Cybercriminals are flooding to use the Snake password-stealing trojan, making it one of the popular malware families used in attacks. Written in .NET and using the same staging mechanism as FormBook and Agent Tesla,

Cybercriminals currently sell Snake on dark web forums for as low as $25,. Mainly deployed in phishing campaigns, Snake installed via malicious email attachments or through drops sites reached by clicking on email links.

Advertisements

Snake is capable of stealing credentials from over 50 apps, including email clients, web browsers, and IM platforms.

Some of the more popular programs targeted by Snake include:

  • Discord
  • Pidgin
  • FileZilla
  • Thunderbird
  • Outlook
  • Brave browser
  • Chrome
  • Edge
  • Firefox
  • Opera
  • Vivaldi
  • Yandex

Snake also features keystroke logging, clipboard data theft capabilities and can even capture screenshots of the entire screen, which are then uploaded back to the threat actor. It also include stealing OS data, memory space info, geolocation, date time information, IP addresses.

To avoid detection, Snake disables AV defenses by killing the associated processes and goes as far as to disable network traffic analyzers such as Wireshark, adds itself to the exclusion list of the Windows Defender, allowing it to execute malicious PowerShell commands without being detected. Also it adds a scheduled task and edits a registry key to execute when a user logs in to Windows to establish persistence.

Advertisements

Snake gives its operators the versatility to choose what features they will activate on the malware during the packing stage. Snake uses either an FTP or SMTP server connection or an HTTPS POST on a Telegram endpoint.