operators the ability to choose which features to activate during the packing stage.
This customization allows them to stay hidden in targeted attacks by enabling only the features they need, which shrinks the malware's observable footprint.
Finally, when it comes to data exfiltration, Snake uses either an FTP or SMTP server connection or an HTTPS POST to a Telegram endpoint.
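The evasion, persistence and exfiltration behaviours described above are each individually noisy on an endpoint, and their combination on one process is what a defender should key on. The following is an added example, not Cybereason's or BleepingComputer's code, of rule logic over Sysmon-style telemetry (Event ID 1 process creation, 3 network connection, 13 registry value set) that flags AV/Wireshark process kills, Defender exclusion changes, Run-key and at-logon scheduled-task persistence, and FTP/SMTP or Telegram API traffic from a process that has no business sending it, then attributes LOLBin activity back to the parent process and scores each process by how many distinct rules it tripped. The event field names, the process name lists and the dropper path are assumptions, and the sample events are constructed, not captured from a real infection.

```python
"""Behavioural triage for Snake-style tradecraft over Sysmon-like events.

Added example, not Cybereason's or BleepingComputer's code. It assumes events
flattened to dicts with Sysmon field names (EventID, Image, ParentImage,
CommandLine, TargetObject, DestinationHostname, DestinationPort); the process
name lists below and the sample telemetry at the bottom are constructed.
"""
import re
from collections import defaultdict

# Assumed image names of processes Snake kills (Defender engine, Wireshark and
# its capture helper). Extend with the AV products deployed in your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "wireshark.exe", "dumpcap.exe"}
# Processes whose Telegram / mail / FTP traffic is expected. Assumed list: the
# article names Brave among Snake's targets, the others are illustrative.
BROWSERS = {"brave.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe"}
# Built-in tools the malware drives; their activity is blamed on the parent.
LOLBINS = {"taskkill.exe", "schtasks.exe", "powershell.exe", "reg.exe"}

DEFENDER_EXCLUSIONS = r"\software\microsoft\windows defender\exclusions"
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\")
TELEGRAM_API = "api.telegram.org"
FTP_SMTP_PORTS = {21, 25, 465, 587}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def rules_for(event):
    """Names of the detection rules a single event triggers (empty if none)."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 1:
        cmd = event.get("CommandLine", "").lower()
        if image == "taskkill.exe" and any(p in cmd for p in SECURITY_PROCESSES):
            hits.append("kill_security_process")
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            hits.append("defender_exclusion_added")
        if image == "schtasks.exe" and "/create" in cmd and "onlogon" in cmd:
            hits.append("scheduled_task_logon_persistence")
    elif eid == 13:
        target = event.get("TargetObject", "").lower()
        if DEFENDER_EXCLUSIONS in target:
            hits.append("defender_exclusion_added")
        if RUN_KEY.search(target):
            hits.append("run_key_persistence")
    elif eid == 3:
        host = event.get("DestinationHostname", "").lower()
        if host == TELEGRAM_API and image not in BROWSERS:
            hits.append("telegram_post_from_non_browser")
        if event.get("DestinationPort") in FTP_SMTP_PORTS and image not in MAIL_FTP_CLIENTS:
            hits.append("ftp_smtp_from_unexpected_process")
    return hits


def actor(event):
    """Process to blame: the parent when a built-in tool is doing the work."""
    image = event.get("Image", "").lower()
    if event.get("EventID") == 1 and basename(image) in LOLBINS and event.get("ParentImage"):
        return event["ParentImage"].lower()
    return image


def triage(events):
    """Map each responsible process to the set of distinct rules it tripped."""
    findings = defaultdict(set)
    for ev in events:
        for rule in rules_for(ev):
            findings[actor(ev)].add(rule)
    return dict(findings)


def suspicious_images(events, min_rules=3):
    """Processes tripping at least min_rules rules: one Run key or one SMTP
    session is everyday noise, the combination seen here is not."""
    return sorted(img for img, rules in triage(events).items() if len(rules) >= min_rules)


DROPPER = r"C:\Users\victim\AppData\Roaming\update.exe"  # assumed dropper path
SAMPLE_EVENTS = [  # constructed telemetry, not from a real infection
    {"EventID": 1, "ParentImage": DROPPER, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM wireshark.exe"},
    {"EventID": 1, "ParentImage": DROPPER,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public"},
    {"EventID": 1, "ParentImage": DROPPER, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc onlogon /tn Updates /tr C:\\Users\\Public\\update.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updates"},
    {"EventID": 3, "Image": DROPPER, "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": DROPPER, "DestinationHostname": "mail.example.net", "DestinationPort": 587},
    # Benign look-alikes: Brave talking to Telegram, Outlook sending mail.
    {"EventID": 3, "Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.example.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(image, sorted(rules))
    print("suspicious:", suspicious_images(SAMPLE_EVENTS))
```

On a live host the same questions can be asked directly from PowerShell: Get-MpPreference exposes the ExclusionPath and ExclusionProcess lists, Get-ScheduledTask lists tasks with logon triggers, and the Run and RunOnce keys under HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion can be read with Get-ItemProperty. The point of the correlation step is that the malware's own image, not taskkill.exe or schtasks.exe, ends up holding the findings, which is what an analyst needs to pivot on.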