SSH-Snake: How "Secure" SSH exposes all your Private Keys

SSH-Snake shows a new level of infection in corporate networks.

Researchers at the information security company Sysdig discovered a new malicious tool called SSH-Snake, which hunts for private keys and moves unnoticed through the victim's infrastructure, making it far more dangerous than traditional SSH-based worms.

SSH-Snake, described as a "self-modifying worm", differs from regular SSH worms in that it avoids common behavior patterns associated with scripted attacks, thus providing greater stealth. The virus actively searches for private keys in various places, including shell command history files, and uses them to spread to new systems after network mapping.

SSH-Snake is publicly available as a tool for automated, SSH-based network traversal. However, the Sysdig researchers emphasize that it takes the concept of lateral movement a step further through a far more thorough search for private keys.

SSH-Snake, released on January 4, 2024, is a bash shell script that searches an infected system for SSH credentials on its own and uses them to spread. A distinctive feature of SSH-Snake is its ability to self-modify: on first launch it shrinks itself by stripping comments, unused functions, and whitespace from its code.

The tool is versatile and can be customized for specific operational needs, including strategies for finding private keys and identifying their potential use. SSH-Snake uses various direct and indirect methods to detect private keys on compromised systems.

Sysdig analysts confirmed that SSH-Snake is in active use after finding the Command and Control (C2) server its operators use to store collected data, including credentials, IP addresses, and the victims' shell history. This data indicates that known Confluence vulnerabilities (and possibly others) are being exploited for initial access, after which the worm is deployed on endpoints.

According to the researchers, the tool was used against about 100 victims. Sysdig considers SSH-Snake to be an "evolutionary step" in the field of malware, as it targets a secure connection method widely used in corporate environments.
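A worm that harvests keys and hops from host to host leaves a recognisable trace in centralized sshd logs: one source address authenticating by public key to many distinct hosts, often under several different user names, within minutes. The detector below is an added example written for this post; it is not code from the article, from Sysdig, or from the SSH-Snake project. It assumes logs in the common OpenSSH "Accepted publickey" format prefixed with an ISO timestamp and a syslog host field; the log lines, host names, addresses and the window/threshold values are constructed for illustration.

```python
"""Flag worm-like SSH key fan-out in centralized sshd logs.

Added example for the SSH-Snake post (not the project's or Sysdig's code).
Assumed log format (constructed):
  "<ISO timestamp> <host> sshd[<pid>]: Accepted publickey for <user> from <src> port <n> ..."
"""
import re
from collections import defaultdict
from datetime import datetime

# Only successful public-key logins matter here; password failures and other
# sshd messages are ignored by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log. 10.0.0.5 reaches three hosts as two users in 14 seconds
# (the worm-like pattern); 10.0.0.20 is an admin logging in over several hours.
SAMPLE_LOG = """\
2024-01-05T10:00:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:PLACEHOLDER
2024-01-05T10:00:09 web02 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: ED25519 SHA256:PLACEHOLDER
2024-01-05T10:00:15 db01 sshd[3310]: Accepted publickey for root from 10.0.0.5 port 51251 ssh2: RSA SHA256:PLACEHOLDER
2024-01-05T10:00:31 web02 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
2024-01-05T11:30:00 web01 sshd[2500]: Accepted publickey for alice from 10.0.0.20 port 50001 ssh2: ED25519 SHA256:PLACEHOLDER
2024-01-05T14:30:00 db01 sshd[3400]: Accepted publickey for alice from 10.0.0.20 port 50002 ssh2: ED25519 SHA256:PLACEHOLDER
2024-01-05T16:00:00 web03 sshd[2600]: Accepted publickey for alice from 10.0.0.20 port 50003 ssh2: ED25519 SHA256:PLACEHOLDER
"""


def parse_line(line):
    """Return a dict for an accepted publickey login, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
    }


def find_fanout(lines, window_seconds=300, min_hosts=3):
    """Return {src: {"hosts": [...], "users": [...]}} for every source address that
    logged in by public key to at least `min_hosts` distinct hosts inside some
    `window_seconds`-long span. Thresholds are tuning assumptions, not fixed rules."""
    events = defaultdict(list)  # src -> [(ts, host, user)]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["host"], ev["user"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding time window over this source's logins, oldest to newest.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            hosts = {h for _, h, _ in window}
            if len(hosts) >= min_hosts:
                alerts[src] = {
                    "hosts": sorted(hosts),
                    "users": sorted({u for _, _, u in window}),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in find_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"fan-out from {src}: hosts={info['hosts']} users={info['users']}")
```

With the defaults only 10.0.0.5 is reported; the admin's three logins over six hours stay below the window. Widening the window to a full shift surfaces the admin too, which is the usual trade-off with this kind of heuristic, so pair it with an allow-list of jump hosts or with a second signal such as logins using several unrelated users' keys from one address.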