Keypoints
- SSH‑Snake is a bash script worm that self‑modifies to shrink itself and operates filelessly to avoid simple static detection.
- The tool scans for SSH private keys (id_rsa, id_dsa, id_ed25519, id_ecdsa) and parses shell history entries for ssh/scp/rsync commands to discover targets and credential locations.
- After credential discovery it attempts SSH logins to identified hosts and copies itself to those systems to repeat propagation (automated lateral movement via SSH).
- Sysdig linked a C2 server that stores SSH‑Snake output files per victim (filenames include victim IPs) and reported ~100 victims, many running Confluence and likely compromised via known Confluence vulnerabilities.
- Detection can be implemented at runtime; Sysdig/Falco rules can flag unusual SSH connections, reads of sensitive files, interactive system user commands, and searches for private keys.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Actors likely gained initial access by exploiting Confluence vulnerabilities: [‘…these threat actors are actively exploiting known Confluence vulnerabilities in order to gain initial access…’]
- [T1021.004] Remote Services: SSH – The worm uses discovered SSH credentials to log into other systems and propagate: [‘…the script attempts to log into the target system and then copies itself there in order to repeat the process.’]
- [T1552.001] Credentials in Files – SSH‑Snake searches for private key files and parses shell history for credential and target data: [‘…find_from_bash_history, where commands of ssh, scp, and rsync are searched for and parsed.’]
- [T1016] System Network Configuration Discovery – The tool gathers target information using local commands and utilities such as last and arp: [‘…it looks at sources of information, including last and arp to gather target data.’]
- [T1027] Obfuscated Files or Information – SSH‑Snake self‑modifies to remove comments/whitespace and shrink its footprint to remain fileless and less conspicuous: [‘…it modifies itself when it is first run in order to make itself smaller. All comments, whitespace, and unnecessary functions are removed.’]
- [T1041] Exfiltration Over C2 Channel – Operators store per-target output (credentials, IPs, bash history) on a C2 server repository for later use: [‘…This server holds a repository of files containing the output of SSH-Snake for each of the targets they have gained access to.’]
Indicators of Compromise
- [Domain] Tool repository and disclosure – github.com/MegaManSec/SSH-Snake (SSH‑Snake source/repo), sysdig.com/blog/ssh-snake (analysis/report)
- [Filenames] SSH private key names searched – id_rsa, id_ed25519 (SSH‑Snake looks for these key filenames and related credential files)
- [File listings] C2 repository filenames contain victim IPs – article notes “filenames found on the C2 server contain IP addresses of victims” (specific IPs not listed in article)
- [Collected artifacts] Bash history and SSH command entries – parsed ssh/scp/rsync lines from shell history (used to discover target hosts and key locations)
SSH‑Snake is implemented as a bash script that aggressively enumerates a host for SSH credentials and target metadata, then uses those credentials to traverse the network. On first execution the script compacts itself—removing comments, whitespace, and unused functions—to reduce size and enable fileless operation; after finding usable credentials it attempts SSH logins and copies its payload to newly accessed systems to repeat the process.
For credential and target discovery SSH‑Snake combines filesystem searches for common private key files (id_rsa, id_dsa, id_ed25519, id_ecdsa), parsing of bash history entries for ssh/scp/rsync commands (find_from_bash_history), and local network‑oriented commands (last, arp) to build a map of reachable systems. Its configuration is modular, allowing operators to enable or disable discovery strategies and tailor destination lists, improving stealth and adaptability compared with simpler scripted worms.
Operationally, defenders observed attackers uploading SSH‑Snake output (found credentials, victim IPs, and bash history) to a command‑and‑control repository; many victims were assessed to have been initially compromised via Confluence exploits. Because the tool is fileless and self‑modifying, runtime behavioral detection is recommended—example Falco/Sysdig rules include alerts for unexpected SSH connections, reads of sensitive key files, searches for private keys, and interactive system user commands—to detect and contain propagation quickly.
Read more: https://sysdig.com/blog/ssh-snake/