Snake, also known as EKANS, is a threat actor identified by Dragos in early 2020. The group is known for ransomware attacks that primarily target business networks. Snake's malicious activity was first observed in Windows environments and was later ported to Mac, expanding the potential attack surface. The group has been linked to industrial-focused ransomware operations with possible ties to Iran, suggesting a geopolitical motive behind its activity. Its malware and ransomware variants have caused significant disruption and financial losses across many sectors.
The Snake keylogger is a particularly sophisticated tool attributed to this threat actor. It is typically delivered through phishing emails carrying malicious Excel documents that exploit known vulnerabilities. When opened, the document downloads an HTA file, which in turn uses scripts in several languages (JavaScript, VBScript, and PowerShell) to download the Snake Keylogger Loader module. The keylogger steals sensitive information from the victim's computer and sends it back to the attacker over SMTP. The Snake Keylogger Deploy module establishes persistence on the victim's computer and uses process hollowing to run the core module inside a newly created process.
Snake Keylogger variants have several ways of transmitting harvested credentials back to the attackers: uploading the data to an FTP server, sending it by email, or submitting it to a Telegram bot via an HTTP POST request. The FortiGuard Antivirus service detects the attached Excel document, the downloaded executable, and the extracted Snake Keylogger with dedicated AV signatures. To mitigate the risk posed by Snake, organizations are advised to maintain robust security measures, including regular system updates, employee training on phishing threats, and comprehensive antivirus coverage.
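As an added illustration of the delivery chain and exfiltration channels described above (example code, not from the original page or any vendor), the following Python script runs simple detection logic over constructed endpoint telemetry: an Office application spawning a script host (mshta.exe is the Windows HTA host), and FTP, SMTP or Telegram bot POST traffic from processes that have no business generating it. All event fields, process IDs, hosts and the bot path are constructed sample values.

```python
import re

# Constructed sample telemetry (not real logs): process-creation and network events.
PROCESS_EVENTS = [
    {"pid": 100, "image": "EXCEL.EXE", "parent": 1},
    {"pid": 200, "image": "mshta.exe", "parent": 100},       # HTA host launched from Excel
    {"pid": 300, "image": "powershell.exe", "parent": 200},  # script stage spawned by the HTA
    {"pid": 400, "image": "OUTLOOK.EXE", "parent": 1},
    {"pid": 500, "image": "svchost.exe", "parent": 1},
]
NETWORK_EVENTS = [
    {"pid": 300, "dest": "api.telegram.org", "port": 443, "method": "POST", "path": "/bot123:ABC/sendDocument"},
    {"pid": 500, "dest": "203.0.113.10", "port": 21, "method": None, "path": None},
    {"pid": 500, "dest": "mail.example.net", "port": 587, "method": None, "path": None},
    {"pid": 400, "dest": "mail.example.net", "port": 587, "method": None, "path": None},
]

OFFICE = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
MAIL_CLIENTS = {"OUTLOOK.EXE", "thunderbird.exe"}   # allow-list, assumed for the example
FTP_CLIENTS = {"ftp.exe", "filezilla.exe"}          # allow-list, assumed for the example
TELEGRAM_BOT = re.compile(r"^/bot[^/]+/send", re.I)  # Telegram Bot API send* endpoints

def ancestry(pid, procs):
    """Return image names from pid up to the root, e.g. ['mshta.exe', 'EXCEL.EXE']."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["parent"]
    return chain

def find_findings(process_events, network_events):
    """Return (rule, pid, detail) tuples for events matching the delivery or exfil patterns."""
    procs = {p["pid"]: p for p in process_events}
    findings = []
    for p in process_events:                      # delivery: Office -> HTA/script host chain
        chain = ancestry(p["pid"], procs)
        if chain[0] in SCRIPT_HOSTS and any(a in OFFICE for a in chain[1:]):
            findings.append(("office_to_script_host", p["pid"], " <- ".join(chain)))
    for n in network_events:                      # exfil: Telegram bot POST, FTP, SMTP
        image = procs.get(n["pid"], {}).get("image", "?")
        if n["method"] == "POST" and n["dest"].endswith("telegram.org") and TELEGRAM_BOT.search(n["path"] or ""):
            findings.append(("telegram_bot_post", n["pid"], image))
        elif n["port"] == 21 and image not in FTP_CLIENTS:
            findings.append(("ftp_from_unexpected_process", n["pid"], image))
        elif n["port"] in (25, 465, 587) and image not in MAIL_CLIENTS:
            findings.append(("smtp_from_non_mail_client", n["pid"], image))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in find_findings(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

Outlook's own SMTP session is not flagged, which is the point of the allow-lists: the signal is the channel combined with the originating process, not the protocol alone.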
Description last updated: 2024-10-15T04:15:30.011Z