Sneaky SSH-Snake malware steals SSH keys - putting your whole network at risk


Cybersecurity researchers from the Sysdig Threat Research Team (TRT) have discovered a new open-source tool used by hackers to steal credentials and move laterally through a target network.

Detailing their findings in a blog post, the researchers said the tool is called SSH-Snake and was released in early January this year. Allegedly it's already being used by threat actors in the wild to map out a target network, most likely in preparation for further attack escalation.

Once the tool gets dropped onto a system, it will look for SSH credentials, and if it finds any, it will use them to move into the next instance, where it will copy itself and repeat the process.
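As an added illustration of the propagation pattern described above (example code written for this article, not part of Sysdig's report or of SSH-Snake itself), the following Python detector looks for chained SSH logins in centrally collected sshd logs: a login into one host followed shortly by a login from that host into another. The host names, addresses, inventory mapping and log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd lines from three hosts, collected centrally.
SAMPLE_LOG = """\
Jan 15 10:00:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.1.5 port 50122 ssh2: RSA SHA256:aaaa
Jan 15 10:00:41 db01 sshd[2310]: Accepted publickey for root from 10.0.1.10 port 50140 ssh2: ED25519 SHA256:bbbb
Jan 15 10:01:13 cache01 sshd[3402]: Accepted publickey for ops from 10.0.1.20 port 50151 ssh2: RSA SHA256:cccc
Jan 15 14:30:00 web01 sshd[1299]: Accepted publickey for deploy from 10.0.1.5 port 50999 ssh2: RSA SHA256:aaaa
"""

# Hypothetical inventory: which address belongs to which monitored host.
HOST_ADDR = {"web01": "10.0.1.10", "db01": "10.0.1.20", "cache01": "10.0.1.30"}
ADDR_HOST = {addr: host for host, addr in HOST_ADDR.items()}

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+) port")


def parse_logins(text, year=2024):
    """Return (timestamp, host, user, source_ip) tuples, oldest first."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(logins)


def find_chains(logins, window=timedelta(minutes=5)):
    """Return hop lists [origin, host1, host2, ...] where every hop's source
    address is the previous hop's host and hops follow within `window`.
    Only maximal chains of at least two hops are reported."""
    chains, used = [], set()
    for i, (t1, host1, _, src1) in enumerate(logins):
        if i in used:
            continue  # already part of a longer chain reported earlier
        chain, last_t, last_host = [ADDR_HOST.get(src1, src1), host1], t1, host1
        for j in range(i + 1, len(logins)):
            t2, host2, _, src2 = logins[j]
            if ADDR_HOST.get(src2) == last_host and t2 - last_t <= window:
                chain.append(host2)
                used.add(j)
                last_t, last_host = t2, host2
        if len(chain) > 2:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_logins(SAMPLE_LOG)):
        print("possible propagation chain:", " -> ".join(chain))
```

A chain such as workstation -> web01 -> db01 -> cache01 within minutes is worth reviewing against change tickets, since ordinary administration rarely hops server to server that quickly.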

Growing list of victims

What makes SSH-Snake stand out is that it is a lot more thorough in its search for credentials. It is also a lot stealthier, as it avoids the "easily detectable" patterns usually associated with scripted attacks. As a result, the tool provides "greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being more efficient and successful."

SSH-Snake is also unique due to its self-modifying mechanisms. As soon as it lands on a target endpoint, it makes itself smaller by removing all comments, whitespace, and unnecessary functions.

“Compared to previous SSH worms, its initial form is much larger due to the expanded functionality and reliability,” the researchers explained. The script is also described as “essentially plug-and-play, but easily customizable”. Threat actors can disable and enable different parts, depending on their strategy. SSH-Snake also works on “any device”. 

Besides grabbing credentials, SSH-Snake also grabs target IP addresses and bash history. The tool also seems to be growing in popularity, as TRT says it’s witnessing the victim list growing. “At the time of writing, the number of victims is approximately 100,” they concluded.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.