Skip to content

Instantly share code, notes, and snippets.

@msuiche
Last active May 16, 2024 17:16
Show Gist options
  • Save msuiche/8c8fd278430dda0292b4cfdfc549ca2d to your computer and use it in GitHub Desktop.
Save msuiche/8c8fd278430dda0292b4cfdfc549ca2d to your computer and use it in GitHub Desktop.
/*
Hunting Russian Intelligence “Snake” Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/
rule Windows_Snake_Malware {
meta:
author = "Matt Suiche (Magnet Forensics)"
description = "Hunting Russian Intelligence Snake Malware"
creation_date = "2023-05-10"
threat_name = "Windows.Malware.Snake"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
severity = 100
scan_context = "memory"
license = "MIT"
os = "windows"
/* The original search only query those bytes in PAGE_EXECUTE_WRITECOPY VADs */
strings:
$a = { 25 73 23 31 }
$b = { 25 73 23 32 }
$c = { 25 73 23 33 }
$d = { 25 73 23 34 }
$e = { 2e 74 6d 70 }
$f = { 2e 73 61 76 }
$g = { 2e 75 70 64 }
condition:
all of them
}
@Neo23x0
Copy link

Neo23x0 commented May 12, 2023

String $e and $f are duplicates.

code from the volatility plugin:

strings_to_find = [
    b'\x25\x73\x23\x31',
    b'\x25\x73\x23\x32',
    b'\x25\x73\x23\x33',
    b'\x25\x73\x23\x34',
    b'\x2e\x74\x6d\x70', 
    b'\x2e\x73\x61\x76',
    b'\x2e\x75\x70\x64'
]

@msuiche
Copy link
Author

msuiche commented May 13, 2023

I believe we should also be able to add the following condition:

    condition:
        pe.is_pe

Since it checks for the presence of MZ signature, I assume it means the VAD will be a PE file:

    if data.find(b'\x4d\x5a') != 0:
       continue

@msuiche
Copy link
Author

msuiche commented May 13, 2023

Or just “ uint16(0) == 0x5a4d and all of them” seems faster as a check.

@Neo23x0
Copy link

Neo23x0 commented May 13, 2023

I would keep it that way because it aims at in-memory detection.
I don't understand their Volatility plugin good enough and really have no idea why they would search for an "MZ" header value during memory analysis. (maybe it just to get some offsets right or to be able to carve the full PE from memory - idk)

With a magic header and file size check it's definitely faster, but I'm sure it would hinder in-memory detection.

@Neo23x0
Copy link

Neo23x0 commented May 13, 2023

@msuiche
Copy link
Author

msuiche commented May 13, 2023

Let's goooo! This is so old!

Creation Time	2016-07-29 09:20:28 UTC
First Submission	2018-02-28 09:24:26 UTC
Last Submission	2023-05-12 12:20:12 UTC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment