Sneaky SSH-Snake malware steals SSH keys - putting your whole network at risk


Cybersecurity researchers from the Sysdig Threat Research Team (TRT) discovered a new open source tool used by hackers to steal credentials and move laterally throughout the target network. 

Detailing their findings in a blog post, the researchers said the tool is called SSH-Snake, and was released in early January this year. Allegedly, it’s already being used by threat actors in the wild to map out the target network, most likely in preparation for further attack escalation.

Once the tool gets dropped onto a system, it will look for SSH credentials, and if it finds any, it will use them to move into the next instance, where it will copy itself and repeat the process.

Growing list of victims

What makes SSH-Snake stand out is that it is a lot more thorough in its search for credentials. It is also a lot stealthier, as it avoids “easily detectable” patterns usually associated with scripted attacks. As a result, the tool provides “greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being more efficient and successful.”

SSH-Snake is also unique due to its self-modifying mechanisms. As soon as it lands on a target endpoint, it makes itself smaller, by removing all comments, whitespace, and unnecessary functions.

“Compared to previous SSH worms, its initial form is much larger due to the expanded functionality and reliability,” the researchers explained. The script is also described as “essentially plug-and-play, but easily customizable”. Threat actors can disable and enable different parts, depending on their strategy. SSH-Snake also works on “any device”. 

Besides grabbing credentials, SSH-Snake also grabs target IP addresses and bash history. The tool also seems to be growing in popularity, as TRT says it’s witnessing the victim list growing. “At the time of writing, the number of victims is approximately 100,” they concluded.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
