FortiEDR
mrobson
Staff
Article Id 258038

Introduction

Earlier this month CISA, the FBI, the NCSC (National Cyber Security Centre) and the ASD (Australian Signals Directorate) released a joint advisory[1] describing ‘Snake’, a backdoor malware family that the FSB has employed effectively over the last 20 years. The malware has been used as part of Russia’s cyber operations in targeted attacks across the globe.

 

The malware implements various techniques to obfuscate its activity and evade detection on a victim endpoint: it masquerades one of its components as ‘WerFault.exe’, it loads a driver to hide much of its operation from the OS, and it employs unique characteristics per deployment to limit the effectiveness of detections shared between victims. In addition, Snake uses a non-standard network protocol and encryption method.

 

The joint advisory[1] contains technical details on the malware’s features. The purpose of this article is to identify how FortiEDR would detect and mitigate the installation of a Snake loader, and to provide threat hunting queries that can be used to identify the indicators provided in the joint advisory. As a new sample of Snake could not be sourced, this article uses a publicly available sample from several years ago that employs techniques similar to those outlined in the joint advisory. In addition to the analysis of that sample, further FortiEDR Threat Hunting queries have been developed to detect the new indicators outlined in the joint advisory.

 

Analysis

The sample analyzed in this article was obtained from VirusTotal and was first observed in 2018 (https://www.virustotal.com/gui/file/fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9...). This older sample was identified by Florian Roth (Nextron Systems)[2] using a YARA rule based on a Volatility plugin written by Matt Suiche (Magnet Forensics)[3] from information provided in the joint advisory. Whilst this sample is likely an older version of Snake, many of the techniques it implements match those described in the joint advisory. The following diagram outlines the behavior associated with execution of the analyzed sample.

[Figure 1. Diagram of the behavior associated with execution of the analyzed Snake sample.]

As outlined above, the analyzed sample performs multiple functions with the end goal of loading the main Snake implant, a driver executed as a service. The related FortiEDR events and Threat Hunting telemetry are shown below. On execution the sample (out2.exe) is flagged as malicious and generates a ‘File Write Attempt’ event as it attempts to write the file ‘C:\Windows\{<GUID>}\_vbxinsi.exe’. FortiEDR incorporates FortiGuard Threat Intelligence in its pre-execution policy, which allows executables with known hashes such as this one to be detected. An example of the FortiEDR event generated by this behavior is shown below in Figure 2. This behavior is blocked by FortiEDR when the policy is in ‘Prevention’ mode.

 


Figure 2. FortiEDR ‘File Write Attempt’ event triggered by the ‘Malicious File Detected’ rule in the Execution Prevention security policy as the Snake loader writes a PNG Dropper executable.

 

The file written (‘_vbxinsi.exe’) is a copy of the well-known Turla malware dubbed ‘PNG_dropper’. This malware masquerades as legitimate JPEG viewer software; its operation is described in detail in a blog post from VMware Carbon Black[4] and is outside the scope of this article. The main executable (out2.exe) then executes the PNG_dropper malware, which decodes a number of internal resources and executes the next stage of the infection. The decoded second-stage code from within PNG_dropper is loaded back into the main executable process, so subsequent behavior maps back to the original ‘out2.exe’ process. This second stage creates a number of files in the victim’s temp directory (\Users\<victim_user>\AppData\Local\Temp). The files are named so that loading a vulnerable VirtualBox driver looks like legitimate VirtualBox activity. The files themselves are not malicious, but their creation is visible in FortiEDR Threat Hunting data, as shown below in Figure 3.

 


Figure 3. FortiEDR File Creation events related to execution of the Snake loader. Note the creation of the ‘vboxdrv.sys’ and ‘vboxdrv.inf’ files in the temp directory.

 

Once these files have been written, the main Snake loader process (out2.exe) calls the InstallHinfSection export of SETUPAPI.dll via rundll32.exe, passing the previously written ‘vboxdrv.inf’ file as an argument. An INF file contains the setup information, i.e. the instructions for how the OS should install a driver[5]. InstallHinfSection installs the vulnerable VirtualBox driver (vboxdrv.sys); as part of the installation a copy of the vulnerable driver (SET7150.TMP) is staged in the standard Windows driver directory (C:\Windows\system32\drivers). The FortiEDR Threat Hunting process creation events associated with this behavior can be observed in Figure 4 below, and the corresponding file creation event above in Figure 3.

 


Figure 4. FortiEDR Threat Hunting events highlight ‘Process Creation’ events related to Snake loader behavior.

 

This signed-but-vulnerable VirtualBox driver is used to bypass Windows Driver Signature Enforcement (DSE), which only allows signed drivers to be loaded (Kernel Patch Protection, PatchGuard, is a separate control that guards kernel code and data structures; the loader’s objective here is to get an unsigned driver loaded). Exploiting the vulnerable driver lets the loader modify kernel memory directly, which is used to disable the signature check so that the unsigned Snake driver can be loaded. Despite it being possible to bypass this protection, it still provides value, because the small set of vulnerable signed drivers becomes a ‘bottleneck’ for detection. Figure 5 below shows a simple Threat Hunting query that can be used to detect loading of this vulnerable driver. Note that this driver is flagged as a PUP (Potentially Unwanted Program).

 


Figure 5. FortiEDR Threat Hunting telemetry identifies a Driver Loaded event related to loading of the vulnerable VirtualBox driver employed as part of the analyzed Snake infection.

 

Once the vulnerable driver is loaded, the main Snake loader writes the final Snake driver payload to disk at ‘C:\Windows\{<GUID>}\rpcep.sys’. This driver is a known unsigned driver (https://www.virustotal.com/gui/file/eb498494c6b8377b0c72cce8023882bcd56c9e26b49ad15dc512d8446ae12e87...), and its file creation event is detected in FortiEDR Threat Hunting telemetry, as seen in Figure 3. Once the file is written, the main Snake loader creates a new service for this final Snake driver payload. The creation of this service can be observed through the associated registry activity available in FortiEDR Threat Hunting events, as shown below in Figure 6.

 


Figure 6. FortiEDR Threat Hunting telemetry related to the creation of the ‘RpcEndPoint’ service that executes the final Snake payload driver (rpcep.sys).

 

From the above telemetry we can see that the service was created with the name ‘RpcEndPoint’, an ImagePath of ‘C:\Windows\{<GUID>}\rpcep.sys’ and DeleteFlag set to 1. The name is likely chosen to make the service appear benign, as RPC (Remote Procedure Call) is a legitimate part of the OS’s operation. A DeleteFlag value of 1 is written by the Service Control Manager when a service has been marked for deletion (for example through DeleteService); the service entry is then removed once the service has stopped and all handles to it are closed. This is likely intended to hide evidence of the driver after it has been successfully loaded.

 

This service creation behavior is detected as a ‘Service Access’ attempt by FortiEDR’s Execution Prevention security policy. An example of this event is shown below in Figure 7. The FortiEDR event graph highlights the relationship between the main Snake loader (out2.exe) and PNG_dropper (_vbxinsi.exe). We can see that the main Snake loader has accessed the memory space of the child PNG_dropper process, which matches the expected behavior, as the PNG_dropper process contains the encoded second-stage loader that creates the final Snake service (RpcEndPoint).

 


Figure 7. FortiEDR security event related to the creation of the 'RpcEndPoint' service that will execute the final Snake driver payload.
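The loader chain described above (the INF installation through rundll32 shown in Figure 4, the vulnerable signed driver load in Figure 5, and the driver service created in a GUID-named directory and marked for deletion in Figure 6) can also be expressed as correlation logic outside the FortiEDR console. The following is an added example, not FortiEDR code and not the article’s own query syntax: it runs three checks over constructed telemetry records. The field names (Type, CommandLine, SHA1, Path, RegistryPath, Data) are simplified assumptions rather than the real FortiEDR schema, the rundll32 command line and the GUID are constructed, and the vulnerable-driver hash is the one listed in the Atomic IOCs at the end of the article.

```python
"""Added example (not FortiEDR code): correlation logic for the Snake loader
chain described above, run over constructed telemetry records shaped loosely
like FortiEDR Threat Hunting events. The field names Type, CommandLine, SHA1,
Path, RegistryPath and Data are simplified assumptions, not the real schema."""
import re
from collections import defaultdict

# SHA1 of the vulnerable vboxdrv.sys from the Atomic IOC table. A deployment
# would load this set from threat intelligence on signed-but-exploitable drivers.
VULNERABLE_DRIVER_SHA1 = {"7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c"}

# rundll32 invoking setupapi's InstallHinfSection with an INF under a user's
# AppData\Local\Temp directory (drivers are not normally installed from there).
RUNDLL32_INF_RE = re.compile(
    r"rundll32(?:\.exe)?\s+setupapi(?:\.dll)?\s*,\s*InstallHinfSection\b.*?"
    r'(?P<inf>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s"]+\.inf)',
    re.IGNORECASE,
)
# HKLM\SYSTEM\<control set>\Services\<name>\ImagePath or DeleteFlag
SERVICES_VALUE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<svc>[^\\]+)\\(?P<value>ImagePath|DeleteFlag)$",
    re.IGNORECASE,
)
# A driver image inside C:\Windows\{GUID}\, the location observed for rpcep.sys.
GUID_DIR_IMAGEPATH_RE = re.compile(
    r"^(?:\\\?\?\\)?[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"\\[^\\]+\.sys$",
    re.IGNORECASE,
)


def scan(events):
    """Return (rule, detail) findings for a sequence of event dicts."""
    findings = []
    services = defaultdict(dict)  # service name -> {value name: data}
    for ev in events:
        etype = ev.get("Type")
        if etype == "Process Creation":
            m = RUNDLL32_INF_RE.search(ev.get("CommandLine", ""))
            if m:
                findings.append(("inf_install_from_temp", m.group("inf")))
        elif etype == "Driver Loaded":
            if ev.get("SHA1", "").lower() in VULNERABLE_DRIVER_SHA1:
                findings.append(("vulnerable_driver_loaded", ev.get("Path", "")))
        elif etype == "Value Created":
            m = SERVICES_VALUE_RE.match(ev.get("RegistryPath", ""))
            if m:
                services[m.group("svc")][m.group("value").lower()] = ev.get("Data")
    # Service checks run after all events are seen so ImagePath and DeleteFlag,
    # written as separate registry events, are judged together. They key on the
    # image location and the deletion mark, not on the name 'RpcEndPoint'.
    for svc, values in services.items():
        image = str(values.get("imagepath", ""))
        if GUID_DIR_IMAGEPATH_RE.match(image):
            findings.append(("service_image_in_guid_dir", f"{svc}: {image}"))
        if str(values.get("deleteflag", "0")) == "1" and image.lower().endswith(".sys"):
            findings.append(("driver_service_marked_for_deletion", svc))
    return findings


# Constructed records mirroring Figures 3 to 6. The command line follows the
# documented InstallHinfSection form "<section> <flags> <inf path>"; the GUID
# and the user name are made up.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Process": "out2.exe",
     "CommandLine": r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 "
                    r"C:\Users\victim\AppData\Local\Temp\vboxdrv.inf"},
    {"Type": "Driver Loaded", "Path": r"C:\Windows\System32\drivers\SET7150.TMP",
     "SHA1": "7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C"},
    {"Type": "Value Created",
     "RegistryPath": r"HKLM\SYSTEM\ControlSet001\Services\RpcEndPoint\ImagePath",
     "Data": r"C:\Windows\{1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6}\rpcep.sys"},
    {"Type": "Value Created",
     "RegistryPath": r"HKLM\SYSTEM\ControlSet001\Services\RpcEndPoint\DeleteFlag",
     "Data": 1},
    # Benign noise: a driver service registered in the normal drivers directory.
    {"Type": "Value Created",
     "RegistryPath": r"HKLM\SYSTEM\ControlSet001\Services\vboxdrv\ImagePath",
     "Data": r"\SystemRoot\System32\drivers\vboxdrv.sys"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The service checks are deliberately name-agnostic: they fire on an ImagePath under C:\Windows\{GUID}\ and on a driver service carrying DeleteFlag, not on the string ‘RpcEndPoint’, because the service name is the one part of this chain that has changed between Turla campaigns. The benign vboxdrv entry shows that a legitimate driver service in the normal drivers directory produces no finding.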

 

Further analysis of the dropped Snake driver (rpcep.sys) was not pursued, given the age of the sample and the effort of emulating its C2 relative to the threat intelligence gain. For an in-depth analysis and breakdown of the architecture of more recent Snake samples, refer to the joint advisory.

 

Conclusion

As highlighted above, FortiEDR is able to detect and mitigate the key behaviors associated with loading a previously observed Snake sample. Many of these techniques have been carried over into more recent Snake intrusions, but recent samples are not readily available for testing. Threat Hunting queries derived from high-confidence indicators in the joint advisory are included in the section below, as are queries derived from the behavior observed during analysis of the above sample. These queries should be adapted as new indicators become available and tuned for a specific environment before being operationally deployed.

 

Threat Hunting

The following query will identify FortiEDR Threat Hunting ‘Driver Loaded’ events related to the loading of the vulnerable VirtualBox driver employed in the analyzed Snake sample. Note that this driver is exploited by various other threat actors, so whilst a detection likely indicates an incident that should be investigated, it may not be Snake. Also note that this TTP (loading a vulnerable signed driver to bypass driver signature enforcement) was present in older versions of the Snake loader; newer versions may not use it, or may employ a different driver.

Type:"Driver Loaded" AND Target.Executable.File.SHA1:"7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C"

 

The following query will identify FortiEDR Threat Hunting events related to the creation of an anomalous service called ‘WerFaultSvc’, matching indicators from the joint advisory. Note that this behavior was not observed in the above analysis.

Type:"Key Created" AND Registry.Path: ("HKLM\\SYSTEM\\ControlSet001\\Services\\*") AND Registry.Path: ("WerFaultSvc")

 

The following query will identify FortiEDR Threat Hunting events related to the creation of an anomalous service called ‘RpcEndPoint’, which matches behavior observed in analysis of the above sample. Note that prior public reporting, as well as the joint advisory, shows that the service name associated with a Snake infection changes between Turla campaigns. Organizations should implement and regularly tune broader queries around anomalous service creation events to remain effective against threats like Snake.

Type:"Key Created" AND Registry.Path: ("HKLM\\SYSTEM\\ControlSet001\\Services\\*") AND Registry.Path: ("RpcEndPoint")

 

The following query will identify FortiEDR Threat Hunting events related to the creation and access of the Windows registry blob used to store components of the Snake implant (HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds). Note that the presence of this registry key itself is not anomalous; its content being a large encrypted blob is, and should be investigated. This behavior was not observed in the above analysis and was adapted from the joint advisory.

(Type:"Value Read" OR Type:"Value Created" OR Type:"Key Created") AND Registry.Path: ("HKLM\\SOFTWARE\\Classes\\.wav\\OpenWithProgids")
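Because the OpenWithProgIds key is legitimately present on Windows hosts, a hit on the query above needs a second test on the value data before it is escalated. The following is an added example (not FortiEDR code and not the advisory’s own logic) of that test: Shannon entropy combined with a size threshold, run over constructed registry values. The thresholds, the value names, and the hash-chain blob generator are assumptions made for illustration; the generator only reproduces the statistical signature of encrypted data, not Snake’s format.

```python
"""Added example (not FortiEDR code or advisory content): triage of the
OpenWithProgIds key's contents. The key itself is legitimate (it lists the
ProgIds that can open .wav files, normally as value names with empty data),
so the decision is made on the value data: a large, high-entropy value is the
anomaly. Thresholds and sample values below are constructed assumptions."""
import hashlib
import math

SIZE_THRESHOLD = 1024    # bytes; assumed: real ProgId entries carry no data
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed: encrypted/compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data: 0.0 for empty or single-symbol input, 8.0 for
    a uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_value(name: str, data: bytes) -> dict:
    """Size and entropy must both be high: a short random-looking value (a
    CLSID, a hash) and a large but low-entropy value (padding) are both benign."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 2),
        "suspicious": len(data) >= SIZE_THRESHOLD and ent >= ENTROPY_THRESHOLD,
    }


def triage_key(values: dict) -> list:
    """Return the names of values under the key that look like stored blobs."""
    return [name for name, data in values.items()
            if classify_value(name, data)["suspicious"]]


def constructed_blob(length: int, seed: bytes = b"constructed-example") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain. It is not
    Snake's format; it only reproduces the near-8-bits/byte signature that a
    real encrypted blob would show."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed contents of HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds:
# two ordinary ProgId entries (empty data, as Windows writes them), two
# benign edge cases, and one implant-style blob under an arbitrary name.
SAMPLE_KEY = {
    "WMP11.AssocFile.WAV": b"",
    "VLC.wav": b"",
    "short_random": constructed_blob(32),   # high entropy but tiny
    "large_padding": b"\x00" * 4096,        # large but zero entropy
    "blob": constructed_blob(4096),         # large and high entropy
}

if __name__ == "__main__":
    for name, data in SAMPLE_KEY.items():
        print(classify_value(name, data))
    print("flagged:", triage_key(SAMPLE_KEY))
```

Only ‘blob’ is flagged: the 32-byte value cannot exceed 5 bits/byte no matter how random it is, and the 4 KiB of zero padding has no entropy at all, which is why both thresholds are required rather than either alone. In practice the value data would come from an exported .reg file or from the registry telemetry of the EDR event that triggered the query.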

 

The following query will identify FortiEDR Threat Hunting events related to the creation and writing of the ‘comadmin.dat’ file identified in the Joint advisory. This file is reported to store the final Snake driver and loader dll in newer iterations of Snake. Note that this behavior was not observed in the above analysis and has been adapted from the advisory.

(Type:"File Create" OR Type:"File Write") AND Target.File.Path:"Windows\\System32\\Com" AND Target.File.Name: ("comadmin.dat")

 

The following query will identify FortiEDR Threat Hunting events related to the creation and writing of the ‘queue log’ file identified in the joint advisory. This file is reported to act as an intermediate file between components of Snake in newer iterations of the malware. Note that this behavior was not observed in the above analysis and has been adapted from the advisory. There may be false positives from legitimate crmlog file operations at this path; if detected, evidence of other indicators should be sought to validate a Snake infection.

(Type:"File Create" OR Type:"File Write") AND Target.File.Path:"Windows\\Registration" AND Target.File.Ext:"crmlog"

 

The following query will identify FortiEDR Threat Hunting events related to the creation, writing and access of the Windows registry store in the ‘HKLM\SECURITY\Policy\Secrets\n’ key. This key is used for storing an encryption key for Snake C2. Note that this behavior was not observed in the above analysis and has been adapted from the advisory.

(Type:"Value Read" OR Type:"Value Created" OR Type:"Key Created") AND Registry.Path: ("HKLM\\SECURITY\\Policy\\Secrets\\n")

 

The following query will identify FortiEDR Threat Hunting ‘Process Creation’ events for files matching known names (‘jpinst.exe’ and ‘jpsetup.exe’) of Snake loaders. Note it is almost certain that Turla will change the executable name in future Snake campaigns if it continues to be employed so this query will need to be updated as new threat intelligence becomes available. This behavior was not observed in the above analysis and was adapted from the Joint advisory.

Type:"Process Creation" AND Target.Process.Name:("jpinst.exe" OR "jpsetup.exe")

 

MITRE ATT&CK

TA0002 – Execution

Technique ID: T1569.002
Technique: System Services: Service Execution
Observed Activity: The Snake sample analyzed in this article used service execution to load the final Snake driver payload. The service was called ‘RpcEndPoint’ and was created via services.exe. The ImagePath for the service was ‘C:\Windows\{<Random_GUID>}\rpcep.sys’.

 

TA0004 – Privilege Escalation

Technique ID: T1546.016
Technique: Event Triggered Execution: Installer Packages
Observed Activity: The Snake sample analyzed in this article uses an INF file, processed by SETUPAPI.dll through rundll32.exe, to install a vulnerable version of the VirtualBox driver (vboxdrv.sys). The rundll32 process is called directly by the main loader process (out2.exe in our analysis), and the INF file is written to the ‘\Users\<victim_user>\AppData\Local\Temp’ directory.

 

TA0005 – Defense Evasion

Technique ID: T1211
Technique: Exploitation for Defense Evasion
Observed Activity: Snake employs a vulnerable version of the VirtualBox driver ‘vboxdrv.sys’, which is exploited to bypass driver signature enforcement so that the unsigned Snake driver can be loaded. Windows requires that all drivers it loads are signed with a valid signature and are present on disk. The driver used by the Snake sample analyzed in this article was written to ‘\Users\<victim_user>\AppData\Local\Temp’.

Technique ID: T1036.005
Technique: Masquerading: Match Legitimate Name or Location
Observed Activity: The analyzed Snake loader uses PNG_dropper, which masquerades as a legitimate image tool called JPEG Viewer; it copies the icon and much of the internal code of the legitimate tool.
The second-stage loader drops and executes an INF file called ‘vboxdrv.inf’ designed to look like a legitimate component of a VirtualBox install.
The final Snake driver is called rpcep.sys and is loaded as a service called ‘RpcEndPoint’, likely named to look benign amongst other RPC-related services.

Technique ID: T1070.004
Technique: Indicator Removal: File Deletion
Observed Activity: Following successful execution of the final Snake driver payload (rpcep.sys) as a service, the driver is deleted. This is likely to prevent the driver file from being collected and analyzed.

Technique ID: T1027.009
Technique: Obfuscated Files or Information: Embedded Payloads
Observed Activity: The analyzed Snake loader includes multiple stages of embedded payloads. The first stage drops a version of PNG_dropper, which extracts a second-stage payload that is then executed in the context of the main process. This second stage contains an embedded VirtualBox driver, an INF file with the information needed to load the vulnerable driver, and the final Snake driver payload, which is eventually written to disk. The second-stage payload is embedded within multiple PNG resources attached to the PNG_dropper malware, as described in previous reporting[6].

 

Note. Additional MITRE ATT&CK techniques have been identified in the Joint Advisory but these have not been directly observed during the above analysis and lack actionable observables. Because of this, these have not been included in this article.

 

Atomic IOCs

Indicator Description: Main Snake Loader Executable
Indicator: 44129dfc41cb2b953398711ebceec0d15c3d6a6e
Indicator Type: SHA1 Hash
Associated Tactic: Installation
Notes: This is the main Snake executable sample analyzed in this article. Note the first observed date.
First Observed: 2018-02-28

Indicator Description: Vulnerable VirtualBox driver
Indicator: 7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
Indicator Type: SHA1 Hash
Associated Tactic: Installation
Notes: This vulnerable, validly signed VirtualBox driver is dropped and exploited by the Snake sample to bypass driver signature enforcement.
First Observed: 2017-09-15

Indicator Description: PNG Dropper executable
Indicator: 80b9010e312b040f77bbe604320645a4fa3e0ad8
Indicator Type: SHA1 Hash
Associated Tactic: Installation
Notes: Turla PNG Dropper malware dropped by the main loader.
First Observed: 2017-09-15

Indicator Description: Snake driver
Indicator: cdd6d00f809eae058b3c84340754015f942814b5
Indicator Type: SHA1 Hash
Associated Tactic: Command and Control
Notes: Main Snake driver, loaded through exploitation of the VirtualBox driver.
First Observed: 2023-04-16

 

 

 

 

[1] https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf

[2] https://twitter.com/cyb3rops/status/1657343102514782208

[3] https://twitter.com/msuiche/status/1656082701223620608

[4] https://blogs.vmware.com/security/2017/08/threat-analysis-carbon-black-threat-research-dissects-png-...

[5] https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files

[6] https://blogs.vmware.com/security/2017/08/threat-analysis-carbon-black-threat-research-dissects-png-...
