Cyberwarfare

‘Snake’ Cyber-Espionage Malware Slithered Around Web for Years

Security researchers have dug deeper into the Snake malware found to be involved in cyber-attacks against targets in the Ukraine.

According to new research from BAE Systems, the cyber-espionage toolkit has been in development since at least 2005, and has been used in at least 32 attacks against targets in the Ukraine since 2010. Other targets hit by Snake have been located in countries such as Lithuania, Great Britain and to a lesser extent the United States.

“Back in 2008 an unknown malicious file was discovered and auto-classified as ‘Agent.BTZ’, meaning it was registered as unknown malicious sample #1,898 in an anti-virus classification system,” according to the BAE report (PDF). “It wasn’t given an actual name, only a generic one. Meanwhile, internally the authors behind this malware were using their own naming systems – with specific titles for their file components and projects such as ‘snake’, ‘uroburos’, ‘sengoku’, and ‘snark’ used to denote variants of their framework.”

“A recent report from German security company G Data (Software) described a sample from the ‘uroburos’ variant of this framework,” the company continued. “Their report revealed the complex nature of this malware family, and showed that the operation behind ‘Agent.BTZ’ has continued.”

Reverse engineering of recent samples shows the malware has become more sophisticated than it was originally. BAE has identified two distinct variants. Generally, the malware uses rootkit functionality to maintain a presence on a system, and installs a backdoor on infected machines to exfiltrate data.

“From a technical standpoint, Snake demonstrates two very different approaches to the task of building a cyber-espionage toolkit,” the company continued. “One approach is to delegate the network communication engine to usermode code, backed up by a usermode rootkit. Another approach is to carry out all of the communications from the kernel-mode driver, which is a very challenging task by itself.”

“The complexity of the usermode-centric approach is on par with Rustock rootkit – it uses similar techniques,” the report said, adding that the architecture of Snake is designed to grant it as much flexibility as possible.

The report comes as the political tension regarding Russia’s entry into the Ukraine continues. Hacktivists have already gotten involved by defacing Russian news sites and launching other attacks. Though BAE does not name Russia as the culprit behind the attacks, security firm G Data Software said the malware has “Russian roots.”

“Previously, we have claimed that Uroburos is a highly complex and very sophisticated malware, programmed by skilled people,” G Data Software noted in a blog post.

According to BAE Systems, the malware is the work of a technically sophisticated and well organized group, but it is not possible to say exactly who is behind the campaign or who might be paying them despite evidence linking these tools to previous breaches connected to Russian threat actors.

“What this research once more demonstrates, is how organized and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organizations on a massive scale,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence, in a statement. “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”
