CloudSnooper

CloudSnooper

• First seen: 2020
• Aliases:
• Samples:
  • 44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2 | linux | trojan | elf

Cloud Snooper Linux Payload (snoopy)

Basic Properties

Property	Value
Size	1464144 bytes
CRC32	0x1940cf9f
MD5	ecdbfee4904dcb3ae2e20f050b5b69b3
SHA1	f1c0054bc76e8753d4331a881cdf9156dd8b812a
SHA256	44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2
SHA512	3a4006fa3817eda0e8f4fea78ffcec6ccce50095afd67ef7e1cbeb06faa62aa7ad68dd894b33ae74cc720e1db4df683258048dd1df93688d64f121ce2f1769f4
Ssdeep	24576:wl7TkQ2emO0x7mEw28xrm+RcF8rC71PrIWHssC9zm4p:K7TkQ2emO0xSDRxjADI5som4
Magic	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=f22530d02604a1030e6fab308464ae8ab9c5f817, stripped
Packer	ELF64: library: GLIBC(2.7)[executable AMD64-64] ELF64: compiler: gcc(3.X)[executable AMD64-64]
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)

Antivirus Scan

+ Avast: clean
- Avira: Linux/Filecoder.pigrm
- Bitdefender: Trojan.Linux.GenericKD.13831
+ Clamav: clean
+ Comodo: clean
- Drweb: Linux.Encoder.365
- Eset: Linux/Filecoder.Monti.A
- Fsecure: Malware.LINUX/Filecoder.pigrm
- Kaspersky: UDS:Trojan-Ransom.Linux.Conti.a
+ Mcafee: clean
+ Sophos: clean
+ Symantec: clean
+ Trendmicro: clean
+ Windefender: clean

References

• ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures [archive link]
• Cloud Snooper Attack Bypasses AWS Security Measures [archive link]