[MART] - Daily Diary #381 - Meet Snake Info Stealer

CTAS-MAT ctas-mat at appgate.com
Mon Nov 1 18:08:09 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/01/2021 - Diary entry #381:

Snake is an info stealer written in .NET, active since November 2020, and distributed as attachments to phishing emails posing as payment requests. It's important to note that this malware is unrelated to the Snake Ransomware covered in our Daily Diaries #52 and #184. Snake is sold in underground forums for between $25 and $500 US dollars. Its main purpose is to steal credentials and exfiltrate data from over 50 different applications.

As soon as the victim runs the Snake loader executable, it decodes a base64-encoded, encrypted .NET assembly, then decrypts it with a symmetric DES key and executes the assembly code. This first stage is responsible for establishing persistence on the compromised machine and executing the final payload.
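One defender-side triage check for the staging pattern just described, added here as an example (it is not Appgate's code and is not derived from a real Snake sample): scan a loader for long base64 runs that decode to high-entropy, DES-block-aligned bytes, which is what an encrypted embedded assembly looks like before decryption. The thresholds and the constructed sample are assumptions.

```python
import base64
import hashlib
import math
import re

# Thresholds are assumptions for this example, not values from the diary.
MIN_B64_LEN = 256        # shorter base64 runs are usually strings, not payloads
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted data sits close to 8.0
DES_BLOCK = 8            # DES ciphertext length is a multiple of the 8-byte block

B64_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_encrypted_blobs(sample: bytes) -> list:
    """Return (offset, decoded_length, entropy) for base64 runs that decode to
    high-entropy, block-aligned bytes; plain-text base64 (low entropy) is skipped."""
    hits = []
    for m in B64_RE.finditer(sample):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        ent = shannon_entropy(decoded)
        if len(decoded) % DES_BLOCK == 0 and ent >= ENTROPY_THRESHOLD:
            hits.append((m.start(), len(decoded), round(ent, 2)))
    return hits

def _pseudo_ciphertext(n_blocks: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for DES ciphertext (constructed)."""
    out, chunk = b"", b"seed"
    while len(out) < n_blocks * DES_BLOCK:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return out[: n_blocks * DES_BLOCK]

# Constructed stand-in for a loader: one benign base64 string (text) and one
# base64 blob wrapping pseudo-ciphertext. Not a real Snake sample.
BENIGN_B64 = base64.b64encode(b"Lorem ipsum dolor sit amet, " * 20)
SUSPECT_B64 = base64.b64encode(_pseudo_ciphertext(256))
SAMPLE = b"public static void Main() {\n" + BENIGN_B64 + b"\n" + SUSPECT_B64 + b"\n}"

if __name__ == "__main__":
    for offset, length, ent in find_encrypted_blobs(SAMPLE):
        print(f"candidate encrypted stage at offset {offset}: {length} bytes, entropy {ent}")
```

The hit's offset and length are the starting point for the next analysis step (extracting the blob and trying the key the loader holds), which this script deliberately stops short of.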

Each Snake final-stage payload can have different features, since the threat actors who purchased the malware toolkit are able to customize their samples. Among those features, Snake can include an alternative persistence mechanism, the ability to disable security and analysis tools by killing their processes, a self-deletion routine, and fingerprinting of the compromised machine's environment to evade analysis. Finally, it has many information-stealing features, such as keystroke logging, clipboard manipulation, screenshot and/or credential theft, and data exfiltration.

Snake is a huge concern for privacy, since it targets an extensive list of applications and services and supports several protocols for sending the stolen data. Furthermore, by selling to other threat actors, the Snake developers are trying to profit from the Malware-as-a-Service business. Snake's staging mechanism is also the same as that of other commercialized info stealers, such as FormBook and AgentTesla, showing how easy it is for malware developers to create new threats through code reuse.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
