Snake
April 3, 2025
| Field | Value |
|---|---|
| ID | X0047 |
| Type | Information Stealer, Keylogger |
| Aliases | Uroburos |
| Platforms | Windows |
| Year | 2004 |
| Associated ATT&CK Software | Uroburos |
The Snake malware is an information-stealing malware that is implemented in the .NET programming language. It has been in use since 2004 and is one of the most sophisticated cyber espionage tools designed and used by Russia's FSB for long-term intelligence collection. [1]
ATT&CK Techniques
See ATT&CK: Uroburos
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Anti-Static Analysis::Software Packing (F0001) | The Snake malware is distributed in a packed format. [1] |
| Anti-Static Analysis::Software Packing::Confuser (F0001.009) | Some analyzed Snake samples have been packed with Confuser. [2] |
| Defense Evasion::Self-Deletion (F0007) | Snake can delete itself to prevent detection. [1] |
| Discovery::System Information Discovery (E1082) | Snake collects information about the host on which it is running and its probable geographic location. [1] |
| Collection::Keylogging::Application Hook (F0002.001) | Snake uses SetWindowsHookExA to monitor for and log keystrokes. [1] |
| Collection::Screen Capture (E1113) | Snake captures screenshots. [1] |
MBC Behaviors
| Name | Use |
|---|---|
| Discovery::SMTP Connection Discovery (B0014) | Snake attempts to log in to an attacker-controlled SMTP server before sending information. [1] |
| Data::Decode Data::Base64 (C0053.001) | Snake decodes information stored in base64 during the unpacking process observed in [1]. |
| Cryptography::Decrypt Data::3DES (C0031.005) | Snake decrypts a .NET assembly encrypted with 3DES during the unpacking process observed in [1]. |
| Cryptography::Decrypt Data::AES (C0031.001) | Snake decrypts credentials stored in web browsers using AES. [1] |
| File System::Copy File (C0045) | Snake copies its executable to another location while establishing persistence. [1] |
| File System::Create File (C0016) | Snake creates a scheduled task configuration file. [1] |
| File System::Delete File (C0047) | Snake can delete image files created when screenshots are captured. [1] |
| Cryptography::Crypto Library::API Call (C0059.001) | Snake uses the Network Security Services library to decrypt some credentials stored in browsers. [1] |
References
[1] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware
[2] https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/