
SSH-Snake malware: steals SSH keys to spread across the network

A threat actor is using an open-source network mapping tool called SSH-Snake to hunt for SSH private keys and move laterally through the victim's infrastructure.


SSH-Snake was discovered by Sysdig's Threat Research Team (TRT), which describes it as a "self-modifying worm" that differs from traditional SSH worms by avoiding the patterns usually associated with scripted attacks.

The malware searches for private keys in various locations, including shell history files, and after mapping the network uses them to spread to new systems.

SSH-Snake is available as an open-source tool for automated SSH-based network traversal: started on one system, it maps that system's relationships to the other hosts reachable from it via SSH.

Discovery of SSH-Snake malware

However, researchers at Sysdig, a cloud security company, report that SSH-Snake takes conventional lateral movement to a new level by being far more thorough in its search for private keys.

SSH-Snake, released on January 4, 2024, is a bash shell script that autonomously scans a compromised system for SSH credentials and uses them to propagate further.

The researchers report that a unique feature of SSH-Snake is its ability to modify itself and shrink the first time it is executed, which it does by stripping comments, unused functions, and whitespace from its own code.

Designed for flexibility, SSH-Snake is plug-and-play and can be customized to specific operational needs, including tailoring the strategies used to discover private keys and to identify where they can be used.


SSH key detection methods

SSH-Snake uses several direct and indirect methods to locate private keys on compromised systems. In summary:

  • Searching the common directories and files where SSH keys and credentials are typically stored, including .ssh directories, configuration files, and other locations.
  • Analyzing shell history files (e.g., .bash_history, .zsh_history) to identify ssh, scp, and rsync commands that may have used or referenced SSH private keys.
  • Using the "find_from_bash_history" function to parse bash history for SSH, SCP, and rsync commands, which can reveal direct references to private keys, their locations, and associated credentials.
  • Examining system logs and the network neighbour cache (ARP tables) to identify potential targets and gather information that can indirectly lead to private keys and to the hosts where they can be used.
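As an added, defensive example (written for this article, not SSH-Snake's own code): a small bash audit that applies the first two discovery techniques above to a host you administer, so that stray private-key files, over-permissive key modes, and key paths referenced in shell history can be reviewed and tightened before a worm finds them. It assumes GNU find, stat, grep and sed; the files it scans are constructed placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Defensive SSH key audit (added example). Assumes GNU coreutils/findutils.

# find_private_keys DIR -> prints "path mode" for each file whose first line
# is a PEM/OpenSSH private-key header. Mode other than 600 deserves a look.
find_private_keys() {
  local dir="$1" f
  find "$dir" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
    if head -n 1 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
      printf '%s %s\n' "$f" "$(stat -c '%a' "$f")"
    fi
  done
}

# history_key_refs HISTFILE -> distinct paths passed to -i in ssh/scp/rsync
# commands. Heuristic: rsync's own -i (itemize) can yield a false positive.
history_key_refs() {
  grep -E '^[[:space:]]*(ssh|scp|rsync)[[:space:]]' "$1" 2>/dev/null \
    | grep -oE '(^|[[:space:]])-i[[:space:]]*[^[:space:]]+' \
    | sed -E "s/^[[:space:]]*-i[[:space:]]*//; s/['\"]//g" \
    | LC_ALL=C sort -u
}

# make_sample -> builds a constructed home directory with placeholder keys
# (NOT real key material) and a fake bash history, prints its path.
make_sample() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/.ssh" "$d/backup"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_ed25519"
  chmod 644 "$d/.ssh/id_ed25519"      # deliberately too permissive
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END RSA PRIVATE KEY-----' > "$d/backup/old_key.pem"
  chmod 600 "$d/backup/old_key.pem"   # stray key outside .ssh
  printf '%s\n' 'ssh-ed25519 AAAAC3-PLACEHOLDER user@host' > "$d/.ssh/id_ed25519.pub"
  printf '%s\n' \
    'ssh -i /home/deploy/.ssh/deploy_key deploy@10.0.0.12' \
    'scp -i ~/.ssh/id_backup backup.tar.gz ops@10.0.0.20:/srv/' \
    'rsync -avz -e "ssh -i /opt/keys/ci_key" ./build ci@10.0.0.30:/var/www/' \
    'ls -la' > "$d/.bash_history"
  printf '%s\n' "$d"
}

sample="$(make_sample)"
echo "== private key files (path mode) =="; find_private_keys "$sample" | LC_ALL=C sort
echo "== key paths referenced in shell history =="; history_key_refs "$sample/.bash_history"
rm -rf "$sample"
```

Run it against a real home directory by calling `find_private_keys "$HOME"` and `history_key_refs "$HOME/.bash_history"` instead of the constructed sample.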

Sysdig analysts confirmed that SSH-Snake is in active use after identifying a C2 server used by its operators to store the data harvested by the worm, including credentials and victim IP addresses.

This data provides evidence of active exploitation of known vulnerabilities in Confluence (and possibly other flaws) for initial access, followed by deployment of the malware on those systems. According to the researchers, the tool has been used aggressively against roughly 100 victims.

Sysdig considers SSH-Snake "an evolutionary step" in malware, because it targets a secure connection method that is used widely in corporate environments.


How can a computer be protected from worms?

One of the most effective ways to protect your computer from worms such as SSH-Snake is to use reliable antivirus software, kept regularly updated so that it can deal with the latest threats. It is also important to keep your operating system and all your applications up to date, since these updates often include security fixes that help protect against worms. Be careful with the emails and messages you receive: do not open attachments or click on links from unknown senders, as these may carry worms. Finally, a firewall provides an extra layer of protection by controlling incoming and outgoing traffic and can help prevent worms from gaining access to your computer.

Source: bleepingcomputer

Absenta Mia (https://secnews.gr)