Security researchers have dug deeper into the Snake malware found to be involved in cyber-attacks against targets in the Ukraine.
According to new research from BAE Systems, the cyber-espionage toolkit has been in development since at least 2005, and has been used in at least 32 attacks against targets in the Ukraine since 2010. Other targets hit by Snake have been located in countries such as Lithuania, Great Britain and, to a lesser extent, the United States.
“Back in 2008 an unknown malicious file was discovered and auto-classified as “Agent.BTZ”, meaning it was registered as unknown malicious sample #1,898 in an anti-virus classification system,” according to the BAE report (PDF). “It wasn’t given an actual name, only a generic one. Meanwhile, internally the authors behind this malware were using their own naming systems – with specific titles for their file components and projects such as “snake”, “uroburos”, “sengoku”, and “snark“ used to denote variants of their framework.”
“A recent report from German security company G Data (Software) described a sample from the “uroburos” variant of this framework,” the company continued. “Their report revealed the complex nature of this malware family, and showed that the operation behind “Agent.BTZ” has continued.”
Reverse engineering of recent samples shows the malware has become more sophisticated than it was originally. BAE has identified two distinct variants. Generally, the malware uses rootkit functionality to maintain a presence on a system, and installs a backdoor on infected machines to exfiltrate data.
“From a technical standpoint, Snake demonstrates two very different approaches to the task of building a cyber-espionage toolkit,” the company continued. “One approach is to delegate the network communication engine to usermode code, backed up by a usermode rootkit. Another approach is to carry out all of the communications from the kernel-mode driver, which is a very challenging task by itself.”
“The complexity of the usermode-centric approach is on par with Rustock rootkit – it uses similar techniques,” the report said, adding that the architecture of Snake is designed to grant it as much flexibility as possible.
The report comes as the political tension regarding Russia’s entry into the Ukraine continues. Hacktivists have already gotten involved by defacing Russian news sites and launching other attacks. Though BAE does not name Russia as the culprit behind the attacks, security firm G Data Software said the malware has “Russian roots.”
“Previously, we have claimed that Uroburos is a highly complex and very sophisticated malware, programmed by skilled people,” G Data Software noted in a blog post.
According to BAE Systems, the malware is the work of a technically sophisticated and well-organized group, but it is not possible to say exactly who is behind the campaign or who might be paying them, despite evidence linking these tools to previous breaches connected to Russian threat actors.
“What this research once more demonstrates, is how organized and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organizations on a massive scale,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence, in a statement. “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”