Hunting Russia FSB's Most Sophisticated "Snake" Malware | Threat SnapShot

SnapAttack
2.2K views - last year
In this special extended Threat SnapShot, we'll dive into the joint intelligence report released by CISA and the other Five Eyes nations about the Russian FSB's "Snake" malware. The actor goes by many names, including Turla and Venomous Bear, and the malware has also been referred to as "ouroboros" from a string left in by the developers. Regardless, the report suggests that this is the most sophisticated malware in Russia's arsenal, and goes into explicit detail about how it works. We'll discuss how the malware operates and some host-based indicators, illustrate the threat research process and how you can accelerate that work in SnapAttack, and review potential detection and hunting strategies you can use in your organization.

Chapters:
00:00 - Introduction and Overview of CTI Report
11:44 - Related Research on PNG Dropper
16:03 - Finding a dropper sample
18:14 - Threat Research and Emulation in SnapAttack
28:18 - SnapAttack Content: Intelligence, Threat, and Detections

References:
- www.cisa.gov/news-events/cybersecurity-advisories/…
- blogs.vmware.com/security/2017/08/threat-analysis-…
- github.com/carbonblack/tau-tools/tree/master/threa…
- research.nccgroup.com/2018/11/22/turla-png-dropper…
- github.com/nccgroup/Cyber-Defence/tree/master/Scri…
- github.com/gdbinit/snake_queue_parser
- valhalla.nextron-systems.com/info/rule/Turla_JPEGV…
- www.virustotal.com/gui/file/f098f86ecf996188cef273…
- twitter.com/nas_bench/status/1656770759669194757
- twitter.com/M_haggis/status/1656113223442264064
- github.com/redcanaryco/atomic-red-team/pull/2418/f…

SnapAttack Resources:
- app.snapattack.com/intelligence/16a14e5f-c019-4d9f… - Intelligence: Hunting Russian Intelligence "Snake" Malware
- app.snapattack.com/threat/c3e53e0b-7cd0-9332-06d7-… - Threat: Simulated TTPs for Russian Nation-State Actor Turla "Snake" Malware
- gist.github.com/tjnary/4272b17ef6debcba9e85fd8159b… - PowerShell code to emulate Snake TTPs
- app.snapattack.com/detection/354bb091-fa58-42da-84… - Detection: Possible Turla Snake Malware Installer
- app.snapattack.com/detection/abcfdd0f-82d5-46a4-a7… - Detection: Possible Turla Snake Malware via WerFaultSvc Service Creation
- app.snapattack.com/detection/65e463df-5e00-466f-92… - Detection: Possible Turla Snake Malware via OpenWithProgIds Registry Creation
- app.snapattack.com/detection/d10094e6-8ea8-4cb6-be… - Detection: Possible Turla Snake Malware via comadmin.dat File Creation
- app.snapattack.com/detection/7a29e4e1-71a8-4f4b-b2… - Detection: Possible Turla Snake Malware via Queue File Creation
- app.snapattack.com/detection/5ac5dd6a-e5e4-4815-a4… - Detection: Possible Turla Snake Malware via Covert Store Registry Key
Published last year, on 1402/02/22.
2,239 views