‘Snake’ Cyber-Espionage Malware Slithered Around Web for Years

Security researchers have dug deeper into the Snake malware found to be involved in cyber-attacks against targets in the Ukraine.

According to new research from BAE Systems, the cyber-espionage toolkit has been in development since at least 2005, and has been used in at least 32 attacks against targets in the Ukraine since 2010. Other targets hit by Snake have been located in countries such as Lithuania, Great Britain and to a lesser extent the United States.

“Back in 2008 an unknown malicious file was discovered and auto-classified as “Agent.BTZ”, meaning it was registered as unknown malicious sample #1,898 in an anti-virus classification system,” according to the BAE report (PDF). “It wasn’t given an actual name, only a generic one. Meanwhile, internally the authors behind this malware were using their own naming systems – with specific titles for their file components and projects such as “snake”, “uroburos”, “sengoku”, and “snark” used to denote variants of their framework.”

“A recent report from German security company G Data (Software) described a sample from the “uroburos” variant of this framework,” the company continued. “Their report revealed the complex nature of this malware family, and showed that the operation behind “Agent.BTZ” has continued.”

Reverse engineering of recent samples shows the malware has become more sophisticated than it was originally. BAE has identified two distinct variants. Generally, the malware uses rootkit functionality to maintain a presence on a system, and installs a backdoor on infected machines to exfiltrate data.

“From a technical standpoint, Snake demonstrates two very different approaches to the task of building a cyber-espionage toolkit,” the company continued. “One approach is to delegate the network communication engine to usermode code, backed up by a usermode rootkit. Another approach is to carry out all of the communications from the kernel-mode driver, which is a very challenging task by itself.”

“The complexity of the usermode-centric approach is on par with Rustock rootkit – it uses similar techniques,” the report said, adding that the architecture of Snake is designed to grant it as much flexibility as possible.

The report comes as the political tension regarding Russia’s entry into the Ukraine continues. Hacktivists have already gotten involved by defacing Russian news sites and launching other attacks. Though BAE does not name Russia as the culprit behind the attacks, security firm G Data Software said the malware has “Russian roots.”

“Previously, we have claimed that Uroburos is a highly complex and very sophisticated malware, programmed by skilled people,” G Data Software noted in a blog post.

According to BAE Systems, the malware is the work of a technically sophisticated and well organized group, but it is not possible to say exactly who is behind the campaign or who might be paying them despite evidence linking these tools to previous breaches connected to Russian threat actors.

“What this research once more demonstrates, is how organized and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organizations on a massive scale,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence, in a statement. “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”
