New SSH-Snake Malware Abuses SSH Credentials To Spread Itself In The Network

Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. By exploiting weak or compromised credentials, they can execute malicious activities.

SSH credential abuse provides a stealthy entry point for threat actors to compromise and control the targeted systems.


On January 4th, 2024, the Sysdig Threat Research Team (TRT) discovered a network mapping tool dubbed SSH-Snake that was being used as a self-propagating worm.

The tool was found to be exploiting SSH credentials in its attempt to spread and infect other systems. As a result, it poses a significant threat to network security and should be handled with caution.

It searches stored credentials and shell history to find its next targets, and threat actors are currently using SSH-Snake actively.

SSH-Snake Malware Abuses SSH Credentials

After gaining system access, attackers often use lateral movement to find and reach other targets. Previous research uncovered a worm seeking SSH credentials to connect and repeat the process.


SSH-Snake is particularly effective at finding private keys for lateral movement. It avoids the patterns of scripted attacks, which gives it stealth, flexibility, configurability, and better credential discovery. This makes it more efficient and successful than typical SSH worms.

SSH-Snake malware automates network traversal with discovered SSH private keys, mapping a network and dependencies. 

It is a bash script that autonomously searches the system for SSH credentials, logs into the targets it finds, and replicates itself there to repeat the process. The results aid the threat actors in ongoing operations.

Output of SSH-Snake in a very small network (Source – Sysdig)

SSH-Snake self-modifies to shrink its size by removing comments, whitespace, and unnecessary functions for fileless operation. 

Its initial form is larger for enhanced functionality. It works on any device, is self-replicating, and is fileless.

SSH-Snake automates the laborious task of discovering SSH-connected systems, which saves time and effort.

SSH-Snake performs the following tasks automatically:

  1. On the current system, find any SSH private keys.
  2. On the current system, find any hosts or destinations (user@host) where the private keys may be accepted.
  3. Attempt to SSH into all of the destinations using all of the private keys discovered.
  4. If a destination is successfully connected to, repeat steps #1 – #4 on the connected-to system.

This malware hunts for various private key types on the target system using diverse methods. It scans bash history for SSH-related commands, which reveal key locations and credentials.

Sysdig TRT found the C2 server used by the SSH-Snake deployers. The server houses SSH-Snake's output for each target, which helps reveal victim IPs.

Exposed assets (Source – Sysdig)

Falco, a project incubated by the CNCF, offers real-time alerts for unusual activity in cloud-native environments. Users can easily deploy default or custom rules, and can detect SSH-Snake with the default rules or craft new ones for better detection.
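The "all destinations with all private keys" step listed above produces a recognizable fan-out in process-execution telemetry, which a behavioral rule can key on. The following is an added example, not Sysdig's or Falco's rule: the event format, sample events, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed process-exec events: (epoch seconds, parent PID, command line).
SAMPLE_EVENTS = [
    (1000, 4100, "ssh -i /home/dev/.ssh/id_ed25519 dev@10.0.0.5 uptime"),
    (2000, 5200, "ssh -i /etc/deploy/key -o BatchMode=yes deploy@10.0.1.1 true"),
    (2001, 5200, "ssh -i /etc/deploy/key -o BatchMode=yes deploy@10.0.1.2 true"),
    (2002, 5200, "ssh -i /etc/deploy/key -o BatchMode=yes deploy@10.0.1.3 true"),
    (3000, 7700, "ssh -i /home/dev/.ssh/id_rsa root@10.0.2.1 true"),
    (3001, 7700, "ssh -i /home/dev/.ssh/id_ed25519 root@10.0.2.1 true"),
    (3002, 7700, "ssh -i /home/dev/.ssh/id_rsa dev@10.0.2.2 true"),
    (3003, 7700, "ssh -i /home/dev/.ssh/id_ed25519 dev@10.0.2.3 true"),
]
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")  # ssh(1) options that take a value

def parse_ssh(cmdline):
    """Return (key_path_or_None, destination) for an ssh command, else None."""
    argv = cmdline.split()  # assumes arguments contain no quoted whitespace
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    key, i = None, 1
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("-"):
            return key, arg  # first positional argument is the destination
        takes_value = len(arg) == 2 and arg[1] in OPTS_WITH_ARG
        if arg.startswith("-i"):  # "-i path" or "-ipath"
            key = argv[i + 1] if takes_value and i + 1 < len(argv) else arg[2:] or key
        i += 2 if takes_value else 1
    return None

def detect_fanout(events, window=60, min_keys=2, min_dests=3):
    """Return {parent_pid: (keys, dests)} where one parent's ssh children try
    several keys against several destinations inside `window` seconds."""
    by_parent, alerts = defaultdict(list), {}
    for ts, ppid, cmd in sorted(events):  # time order, so each row list is sorted
        if parsed := parse_ssh(cmd):
            by_parent[ppid].append((ts, *parsed))
    for ppid, rows in by_parent.items():
        start = 0
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # slide the window forward
                start += 1
            keys = {k for _, k, _ in rows[start:end + 1] if k}
            dests = {d for _, _, d in rows[start:end + 1]}
            if len(keys) >= min_keys and len(dests) >= min_dests:
                alerts[ppid] = (sorted(keys), sorted(dests))
                break
    return alerts
```

On the sample events, only parent 7700 is flagged. The single-key deployment job under parent 5200 touches three hosts but never crosses the key threshold, which is the false-positive case the two-dimensional check is meant to avoid.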

SSH-Snake enhances threat actor capabilities, enabling the exploitation of SSH keys that help evade static detection.


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.