Full Report
Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts
Analysis Summary
# Tool/Technique: SnakeStealer
## Overview
SnakeStealer (also tracked as Snake Keylogger) is a prevalent information-stealing malware that has recently topped infostealer detection charts, succeeding threats like Agent Tesla. It is designed to quietly siphon valuable data, specifically login credentials, financial details, and cryptocurrency information, from compromised systems and exfiltrate it to the operator. It is sold under a Malware-as-a-Service (MaaS) model, which puts it in the hands of lower-skilled attackers who only need to configure and distribute it.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows, .NET (implied by the `MSIL/` prefix of ESET's detection name and by details such as altering Windows boot configurations and targeting Windows browsers and clients)
- Capabilities: Credential harvesting, surveillance (keystroke logging, screenshots), evasion, establishing persistence, and data exfiltration via multiple channels.
- First Seen: 2019 (Originally marketed as 404 Keylogger or 404 Crypter before rebranding).
## MITRE ATT&CK Mapping
*Note: The source does not provide an explicit MITRE ATT&CK mapping; the techniques below are derived from the documented capabilities and marked "(implied)" where the source describes a behaviour without naming the mechanism.*
- **TA0001 - Initial Access**
  - **T1566.001 - Phishing: Spearphishing Attachment** (password-protected ZIP, RTF, ISO or PDF lures)
- **TA0002 - Execution**
  - **T1204.002 - User Execution: Malicious File** (victim opens the attachment, pirated software or fake application)
- **TA0003 - Persistence**
  - **T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder** (implied by "alters Windows boot configurations"; the source does not name the exact mechanism)
- **TA0005 - Defense Evasion**
  - **T1036 - Masquerading** (implied: payload disguised as documents and other file types)
  - **T1027 - Obfuscated Files or Information** (password-protected archives defeat gateway content scanning)
  - **T1562.001 - Impair Defenses: Disable or Modify Tools** (terminates security and malware-analysis processes)
  - **T1497 - Virtualization/Sandbox Evasion** (checks for virtual environments before running)
- **TA0006 - Credential Access**
  - **T1555 - Credentials from Password Stores**, including **T1555.003 - Credentials from Web Browsers** (saved browser, database, email and chat-client passwords)
  - **T1056.001 - Input Capture: Keylogging**
- **TA0007 - Discovery**
  - **T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery** (Wi-Fi network information)
- **TA0009 - Collection**
  - **T1005 - Data from Local System**
  - **T1113 - Screen Capture** (screenshots)
  - **T1115 - Clipboard Data**
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel** (HTTP)
  - **T1048 - Exfiltration Over Alternative Protocol** (FTP, email over SMTP)
  - **T1567 - Exfiltration Over Web Service** (Telegram bots)
## Functionality
### Core Capabilities
- **Credential Theft:** Extracts saved passwords from web browsers, databases, email clients (e.g., Outlook), chat clients (specifically Discord), and Wi-Fi network configurations.
- **Data Collection:** Captures clipboard data, logs keystrokes, and takes screenshots across the compromised system.
- **Exfiltration:** Sends stolen data to operators using FTP, HTTP, email, or Telegram bots.
### Advanced Features
- **Evasion:** Includes mechanisms to terminate processes associated with security and malware analysis tools, and checks for the presence of virtual environments to avoid analysis.
- **Persistence:** Modifies configurations related to Windows boot processes to ensure continued access after system restarts.
- **Modularity:** Features are described as modular, allowing attackers to enable or disable specific capabilities based on campaign needs.
- **Delivery Versatility:** Utilizes numerous delivery methods including phishing attachments (disguised in password-protected ZIP, RTF, ISO, or PDF files), and bundling within pirated software or fake applications.
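A password-protected archive defeats gateway content scanning, but the ZIP central directory (entry names, sizes and the encryption flag) is never encrypted, so an attachment can still be triaged on its headers alone. The following is an added example, not code from the ESET report or from SnakeStealer itself: it reads only the central directory, flags executable and double-extension entries, and holds anything that cannot be scanned. The extension lists, the block/hold/allow policy and the `build_zip` fixture builder are assumptions; the attachments it inspects are constructed in memory, not real samples.

```python
"""Mail-gateway triage for ZIP attachments: flag password-protected archives and
executable or double-extension payloads without extracting anything."""
import io
import struct
import zipfile

# Assumed policy lists; tune to the environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".bat", ".cmd",
                  ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}
CONTAINER_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}   # archive-in-archive, disk images
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _parts(name):
    return name.lower().rsplit("/", 1)[-1].split(".")


def _ext(name):
    parts = _parts(name)
    return "." + parts[-1] if len(parts) > 1 else ""


def _double_extension(name):
    # Invoice.pdf.exe: document-looking name whose real extension is executable.
    parts = _parts(name)
    return (len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXT
            and "." + parts[-1] in EXECUTABLE_EXT)


def triage_zip(data):
    """Return (verdict, findings); verdict is 'block', 'hold' or 'allow'.

    Only the central directory is read, so the password is never needed:
    entry names and the encryption flag are always stored in cleartext.
    """
    findings = []
    encrypted_entries = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            encrypted = bool(zi.flag_bits & 0x1)   # general-purpose bit 0 = encrypted
            encrypted_entries += encrypted
            ext = _ext(zi.filename)
            if ext in EXECUTABLE_EXT:
                findings.append((zi.filename, "executable"))
            if _double_extension(zi.filename):
                findings.append((zi.filename, "double_extension"))
            if ext in CONTAINER_EXT:
                findings.append((zi.filename, "nested_container"))
    reasons = {reason for _, reason in findings}
    if reasons & {"executable", "double_extension"}:
        return "block", findings
    if encrypted_entries or "nested_container" in reasons:
        # Cannot be content-scanned at the gateway: hold for analyst review.
        return "hold", findings
    return "allow", findings


def build_zip(entries, encrypted=False):
    """Constructed fixture. zipfile cannot write encrypted entries, so we set
    general-purpose bit 0 in every local and central header after writing;
    the payload bytes do not matter because triage_zip never opens an entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                struct.pack_into("<H", data, i + flag_offset, 0x0001)
                i = data.find(sig, i + 4)
    return bytes(data)


# Constructed attachments, not real samples.
PHISHING_ZIP = build_zip([("Invoice_2024.pdf.exe", b"MZ\x90\x00 not a real PE")], encrypted=True)
ENCRYPTED_DOC_ZIP = build_zip([("contract.docx", b"docx placeholder")], encrypted=True)
PLAIN_PDF_ZIP = build_zip([("report.pdf", b"%PDF-1.4 placeholder")])

if __name__ == "__main__":
    for label, blob in (("phishing", PHISHING_ZIP), ("encrypted doc", ENCRYPTED_DOC_ZIP),
                        ("plain pdf", PLAIN_PDF_ZIP)):
        print(label, triage_zip(blob))
```

ISO and RTF lures need their own parsers, but the same principle applies: decide on container metadata before any user can open the content, and treat "cannot be scanned" as a reason to hold rather than to allow.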
## Indicators of Compromise
- File Hashes: N/A (the source includes a figure showing hashes, but the text does not list them).
- File Names: N/A (Common names are not specified beyond the general detection name).
- Registry Keys: N/A (Specific keys are not detailed, only the activity of altering boot configurations).
- Network Indicators:
- Exfiltration via FTP, HTTP, email, or Telegram bots (the source gives no concrete hosts or addresses, so no defanged examples can be listed).
- Early variants used Discord to host payloads.
- Behavioral Indicators:
- Attempting to terminate security/analysis processes.
- Modifying Windows boot settings.
- Accessing stored credentials from common applications.
## Associated Threat Actors
The article suggests its use is widespread due to its MaaS model, making it accessible to many actors. It became a recommended successor to Agent Tesla in certain underground Telegram channels.
## Detection Methods
- **Signature-based detection:** Detected by ESET products primarily as `MSIL/Spy.Agent.AES`; the `MSIL/` prefix denotes a .NET assembly.
- **Behavioral detection:** Alert on the combination of behaviours the source describes rather than on any one in isolation: a process that terminates security or analysis tools, checks for a virtual environment, establishes autostart persistence, harvests stored credentials, and opens FTP, SMTP, HTTP or Telegram channels shortly after a document or archive attachment was opened.
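Each of those behaviours on its own is also produced by benign software (installers write Run keys, mail clients speak SMTP), so a usable detection correlates several of them per process. The following added example, which is not part of the ESET report, does that over constructed Sysmon-style events (Event IDs 1, 3 and 13) and attributes child-process actions such as `taskkill` back to the parent. The security-tool list, the `netsh wlan ... key=clear` Wi-Fi-dump signal, and the threshold of two distinct signals are assumptions; the sample events are constructed, not real telemetry.

```python
"""Correlate Sysmon-style events into a SnakeStealer-like behavioural alert.

One signal (a Run-key write, an SMTP connection) is common in benign software;
the stealer is recognisable by several of them coming from the same process.
"""
from collections import defaultdict

# Illustrative names of analysis/security tools a stealer might try to kill (assumed list).
SECURITY_TOOLS = {"procmon.exe", "procexp.exe", "processhacker.exe", "wireshark.exe",
                  "x64dbg.exe", "fiddler.exe", "taskmgr.exe"}
EXFIL_HOSTS = {"api.telegram.org"}   # Telegram bot API
EXFIL_PORTS = {21, 25, 465, 587}     # FTP and SMTP / submission


def classify(ev):
    """Map one event to (process GUID the behaviour is attributed to, signal), or None."""
    eid = ev["EventID"]
    if eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
        # Registry SetValue on a Run key (T1547.001), attributed to the writing process.
        return ev["ProcessGuid"], "run_key_persistence"
    if eid == 1:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["CommandLine"].lower()
        if image == "taskkill.exe" and any(tool in cmd for tool in SECURITY_TOOLS):
            # The parent spawned taskkill against a security tool (T1562.001).
            return ev["ParentProcessGuid"], "kills_security_tool"
        if image == "netsh.exe" and "wlan" in cmd and "key=clear" in cmd:
            # Dumping saved Wi-Fi passphrases via netsh (assumed collection method).
            return ev["ParentProcessGuid"], "wifi_credential_dump"
    if eid == 3 and (ev.get("DestinationHostname", "").lower() in EXFIL_HOSTS
                     or ev["DestinationPort"] in EXFIL_PORTS):
        return ev["ProcessGuid"], "exfil_channel"
    return None


def correlate(events, threshold=2):
    """Return {process GUID: sorted signals} for processes with >= threshold distinct signals."""
    signals = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            guid, signal = hit
            signals[guid].add(signal)
    return {guid: sorted(s) for guid, s in signals.items() if len(s) >= threshold}


# Constructed sample events (not real telemetry). {S} is the stealer, {B} a benign
# installer that only registers an autostart entry, {M} a mail client using SMTP.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessGuid": "{S}",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\Updater.exe"},
    {"EventID": 1, "ProcessGuid": "{K}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM procmon.exe"},
    {"EventID": 1, "ProcessGuid": "{N}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="Office" key=clear'},
    {"EventID": 3, "ProcessGuid": "{S}",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 13, "ProcessGuid": "{B}",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 3, "ProcessGuid": "{M}",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for guid, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {guid}: {', '.join(sigs)}")
```

With the default threshold only `{S}` is reported; the installer and the mail client each produce a single signal and stay below it. In production the same logic runs as a windowed query in the SIEM, keyed on host and process GUID.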
## Mitigation Strategies
- **Attachment/Link Vigilance:** Maintain skepticism towards unsolicited messages, especially attachments and links from unknown senders, verifying legitimacy through secondary channels.
- **Patch Management:** Keep the operating system and all applications updated to remediate known vulnerabilities.
- **Multi-Factor Authentication (MFA):** Enable MFA universally to prevent unauthorized logins even if passwords are stolen.
- **Incident Response:** If compromise is suspected, change all passwords immediately from a clean device (the malware logs keystrokes, so never from the suspect machine), revoke open sessions, and monitor accounts; because cryptocurrency data is a target, treat any wallet whose keys or seed were stored on the host as exposed.
- **Security Software:** Deploy reputable security software on all endpoints (desktop and mobile).
## Related Tools/Techniques
- Agent Tesla (Decline in developer support led to SnakeStealer being positioned as its successor)
- Lumma Stealer
- FormBook
- HoudRAT