
Cloud Snooper

The Cloud Snooper threat is malware developed specifically to target Linux servers. After analyzing the threat, cybersecurity researchers found that the authors of the Cloud Snooper malware implement very interesting and innovative methods for the threat's communication with the attackers' C&C (Command & Control) server.

The Smart Techniques Used by the Cloud Snooper

Services that interact with the Web use designated ports to transmit data: for example, FTP uses port 21, HTTPS uses port 443, and HTTP uses port 80. All ports between 1 and 65535 are available for services to use. While Windows-based services mostly use ports between 49152 and 65535, UNIX systems tend to spread their port usage more widely. The ports used by the Cloud Snooper malware fall within the range 32768 to 60999. Traffic on these ports can pass as legitimate, which means it is unlikely to be filtered.

Web services exposed to the Internet usually have one port dedicated to accepting incoming connections; for example, an HTTP connection is made via port 80. However, this is not the only port involved in such a connection: when you connect to a server via port 80, the recipient may assign a random, unique port to you so that it can identify your network traffic. This technique enables the Cloud Snooper malware to operate very quietly.

The Cloud Snooper payload may pose as a bogus Linux driver called ‘snd_floppy.’ The ‘snd’ prefix usually signifies an audio driver, but the ‘snd_floppy’ file is not a genuine driver; it is the payload of the Cloud Snooper malware. As soon as the Cloud Snooper threat has successfully penetrated the targeted system, it keeps an eye out for pings that use certain ports. The pings in question are packets coming from the attackers’ C&C server. However, these packets do not contain commands and are, in fact, empty. Firewalls may therefore overlook these packets sent through random ports, since they appear harmless, and this is what the Cloud Snooper malware relies on.

Other ports that the Cloud Snooper utilizes allow it to perform different tasks:

  • 6060 – The threat’s payload is contained in a bogus ‘snd_floppy’ driver that will be implanted on the system as soon as a ping is received on port 6060.
  • 8080 – To spy on its target, the threat can hijack traffic coming from port 9090 and redirect it to port 2053.
  • 9999 – The threat would cease activity and delete itself from the compromised host.
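The two observable traits described above, empty "ping" packets keyed on the trigger ports 6060, 8080 and 9999 that arrive on ports in the 32768 to 60999 range, and a bogus ‘snd_floppy’ kernel module, can both be checked for from the defender's side. The following is an added detection example, not code from the original page or from the researchers who analysed the malware. It assumes firewall logging in the iptables LOG key=value style and a /proc/modules-style module listing; the log lines and module list below are constructed samples, and the choice of 10.0.0.0/8 and 192.168.0.0/16 as "internal" address space is an assumption.

```python
"""Added detection example: Cloud Snooper-style port-keyed pings and the
bogus snd_floppy module. Log format and sample data are assumptions."""
import re

# Port-to-action mapping as described on the page.
TRIGGER_PORTS = {
    6060: "implant snd_floppy payload",
    8080: "hijack port 9090 traffic to port 2053",
    9999: "cease activity and self-delete",
}
# The port range the page says the malware's traffic falls within.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999
# Assumption: these prefixes are our own address space.
INTERNAL_PREFIXES = ("10.", "192.168.")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV = re.compile(r"(\w+)=(\S*)")


def parse_iptables_log(line):
    """Parse one iptables-LOG-style line (assumed format) into a dict."""
    rec = {k.lower(): v for k, v in KV.findall(line)}
    # TCP flags appear as bare tokens (e.g. "SYN", "ACK PSH") in this format.
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    for key in ("spt", "dpt", "len"):
        rec[key] = int(rec.get(key, 0) or 0)
    return rec


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def is_payload_free(rec):
    """Heuristic: a SYN, or a total IP length of at most 40 bytes (bare
    IP + TCP headers), cannot be carrying application data."""
    return "SYN" in rec["flags"] or rec["len"] <= 40


def detect_port_signals(lines):
    """Return one alert per inbound, payload-free TCP packet whose source or
    destination port is a trigger port. Each alert records whether the
    other end of the packet sits in the 32768-60999 range the page names."""
    alerts = []
    for line in lines:
        rec = parse_iptables_log(line)
        if rec.get("proto") != "TCP":
            continue
        # Only external -> internal traffic is of interest here.
        if is_internal(rec.get("src", "")) or not is_internal(rec.get("dst", "")):
            continue
        if not is_payload_free(rec):
            continue
        hit = rec["spt"] if rec["spt"] in TRIGGER_PORTS else rec["dpt"]
        if hit in TRIGGER_PORTS:
            alerts.append({
                "src": rec["src"], "dst": rec["dst"],
                "spt": rec["spt"], "dpt": rec["dpt"],
                "in_ephemeral": EPHEMERAL_LOW <= rec["dpt"] <= EPHEMERAL_HIGH,
                "action": TRIGGER_PORTS[hit],
            })
    return alerts


def find_rogue_modules(proc_modules_text, indicators=("snd_floppy",)):
    """Scan /proc/modules-style text (name size refcount deps state offset)
    and return loaded module names matching the bogus-driver indicator."""
    found = []
    for line in proc_modules_text.splitlines():
        parts = line.split()
        if parts and parts[0] in indicators:
            found.append(parts[0])
    return found


# Constructed sample data (not real traffic or a real host).
SAMPLE_LOG = [
    "IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=6060 DPT=45123 WINDOW=1024 SYN URGP=0",
    "IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=1500 TTL=64 ID=12 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=29200 ACK PSH URGP=0",
    "IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=9999 DPT=51000 WINDOW=1024 SYN URGP=0",
    "IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 LEN=40 TTL=64 ID=0 DF PROTO=TCP SPT=6060 DPT=22 WINDOW=1024 SYN URGP=0",
    "IN=eth0 OUT= SRC=203.0.113.8 DST=10.0.0.5 LEN=52 TTL=52 ID=0 DF PROTO=UDP SPT=8080 DPT=53 LEN=32",
]
SAMPLE_MODULES = """snd_hda_intel 40960 3 - Live 0x0000000000000000
snd_floppy 16384 0 - Live 0x0000000000000000
ext4 700000 1 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    for alert in detect_port_signals(SAMPLE_LOG):
        print("port signal:", alert)
    print("rogue modules:", find_rogue_modules(SAMPLE_MODULES))
```

On the constructed sample, the two external SYNs with source ports 6060 and 9999 to destination ports inside 32768-60999 are reported, while the normal HTTP data packet, the internal-origin packet and the UDP packet are ignored. The module check is deliberately an exact-name match on the indicator the page gives; a real deployment would compare the loaded module list against the modules actually shipped with the installed kernel rather than a short blocklist.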

Make sure your Linux systems are protected by a genuine anti-malware tool compatible with your OS.
