Cybercriminals Arm Open-Source SSH-Snake Tool for Network Attacks

February 22, 2024NewsroomNetwork Security / Penetration Testing

Open-Source SSH-Snake Tool

A new open-sourced network mapping tool called SSH-Snake repurposed by threat actors to perform malicious activities.

“SSH-Snake is a self-replicating worm that uses SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández SAYS.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a “powerful tool” to implement automatic network crossing using the SSH private keys discovered by the systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping to determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains with multiple IPv4 addresses.


“It is completely self-replicating and self-propagating – and completely fileless,” according to project description. “In many ways, SSH-Snake is actually a worm: It copies itself and spreads itself from one system to another as much as possible.”

Sysdig says that the shell script not only facilitates lateral movement, but also provides more stealth and flexibility than other typical SSH worms.

The cloud security company says it has observed threat actors deploy SSH-Snake in real-world attacks to harvest credentials, targets’ IP addresses, and the bash command history after discovering a command-and-control (C2) server hosting the data.

“Using SSH keys is a recommended practice that SSH-Snake is trying to exploit to spread,” Hernández said. “It’s smarter and more reliable that will allow threat actors to reach farther into a network once they gain a foothold.”

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify vulnerabilities in their infrastructure before attackers, encourages companies to use SSH-Snake to “discover attack. paths that exist – and fix them.”

“It seems to be a common belief that cyber terrorism ‘just happens’ suddenly to systems, requiring only a reactive security approach,” said Rogers. “However, in my experience, systems should be designed and maintained with comprehensive security measures.”

“If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, the focus should be on the people managing the infrastructure, with the aim of restoring the infrastructure to compromise a The host cannot be replicated by thousands of others.”

Rogers also called attention to the “negligent operations” of companies that design and implement insecure infrastructure, which can be easily removed with a simple shell script.

“If the systems are designed and maintained in a good way and the system owners/companies really care about security, the fallout from such a script being implemented will be minimized – as well as if the actions that SSH-Snake was created manually by an attacker,” Rogers added.

“Instead of reading privacy policies and performing data entry, security teams at companies that are concerned about this type of script taking over their entire infrastructure should be re-architecting the entire in their systems by trained security specialists – not those who created the architecture in the first place.”


The disclosure comes as Aqua unveils a new botnet campaign named Lucifer exploiting misconfigurations and existing flaws in Apache Hadoop and Apache Druid to corral them into a network for cryptocurrency mining and conducting distributed denial-of-service (DDoS) attacks.

Hybrid cryptojacking malware is first documented by Palo Alto Networks Unit 42 in June 2020, calling attention to its ability to exploit known security flaws to compromise Windows endpoints.

Lucifer botnet

Around 3,000 separate attacks targeting the Apache big data stack were detected last month, the cloud security firm said. It also contains vulnerabilities in Apache Flink to spread miners and rootkits.

“The attacker executed the attack by exploiting existing misconfigurations and vulnerabilities in the services,” security researcher Nitzan Yaakov SAYS.

“Apache open-source solutions are widely used by many users and contributors. Attackers may view this wide usage as an opportunity with inexhaustible resources for executing their attacks on them.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment