Researchers Discover Key-Stealing SSH-Snake Malware—Goes Undetected, Spreads Infections to New Systems

Sysdig describes the threat as a "self-modifying worm."

A recent discovery by the Sysdig Threat Research Team (TRT) has unveiled a concerning development in the realm of cybersecurity: SSH-Snake. This open-source network mapping tool, described as a "self-modifying worm," poses a huge threat to the integrity of network infrastructure by stealthily seeking out private keys and moving laterally across victim systems.

Distinct Characteristics of SSH-Snake

Unlike conventional SSH worms, SSH-Snake operates with a level of sophistication that sets it apart from scripted attacks. It employs a unique approach to traverse networks, evading detection by avoiding typical attack patterns associated with such exploits.

How SSH-Snake Operates

SSH-Snake, released on January 4, 2024, functions as a bash shell script, autonomously scouring compromised systems for SSH credentials. Once obtained, these credentials are leveraged to propagate the worm throughout the network, establishing connections between interconnected hosts via SSH.

"By avoiding the easily detectable patterns associated with scripted attacks, this new tool provides greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being more efficient and successful," Sysdig says.

Adaptive Capabilities of this New Worm

A notable feature of SSH-Snake is its ability to adapt and optimize its code during execution, reducing its footprint and enhancing its stealth capabilities. By eliminating unnecessary elements such as comments and whitespace, SSH-Snake ensures efficient operation while minimizing the risk of detection.

Exploring Private Key Discovery Methods

SSH-Snake employs a range of techniques to uncover private keys on compromised systems, as Bleeping Computer writes.

  • File and Directory Search: The worm scans common directories and files where SSH keys are typically stored, including .ssh directories and configuration files.
  • Shell History Analysis: By examining shell history files, SSH-Snake identifies commands related to SSH operations, providing insights into potential key usage.
  • Parsing Bash History: Utilizing the 'find_from_bash_history' feature, SSH-Snake parses bash history files to uncover direct references to private keys and associated credentials.
  • System Log Examination: SSH-Snake scrutinizes system logs and network cache data to gather information that may indirectly lead to the discovery of private keys.

Operational Status and Impact

Sysdig's analysts have confirmed SSH-Snake's operational status following the discovery of a command and control (C2) server utilized by its operators. The data harvested by SSH-Snake includes credentials and victim IP addresses, indicating active exploitation of known vulnerabilities, such as those found in Confluence.

With SSH-Snake targeting a widely used and secure connection method prevalent in corporate environments, the cybersecurity industry faces new challenges.

SSH-Snake is aggressively viewed by the experts since it's been abused multiple times. It's been used on around 100 entities.

Meanwhile, Schneider Electric reportedly suffered from a ransomware attack. The Cactus ransomware gang was behind the incident after hackers claimed that they stole 1.5 TB of data. If the ransom demand will not be paid, they threatened to leak the confidential data online.


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Tags:Malware
Join the Discussion
Real Time Analytics