#
Snake Rootkit
Snake is a rootkit used by Turla, and the version in this repository emulates several features of the original rootkit1:
- hides itself by hooking into several Windows API functions
- drops the usermodule DLL to disk (
C:\Windows\msnsvcx64.dll
in our emulated variant) - injects the usermodule DLL into a SYSTEM process (
taskhostw.exe
in our emulated variant) and into browser processes (msedge.exe
in our emulated variant) upon detecting outbound network traffic
When the rootkit is installed, its Snake home directory is set to C:\Windows\$NtUninstallQ608317$
(can be changed at installer compile time), which is where the Snake rootkit driver file and usermodule DLL log files reside.
- Snake has used similar home directories in the past, such as
C:\Windows\$NtUninstallQ812589$
1
#
Components
#
Snake Installer
The SnakeInstaller
folder contains the source code, README, and additional resources for the Snake installer, which does the following:
- Sets up the Snake home directory
- Optional privilege escalation exploit CVE-2021-1732
- DSE bypass by exploiting a vulnerable signed driver that is also dropped by the installer
- Dropping the Snake rootkit driver to disk and installing it
Note that the Snake installer is bundled with both drivers inside, and since the Snake rootkit driver contains the embeded usermodule DLL, any changes to the usermodule DLL or to the rootkit driver will require a new installer to be compiled. Different installers will also be needed to target different hosts, since each usermodule DLL is compiled to reach out to a specific C2 domain or IP.
For more information on the Snake Installer, please see the installer README.
#
Snake Rootkit Driver
The Snake rootkit driver is run by the Snake installer and performs various rootkit functionality:
- hides itself by hooking into several Windows API functions via a modified InfinityHook library
- drops the usermodule DLL to
C:\Windows\msnsvcx64.dll
(stored XOR-encrypted within the driver) - injects the usermodule DLL into
taskhostw.exe
- injects the usermodule DLL into browser processes (e.g.
msedge.exe
) upon detecting outbound network traffic
For more information on the Snake rootkit, please see the rootkit README.
#
Usermodule DLL
The UserModule
folder contains the source code, README, and additional resources for the Snake usermodule DLL, which does the following:
- When injected into a browser process, handles C2 communications over HTTP
- Retrieves tasking and payloads to forward to the non-browser usermodule variant, uploads files and task output
- When injected into a non-browser process, executes commands
- Supports executing commands via cmd, powershell, direct process creation, and also supports token impersonation.
Note that the usermodule DLL is given the C2 address and Snake home directory at compile-time, so any adjustments to such variables will require compiling a new usermodule DLL, and thus a new rootkit driver and installer.
For more information on the Snake usermodule DLL, please see the usermodule DLL README.
#
Usage
To install the Snake rootkit using the Snake installer, you can use the following commands for default options:
(with privilege escalation exploit):
C:\Path\to\installer.exe -f
(without privilege escalation exploit - requires admin privileges)
C:\Path\to\installer.exe
For additional installer options, please see the installer README.
If you are running just the driver, you must have a machine with test signing mode ON. To do this, open an Administrative command prompt, enter Bcdedit.exe -set TESTSIGNING ON
and reboot your machine. You should now see "Test Mode" in the bottom right hand corner of your desktop.
Run the script .\run_driver.ps1 start
in the same directory as your driver, and it will automatically create and start the driver for you. To stop the driver, run .\run_driver.ps1 stop
If you are running the driver via the installer, test signing mode is not necessary.
#
Troubleshooting
#
Installer Troubleshooting
Please see the Snake Installer README for installer-related troubleshooting steps.
#
Usermodule Troubleshooting
If the Snake installer is successful but you don't receive a beacon, there are two main possible points of failure:
- The driver was unable to inject successfully into
taskhostw.exe
or the injected DLL crashed - The driver was unable to inject successfully into
msedge.exe
, or the injected DLL crashed
You can generally tell which injected DLLs started up by looking for the log files in the Snake home directory (C:\Windows\$NtUninstallQ608317$
) and checking their timestamps:
- The C2-related log (
svcmon32.sdb
) is used exclusively by the browser-injected DLL process. If the file exists, then the injected DLL was at least able to get far enough to begin logging. If the file exists but is not being updated, then either the DLL crashed or is stuck waiting for thetaskhostw
-injected DLL to connect to it via named pipes. - The execution log (
dbsvcng64.bin
) is used exclusively by thetaskhostw
-injected DLL and has at least one line written to it when the injected DLL starts up. If the file exists, then the injected DLL was at least able to get far enough to begin logging.
There are two ways to decrypt and read the log files:
- If you have successful beacons and are troubleshooting other issues, you can task the implant to upload the logs to the C2 server, which will automatically decrypt them and write them to the
control_server/files
directory:./evalsC2client.py --set-task <guid> '{"type": 6}'
- If you do not have a beacon, you will have to manually copy the files from the Windows target host to your linux C2 server, where you can call the
control_server/handlers/snake/decrypt_logs.py
utility like so:python3 decrypt_logs.py -p /path/to/log -o /path/to/output/file
Each log file covers different aspects of the implant:
svcmon32.sdb
for C2-related logging (heartbeats, beacons, payload downloads, instruction parsing, data uploads)svcstat64.bin
for pipe server logging (when in pipe server mode)udmon32.bin
for pipe client logging (when in pipe client / execution mode)dbsvcng64.bin
for logging related to command execution (process creation, exit codes, command output)
To investigate general C2 communication issues, look at the C2 logs and pipe-related logging.
To investigate execution-related issues (e.g. failed token impersonation), look at the execution log.
Note that error codes in the logs will either be a Windows system error code or a custom error code defined in UserModule/include/usermodule_errors.h
#
Build
For specific build/installation instructions for each component, please refer to their respective README files.
#
Debugging
In order to properly test, it is recommended to setup a Virtual Machine on which install and run the driver. That's because any bugs in this code base can cause the executing system to crash. Additionally, this system will need to have test signing mode enabled, in order to load our unsigned driver.
To view any output from the driver will also require tooling with the ability to attach to the target system's kernel.
Recommended solutions are to use WinDbg
from the host machine for advanced debugging needs. Or, for lighter testing
DebugView
is capable of reporting messages printed from the driver.
#
Cleanup
A cleanup script has been provided here. This script should be run from an Admin PowerShell terminal.
The script will perform the following actions:
- Cleanup any PsExec artifacts
- Delete signed driver service
- Delete unsigned driver service
- Clean up installer directory
- Delete Snake installer (if
-deleteInstaller
) - Restart the host (if
-restart
) - Remove dropped user module DLL
- Recheck and redelete signed driver service
The script should be run with -restart
if the user module DLL has been injected.