50 Apps are prone to the venom of the Snake Malware

November 18, 2021
Tags: Apps, Snake Malware, trojan, malware, phishing, data breach, threat actors, Firefox, Chrome, Safari, Opera

A password-stealing trojan called ‘Snake’ is one of the most widely used malware families in the world. Cyber threat actors keep turning to it because its developers sell it for only $25. 

A researcher discovered that the malware is written in .NET and uses the same staging function as Agent Tesla and Formbook. 


The malware contains several kinds of venoms

Snake malware’s growing number of deployments can be attributed to its developers’ decision to sell the malware for a nominal price of $25.  

Moreover, this malware is primarily deployed through phishing campaigns. Victims are infected with Snake when they open a malicious email attachment or download it from a drop website reached by clicking a URL in the email. 

Once Snake malware is successfully installed on the victim’s computer, it can gather critical credentials from over 50 well-known applications, including email clients, IM platforms, and web browsers. 

Snake targets popular programs such as Discord, Pidgin, Thunderbird, Outlook, Chrome, Firefox, Opera, and many more. The malware also steals clipboard data, captures screenshots, and logs keystrokes, all of which are automatically uploaded to the threat actor. 

In addition, Snake can steal system memory information, date and time information, IP addresses, geolocation, and more. 

Recent related research has also shown that these threat actors can use the geolocation data to block installation in certain territories. Snake is an all-purpose info stealer: it costs little and, at the same time, is good at hiding from anti-virus software. 


Snake malware is an expert in slithering away from any form of defence

Snake usually avoids detection by disabling AV defences, killing their associated processes or crippling network traffic analysers. Snake also adds itself to the Windows Defender exclusion list, which allows it to run PowerShell commands with ease. 

In addition, the malware creates a scheduled task and edits a registry key so that it runs whenever the victim logs in to Windows, establishing persistence. Notably, Snake lets its operators choose which functions to activate in the malware during the first stages of their campaign. 

Finally, Snake exfiltrates data from the victim’s devices over an FTP or SMTP server connection or via an HTTP POST to a Telegram endpoint. 
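The evasion, persistence and exfiltration behaviours described in the two sections above map onto telemetry a defender can watch for. The script below is an added example, not code from the article or from any vendor. It runs a handful of detection rules over constructed sample records (the `source|event_id|detail` record format, the `svc.exe` process name, the task name, the IP addresses and the analyser watchlist are all assumptions made for the example) modelled on Defender configuration-change events, Security scheduled-task events, Sysmon registry, process-termination and network events, and proxy logs, then triages the host by how many of the three behaviour classes (persistence, evasion, exfiltration) fire.

```python
import re
from typing import NamedTuple


class Event(NamedTuple):
    source: str    # telemetry source: defender, security, sysmon, proxy
    event_id: str  # event identifier within that source
    detail: str    # free-text detail field


# Constructed sample telemetry (not real logs); one "<source>|<event_id>|<detail>" record per line.
# Process name, task name, paths and addresses are assumptions made for this example.
SAMPLE_LOG = r"""
defender|5007|Configuration changed: Exclusions\Paths C:\Users\victim\AppData\Roaming\svc.exe = 0x0
security|4698|Scheduled task created: \Updater, action C:\Users\victim\AppData\Roaming\svc.exe
sysmon|13|Registry value set: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc -> C:\Users\victim\AppData\Roaming\svc.exe
sysmon|5|Process terminated: C:\Program Files\Wireshark\Wireshark.exe
sysmon|3|Network connection: svc.exe -> 203.0.113.10:21 tcp
sysmon|3|Network connection: svc.exe -> 203.0.113.20:587 tcp
proxy|http|POST https://api.telegram.org/bot<TOKEN>/sendDocument from svc.exe
sysmon|3|Network connection: outlook.exe -> 198.51.100.5:443 tcp
"""

EXFIL_PORTS = {"21", "25", "465", "587"}          # FTP and SMTP/submission ports named in the article
ANALYSER_WATCHLIST = ("wireshark", "fiddler", "procmon")  # constructed watchlist of analysis tools


def _dest_port(detail: str):
    """Pull the destination port out of a Sysmon-style network connection detail."""
    m = re.search(r":(\d+)\s+tcp", detail)
    return m.group(1) if m else None


# Each rule is (name, predicate over an Event). Rules are grouped into the three
# behaviour classes the article describes so that triage() can correlate them.
RULES = [
    ("defender-exclusion-added", lambda e: e.source == "defender" and e.event_id == "5007"
                                           and "Exclusions" in e.detail),
    ("scheduled-task-created",   lambda e: e.source == "security" and e.event_id == "4698"),
    ("run-key-persistence",      lambda e: e.source == "sysmon" and e.event_id == "13"
                                           and "\\CurrentVersion\\Run\\" in e.detail),
    ("analyser-process-killed",  lambda e: e.source == "sysmon" and e.event_id == "5"
                                           and any(t in e.detail.lower() for t in ANALYSER_WATCHLIST)),
    ("exfil-ftp-or-smtp",        lambda e: e.source == "sysmon" and e.event_id == "3"
                                           and _dest_port(e.detail) in EXFIL_PORTS),
    ("exfil-telegram-post",      lambda e: e.source == "proxy" and e.detail.startswith("POST")
                                           and "api.telegram.org" in e.detail),
]

PERSISTENCE = {"scheduled-task-created", "run-key-persistence"}
EVASION = {"defender-exclusion-added", "analyser-process-killed"}
EXFIL = {"exfil-ftp-or-smtp", "exfil-telegram-post"}


def parse(log_text: str):
    """Parse the constructed record format into Event tuples."""
    events = []
    for line in log_text.strip().splitlines():
        source, event_id, detail = line.split("|", 2)
        events.append(Event(source, event_id, detail))
    return events


def detect(log_text: str):
    """Return (rule_name, detail) for every record that matches a rule."""
    findings = []
    for event in parse(log_text):
        for name, predicate in RULES:
            if predicate(event):
                findings.append((name, event.detail))
    return findings


def triage(findings):
    """Rate the host by how many of the three behaviour classes were observed."""
    hit = {name for name, _ in findings}
    score = sum((bool(hit & PERSISTENCE), bool(hit & EVASION), bool(hit & EXFIL)))
    return {3: "high", 2: "medium", 1: "low"}.get(score, "none")


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for name, detail in results:
        print(f"[{name}] {detail}")
    print("triage:", triage(results))
```

A single Run-key write or a lone SMTP connection is common on a healthy host, which is why `triage` only rates the host "high" when persistence, defence evasion and an exfiltration channel all appear together; on the constructed sample every class fires, while the benign Outlook connection on port 443 matches nothing.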
