Warning: SSH-Snake’s Stealthy Network Invasion

Security researchers at Sysdig have reported on SSH-Snake, a self-propagating tool that hunts for SSH private keys on a compromised host and uses them to move laterally through a victim's infrastructure, which makes it considerably more dangerous than conventional SSH worms.

Described as "a self-propagating, self-replicating, file-less script," SSH-Snake differs from typical SSH worms in that it avoids the behavioural patterns commonly associated with scripted attacks, making it harder to detect. The script actively searches for private keys in a range of locations, including shell command history files, and uses them, together with the hosts it discovers on each system it reaches, to spread to new machines.

SSH-Snake is publicly available as a tool for automated network traversal over SSH. Sysdig researchers note, however, that it refines the concept of lateral movement by searching far more thoroughly for private keys than earlier tools did.

Released on January 4, 2024, SSH-Snake is a bash script that autonomously hunts for SSH credentials on an infected system and uses them to propagate. A distinctive feature is that it modifies itself on first execution, shrinking its own size by stripping comments, unused functions, and whitespace from its code.

The tool is versatile and can be customised to an operator's needs, including the strategy used to search for private keys and to work out where each discovered key can be used. SSH-Snake employs a range of direct and indirect methods to locate private keys on compromised systems.
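The practical question for a defender is how much of this material a tool like SSH-Snake would find on a given host. The following script is an added example, not Sysdig's analysis code and not SSH-Snake itself: it audits a home directory for the exposure the article describes, pulling `-i` key paths and targets out of shell history, reading plaintext hosts from `known_hosts`, and finding private-key files by content rather than filename. The article names shell history as one search location; treating `~/.ssh` and `known_hosts` as the other obvious ones is this example's assumption. All sample data (history lines, key files, `known_hosts` entries) is constructed inline, and the "key" files contain only a PEM header, no real key material.

```python
"""Audit a home directory for the SSH credential exposure a worm could harvest.
Added example: not Sysdig's or SSH-Snake's code. All sample data is constructed."""
import os
import re
import shlex
import shutil
import tempfile
from pathlib import Path

# Match on content, not filename, so keys copied into backups or notes are found.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

# ssh/scp/sftp flags that consume the next argument (so it is not a target).
ARG_FLAGS = {"-p", "-P", "-l", "-o", "-F", "-J", "-L", "-R", "-D", "-W",
             "-S", "-b", "-c", "-E", "-e", "-m", "-O", "-w", "-Q", "-B"}


def keys_from_history(lines):
    """Return (key_path, target) pairs from ssh/scp/sftp commands that used -i."""
    found = []
    for line in lines:
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes in history: skip the line
            continue
        if not argv or argv[0] not in ("ssh", "scp", "sftp"):
            continue
        key, targets, i = None, [], 1
        while i < len(argv):
            arg = argv[i]
            if arg == "-i" and i + 1 < len(argv):
                key, i = argv[i + 1], i + 2
            elif arg.startswith("-i") and len(arg) > 2:   # "-i/path" form
                key, i = arg[2:], i + 1
            elif arg in ARG_FLAGS:
                i += 2
            elif arg.startswith("-"):
                i += 1
            else:
                targets.append(arg)
                i += 1
        if key:
            # Prefer a user@host token; for scp, drop the remote path after ':'.
            host = next((t for t in targets if "@" in t or ":" in t),
                        targets[0] if targets else None)
            found.append((key, host.split(":", 1)[0] if host else None))
    return found


def hosts_from_known_hosts(lines):
    """Return plaintext hosts; hashed (|1|...) entries and wildcard patterns are unusable."""
    hosts = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith("|1|"):
            continue
        hosts.extend(h for h in fields[0].split(",") if "*" not in h and "?" not in h)
    return hosts


def find_private_keys(root):
    """Walk root and return (sorted, root-relative) paths that start with a key header."""
    root, hits = Path(root), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                head = path.open("rb").read(64)
            except OSError:
                continue
            if PRIVATE_KEY_HEADER.match(head):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def audit(home):
    """Combine the three views into one exposure report for a home directory."""
    home = Path(home)
    hist = home / ".bash_history"
    known = home / ".ssh" / "known_hosts"
    return {
        "key_files": find_private_keys(home),
        "history_keys": keys_from_history(hist.read_text().splitlines() if hist.exists() else []),
        "known_hosts": hosts_from_known_hosts(known.read_text().splitlines() if known.exists() else []),
    }


def build_demo_home():
    """Constructed sample home directory (headers only, no real key material)."""
    home = Path(tempfile.mkdtemp(prefix="sshaudit_"))
    (home / ".ssh").mkdir()
    (home / "backup").mkdir()
    (home / ".ssh" / "id_ed25519").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "id_ed25519.pub").write_bytes(b"ssh-ed25519 AAAAC3 dev@box\n")
    (home / "backup" / "old_deploy.pem").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    (home / ".ssh" / "known_hosts").write_text(
        "build01,10.0.0.7 ssh-ed25519 AAAAC3\n"
        "|1|abc=|def= ssh-ed25519 AAAAC3\n"               # hashed: HashKnownHosts yes
        "@cert-authority *.corp.example ssh-rsa AAAAB3\n")
    (home / ".bash_history").write_text(
        "ls -la\n"
        "ssh -i ~/.ssh/id_ed25519 deploy@10.0.0.5\n"
        "scp -P 2222 -i /home/dev/backup/old_deploy.pem dump.sql ops@db01.corp.example:/tmp/\n"
        "ssh -p 2222 admin@jump.corp.example\n"
        "echo 'unterminated\n")
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    for section, items in audit(demo).items():
        print(section, items)
    shutil.rmtree(demo)
```

Two things the report makes visible: a hashed `known_hosts` (`HashKnownHosts yes` in `ssh_config`) gives an attacker no host list, while the plaintext form hands over the next hop for free; and `-i` paths in shell history pair each key with the host it was used against, which is exactly the mapping a worm needs. Clearing history does not remove the key, so the key files list is the one to act on.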

Sysdig analysts confirmed that SSH-Snake is being used in real attacks after identifying a command-and-control (C2) server on which its operators store harvested data, including credentials, IP addresses, and victims' shell histories. That data points to active exploitation of known vulnerabilities in Confluence (and possibly other software) for initial access, after which SSH-Snake is deployed on the compromised hosts.

According to the researchers, the tool has been used against roughly 100 victims. Sysdig regards SSH-Snake as an "evolutionary step" for malware because it targets a secure connection method that is ubiquitous in corporate environments.