SnappyTCP
SnappyTCP is a web shell used bySea Turtle between 2021 and 2023 against multiple victims.SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site.SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | SnappyTCP connects to the command and control server via a TCP socket using HTTP.[1] |
| Enterprise | T1059 | .004 | Command and Scripting Interpreter:Unix Shell | SnappyTCP creates the reverse shell using a pthread spawning a bash shell.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel:Asymmetric Cryptography | SnappyTCP can use OpenSSL and TLS certificates to encrypt traffic.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation.[1] | |
| Enterprise | T1505 | .003 | Server Software Component:Web Shell | SnappyTCP is a reverse TCP shell with command and control capabilities used for persistence purposes.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1041 | Sea Turtle | Sea Turtle usedSnappyTCP following initial access in intrusions from 2021 to 2023.[1] |