SnappyTCP
SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SnappyTCP connects to the command and control server via a TCP socket using HTTP.[1] |
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
SnappyTCP creates the reverse shell using a pthread spawning a bash shell.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
SnappyTCP can use OpenSSL and TLS certificates to encrypt traffic.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol |
SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation.[1] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
SnappyTCP is a reverse TCP shell with command and control capabilities used for persistence purposes.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1041 | Sea Turtle |
Sea Turtle used SnappyTCP following initial access in intrusions from 2021 to 2023.[1] |