/*
Hunting Russian Intelligence “Snake” Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/
rule Windows_Snake_Malware {
    meta:
        author = "Matt Suiche (Magnet Forensics)"
        description = "Hunting Russian Intelligence Snake Malware"
        creation_date = "2023-05-10"
        threat_name = "Windows.Malware.Snake"
        reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
        severity = 100
        scan_context = "memory"
        license = "MIT"
        os = "windows"
    /* The original search only queries those bytes in PAGE_EXECUTE_WRITECOPY VADs */
    strings:
        $a = { 25 73 23 31 }  // "%s#1"
        $b = { 25 73 23 32 }  // "%s#2"
        $c = { 25 73 23 33 }  // "%s#3"
        $d = { 25 73 23 34 }  // "%s#4"
        $e = { 2e 74 6d 70 }  // ".tmp"
        $f = { 2e 73 61 76 }  // ".sav"
        $g = { 2e 75 70 64 }  // ".upd"
    condition:
        all of them
}
I believe we should also be able to add the following condition:

    condition:
        pe.is_pe

Since it checks for the presence of the MZ signature, I assume it means the VAD will be a PE file:

    if data.find(b'\x4d\x5a') != 0:
        continue

Or just `uint16(0) == 0x5a4d and all of them` seems faster as a check.
I would keep it that way because it aims at in-memory detection.
I don't understand their Volatility plugin well enough and really have no idea why they would search for an "MZ" header value during memory analysis. (Maybe it's just to get some offsets right, or to be able to carve the full PE from memory - idk.)
With a magic header and file size check it's definitely faster, but I'm sure it would hinder in-memory detection.
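As an added example (not code from the gist, the joint CSA, or the Volatility plugin mentioned above), the rule's seven byte patterns and the offset-0 MZ gate debated in this thread, reimplemented in plain Python and run over constructed memory regions so the two conditions can be compared side by side. Region names and contents are constructed for illustration, not taken from real samples.

```python
# Added example: the gist's Windows_Snake_Malware string logic in Python,
# with and without the MZ-at-offset-0 gate, applied to constructed regions.

SNAKE_STRINGS = {            # same bytes as $a..$g in the gist rule
    "$a": b"%s#1", "$b": b"%s#2", "$c": b"%s#3", "$d": b"%s#4",
    "$e": b".tmp", "$f": b".sav", "$g": b".upd",
}

def all_of_them(region: bytes) -> bool:
    """YARA `all of them`: every pattern occurs somewhere in the region."""
    return all(s in region for s in SNAKE_STRINGS.values())

def mz_at_offset_zero(region: bytes) -> bool:
    """`uint16(0) == 0x5a4d`; identical to the plugin's `find(b'MZ') != 0`
    skip, because find() returns 0 only when the first hit starts at 0."""
    return region.find(b"\x4d\x5a") == 0

def match_snake(region: bytes, require_mz: bool) -> bool:
    """The gist condition, optionally gated on the MZ header check."""
    if require_mz and not mz_at_offset_zero(region):
        return False
    return all_of_them(region)

def scan(regions: dict, require_mz: bool) -> list:
    """Return the names of the regions that hit, in scan order."""
    return [name for name, data in regions.items()
            if match_snake(data, require_mz)]

# Constructed regions (not real Snake memory): padding stands in for code.
PAYLOAD = b"\x00" * 16 + b"".join(SNAKE_STRINGS.values()) + b"\x00" * 16
CONSTRUCTED_REGIONS = {
    "mapped_pe": b"MZ" + b"\x00" * 62 + PAYLOAD,       # header intact at 0
    "header_wiped": b"\x00" * 64 + PAYLOAD,            # same strings, no MZ
    "mid_image_page": b"\x90" * 32 + b"MZ" + PAYLOAD,  # MZ present, not first
    "benign_pe": b"MZ" + b"\x00" * 62 + b".tmp.sav",   # only two of seven
}

if __name__ == "__main__":
    print("strings only   :", scan(CONSTRUCTED_REGIONS, require_mz=False))
    print("strings + MZ(0):", scan(CONSTRUCTED_REGIONS, require_mz=True))
```

The gated scan keeps only the region whose header sits at offset 0, which is the trade-off discussed above: faster on intact images, silent on the same strings when the region does not begin with a PE header.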
btw I just noticed a match on VT with your rule:
https://www.virustotal.com/gui/file/fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9/detection
Let's goooo! This is so old!
Creation Time 2016-07-29 09:20:28 UTC
First Submission 2018-02-28 09:24:26 UTC
Last Submission 2023-05-12 12:20:12 UTC
Strings $e and $f are duplicates.
Code from the Volatility plugin: