A joint cybersecurity advisory, released by US and allied government partners on May 9, details the decades-long use of Snake malware by a nation-state for espionage purposes. Snake malware has infected networks across multiple critical infrastructure sectors in the US, including education, business, media, government, finance, critical manufacturing and communications. Outside of the US, infrastructure associated with Snake malware infections has been identified in more than 50 countries.
Although Snake has been exposed publicly and federal law enforcement has dismantled the infrastructure used to operate it, it still poses a global threat to governmental entities and private organizations, because its operators are likely to rework and redeploy it. The Federal Bureau of Investigation (FBI) said the disruption effort, called Operation Medusa, took the malware offline in early May.
Snake can record every keystroke a victim makes, a capability known as keylogging, and send the keystrokes back to the threat actor's control infrastructure. It can also intercept and tamper with a victim's internet activity by inserting itself into the data the victim's computers send.
How Can I Protect Against, Detect and Respond to Snake Malware?
The Motorola Solutions ActiveEye Threat Intelligence team has thoroughly studied Snake malware, as well as research from other security experts to understand the tactics, techniques and procedures it uses. Although the naming scheme for Snake malware is always changing, the process used for deployment appears to remain the same. We have also reviewed the indicators of compromise (IOCs) associated with it, and are using this information to optimize our ActiveEye Managed Detection and Response (MDR) capabilities for our customers.
Here are a few examples of what that entails.
The Snake installer executable takes a pair of command-line arguments that instruct it to decrypt the second-stage payload, itself an executable. Our MDR services use advanced endpoint detection and response (EDR) technology to flag suspicious file creations and the tactics used during the creation process. Snake maintains persistence by creating an illegitimate service [WerFaultSvc] on the host machine, a name chosen to blend in with the legitimate Windows Error Reporting service, WerSvc. This service attempts to access a local machine registry key [HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds]; a file-association key under HKLM\SOFTWARE\Classes is an unusual thing for a service to read, which makes that access itself a useful detection point.
Once the registry key is accessed, the kernel driver is installed with the help of a .dat file stored at the full path [%windows%\system32\Com\comadmin.dat]. The ActiveEye EDR technology can spot this activity as well. Analysts investigating suspicious activity will typically also deploy custom detections on the affected workstation and its neighbours so that alerts fire on this behaviour even when the malware spreads through the network using otherwise legitimate applications.
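The three host-side artifacts above (the service name, the registry key and the file path) translate directly into detection logic. What follows is an added example, not ActiveEye's code and not taken from the advisory: it runs exact-match rules over event records shaped like Sysmon registry/file events (Event IDs 11, 12, 13, 14) and System-log service installs (Event ID 7045), then escalates hosts where more than one independent artifact class appears. The host names, the sample records and the assumption that the sensor emits these field names (Computer, ServiceName, TargetObject, TargetFilename) are constructed for the example.

```python
"""Match Windows host telemetry against the Snake artifacts named on this page:
the WerFaultSvc service, the .wav\\OpenWithProgIds registry key and the
comadmin.dat file under %windows%\\system32\\Com.

Added example, not ActiveEye code. Events are dicts shaped like Sysmon
(EventID 11/12/13/14) and System-log service-install (7045) records; the
sample records and host names below are constructed.
"""
from collections import defaultdict

SNAKE_SERVICE = "werfaultsvc"
SNAKE_REG_KEY = r"hklm\software\classes\.wav\openwithprogids"
SNAKE_DRIVER_BLOB = r"\system32\com\comadmin.dat"

# Registry hive spellings different sensors emit, mapped to the short form.
HIVE_PREFIXES = {"\\registry\\machine\\": "hklm\\", "hkey_local_machine\\": "hklm\\"}


def norm(path):
    """Lower-case, unify slashes and rewrite long hive spellings to HKLM so a
    single prefix comparison covers every form a sensor might report."""
    p = path.lower().replace("/", "\\")
    for long_form, short_form in HIVE_PREFIXES.items():
        if p.startswith(long_form):
            p = short_form + p[len(long_form):]
    return p


def classify(event):
    """Return the artifact class ('service', 'registry', 'file') the event
    evidences, or None. Matches are exact on purpose: WerSvc (the legitimate
    Windows Error Reporting service) and comadmin.dll must not match."""
    eid = event.get("EventID")
    if eid == 7045 and event.get("ServiceName", "").lower() == SNAKE_SERVICE:
        return "service"
    if eid in (12, 13, 14):
        key = norm(event.get("TargetObject", ""))
        if key == SNAKE_REG_KEY or key.startswith(SNAKE_REG_KEY + "\\"):
            return "registry"
    if eid == 11 and norm(event.get("TargetFilename", "")).endswith(SNAKE_DRIVER_BLOB):
        return "file"
    return None


def hunt(events):
    """Map each host to the sorted list of distinct artifact classes seen."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev.get("Computer", "?")].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def escalate(hits, min_classes=2):
    """Hosts showing two or more independent artifact classes deserve an
    immediate analyst look; a single hit is a lead to verify on the host
    (is the service present? does the file exist?) rather than a verdict."""
    return sorted(host for host, tags in hits.items() if len(tags) >= min_classes)


SAMPLE_EVENTS = [  # constructed telemetry for three hypothetical hosts
    {"EventID": 7045, "Computer": "ws-17", "ServiceName": "WerFaultSvc"},
    {"EventID": 12, "Computer": "ws-17", "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds"},
    {"EventID": 11, "Computer": "ws-17",
     "TargetFilename": r"C:\Windows\System32\Com\comadmin.dat"},
    # Look-alikes that must stay quiet: a different file in the same
    # directory and the genuine Windows Error Reporting service name.
    {"EventID": 11, "Computer": "ws-22",
     "TargetFilename": r"C:\Windows\System32\Com\comadmin.dll"},
    {"EventID": 7045, "Computer": "ws-22", "ServiceName": "WerSvc"},
    # Same key reported in the kernel-object spelling some sensors use.
    {"EventID": 12, "Computer": "ws-31", "EventType": "CreateKey",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithProgIds"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, tags in sorted(found.items()):
        print(host, tags)
    print("escalate:", escalate(found))
```

Running the block as a script reports ws-17 with all three classes and ws-31 with the registry artifact only; ws-22 never appears, which is the point of matching exact names rather than substrings. The environment-variable form %windows% on the page is handled by comparing only the path suffix below the Windows directory.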
Snake communicates over common network protocols, using raw TCP and UDP sockets as well as HTTP, SMTP and DNS. The ActiveEye Network Intrusion Detection System (NIDS) component can alert on network activity and on communications with the command-and-control servers identified in the joint advisory. In addition to keylogging, Snake can exfiltrate data from the system; ActiveEye NIDS has several models for detecting exfiltration, even when the traffic is disguised as another commonly used protocol.
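Exfiltration carried inside DNS is one of the "disguised as a commonly used protocol" cases, and it is a good illustration of why a model rather than a signature is needed: the indicator is the shape of the traffic, not a fixed string. The following is an added example of one generic heuristic, not ActiveEye's detection models and not specific to Snake: it scores each query name by the length and Shannon entropy of its longest subdomain label, then reports clients that repeatedly send such names under one parent domain. The client addresses, the query log and the exfil-test.example domain are constructed.

```python
"""Heuristic for DNS-carried exfiltration: data encoded into long, high-entropy
labels, sent repeatedly by one client under one parent domain.

Added example of a generic technique, not ActiveEye's detection models and
not specific to Snake; the query log below is constructed.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of text; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Return (subdomain part, parent domain). The parent is approximated as
    the last two labels; production code would consult a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_query(qname, min_label_len=30, min_entropy=3.5):
    """True when the longest subdomain label is both long and high-entropy,
    the shape of a base32/base64 data chunk. Judging the longest single label
    rather than the whole subdomain keeps long but structured names, such as
    Active Directory SRV lookups (_ldap._tcp....), from tripping the rule."""
    sub, _ = split_qname(qname)
    if not sub:
        return False
    longest = max(sub.split("."), key=len)
    return len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy


def find_tunnels(queries, min_distinct=3):
    """queries: iterable of (client_ip, qname). Returns {(client, parent): n}
    for pairs with at least min_distinct distinct suspicious names; the count
    threshold stops a single odd lookup from raising an alert on its own."""
    seen = defaultdict(set)
    for client, qname in queries:
        if suspicious_query(qname):
            _, parent = split_qname(qname)
            seen[(client, parent)].add(qname.lower())
    return {pair: len(names) for pair, names in seen.items() if len(names) >= min_distinct}


B32 = "abcdefghijklmnopqrstuvwxyz234567"  # 32 distinct chars: exactly 5 bits/char

SAMPLE_QUERIES = [  # constructed query log: (client, queried name)
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "_ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.example.com"),
    ("10.0.0.5", B32 + ".t0.exfil-test.example"),            # one odd lookup, below threshold
    ("10.0.0.7", B32 + ".t0.exfil-test.example"),
    ("10.0.0.7", B32[5:] + B32[:5] + ".t1.exfil-test.example"),
    ("10.0.0.7", B32[11:] + B32[:11] + ".t2.exfil-test.example"),
    ("10.0.0.7", "mail.corp.example.com"),
]

if __name__ == "__main__":
    for (client, parent), n in find_tunnels(SAMPLE_QUERIES).items():
        print(f"{client} -> {parent}: {n} distinct high-entropy names")
```

The thresholds (30-character labels, 3.5 bits per character, three distinct names) are starting points to tune against a baseline of the organisation's own resolver logs; content-delivery and telemetry domains with hashed hostnames are the usual source of false positives, and an allow-list of known parents is the normal first refinement.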
Motorola Solutions ActiveEye Managed Detection and Response Service
The ActiveEye MDR service combines an innovative security platform with an expert security operations center (SOC) team. The service allows an organization of any size to apply the most advanced cybersecurity technology and an experienced team in the moments it matters most.
With ActiveEye MDR, you get:
- Access to our co-managed ActiveEye security platform to optimize analysis and detection of threats across endpoints and networks
- Threat Intelligence team to alert you to threats and threat actor trends, and guide the adoption of appropriate detection methods
- A 24/7 security operations team to quickly investigate anomalous activity and augment your internal security team
- Advanced threat research to proactively search for threats as new tactics and IOCs are discovered
- Incident Response team to guide an assessment in the event your network is compromised
The Public Safety Threat Alliance (PSTA), a public safety-focused information sharing and analysis organization (ISAO) established by Motorola Solutions that is recognized by the Cybersecurity and Infrastructure Security Agency (CISA), immediately shared a copy of the advisory with its members. The PSTA will continue to monitor intelligence reporting for credible threats to public safety organizations. At the time of this post, the PSTA Threat Intelligence team has not observed any reporting of impacted or targeted public safety organizations. However, we urge public safety network defenders to remain vigilant.
The PSTA provides threat intelligence for member public sector organizations at no cost. Register today for more information.