FBI nukes Russian Snake data theft malware with self-destruct command
2023-05-09 16:29

The development of the Snake malware started under the name "Uroburos" in late 2003, while the first versions of the implant were seemingly finalized by early 2004, with Russian state hackers deploying the malware in attacks immediately after.

The malware is linked to a unit within Center 16 of the FSB, the notorious Russian Turla hacking group, and was disrupted following a coordinated effort named Operation MEDUSA. Among the computers ensnared in the Snake peer-to-peer botnet, the FBI also found devices belonging to NATO member governments.

According to court documents unsealed today, the U.S. government kept a close eye on Snake and Snake-linked malware tools for almost 20 years while also monitoring Russian Turla hackers using Snake from an FSB facility in Ryazan, Russia.

"As described in court documents, through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications," the U.S. Justice Department said.

"With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool, named PERSEUS, that establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer."

The FBI is now notifying all owners or operators of computers remotely accessed to remove the Snake malware and informing them that they might have to remove other malicious tools or malware planted by the attackers, including keyloggers that Turla often also deployed on infected systems.

News URL

https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/