How to detect the most advanced Russian malware “Snake” on your network

by time news

2023-05-10 00:51:57

The Federal Bureau of Investigation (FBI) announced Tuesday that it had successfully disabled a network of compromised computers that Russian agents had been using for years to steal confidential information from at least 50 countries, including the governments of NATO members. The move appears to be a blow to Russia’s internal intelligence arm, the FSB, which is said to have used the sophisticated hacking tool to penetrate American and Western diplomatic and military institutions for more than two decades. The action was taken by the US Department of Homeland Security. It is the latest effort by the Department of Justice to crack down on criminal organizations and foreign wiretapping using FBI technologies built specifically for that purpose.

According to US authorities, the Federal Bureau of Investigation (FBI) used a court order on Monday to prevent the Russian government from accessing the computer network in the United States that hackers were using to transport the stolen material around the world and back to Russia. A senior FBI official said in a conference call with reporters Tuesday that it would be “difficult or unsustainable” for the FSB to successfully use the hacking tool again, due to the FBI operation and the public warnings issued by the United States about the tool.

For example, FSB agents used the hacking tool to “access and extract sensitive international relations documents, as well as other diplomatic communications” from a NATO member not named in the notice published Tuesday by the United States and its Five Eyes partners.

Experts are almost unanimous in their belief that the Russian hacking organization known as Turla, targeted by the FBI, is one of the most elite cyber-espionage teams in the Russian intelligence services. Both a major security breach that occurred in US military networks in the mid-1990s and an attack that occurred at US Central Command in 2008 have been linked to tools developed by Turla.

Snake was dubbed “the FSB’s most sophisticated long-term cyber-espionage malware implant,” allowing its users to remotely install malware on compromised devices, steal private documents and information (such as authentication credentials), maintain persistence, and hide their malicious activities by routing them through this “peer-to-peer covert network”.

The Five Eyes nations’ cybersecurity and intelligence agencies have released a unified alert that includes information that could help defenders locate and remove Snake malware present on their networks.

Based on evidence shown in court documents, the Federal Bureau of Investigation (FBI) acquired the ability to decipher and decode Snake’s communications by conducting a study of Snake malware and the Snake network. The Federal Bureau of Investigation (FBI) developed a tool known as PERSEUS using the knowledge it gained from monitoring the Snake network and analyzing Snake malware. This tool “establishes communication sessions with the Snake malware implant on a particular computer and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer.”

While decrypting network traffic between US and NATO devices infiltrated by the Snake malware, the FBI discovered that Turla operators exploited the implant in an effort to acquire what appeared to be classified United Nations and NATO documents. The search warrant that the FBI was able to obtain allowed the agency to access the infected devices, replace the malware without affecting authorized programs and data, and shut down the malware that was operating on the hacked systems.

The Federal Bureau of Investigation (FBI) now tells all owners or operators of the remotely accessed computers to remove the Snake malware, and warns them that they may also need to remove additional tools or dangerous software planted by the attackers, such as the keyloggers that Turla often installs on affected systems. This notification is sent to all owners or operators of the remotely accessed computers.

The following plugin for the Volatility memory analysis framework searches all processes on the machine for the user-mode component of Snake that has been injected into a process. If it is discovered, the plugin displays both the injected process and the virtual memory address at which the Snake user-mode component is loaded. If it is not found, the plugin outputs nothing.

