TR-13 - Malware analysis report of a Backdoor.Snifula variant


  1. Overview
  2. Report
  3. Recommendation
  4. Classification of this document
  5. Revision



Overview

Trojan horses, and particularly information-stealing malware, are a prevalent risk in information security. According to Symantec, Snifula is a family of information-stealing trojan horses known since 2006, which its developers have enhanced over the years up to the current version (see the report for a history). The current version, like its predecessors, is not spread very widely, but it has some unusual and underestimated capabilities that go further than stealing passwords or files from an infected computer. A main capability of the malware is stealing X.509 certificates from the file system, which goes beyond the usual information-stealing scenarios and is generally considered only a theoretical attack in most organizations. This report shows that the threat is real and is being used in targeted attacks, and that the attackers can reach this goal by using documented Windows functions only.



Recommendation

  • CIRCL recommends that private organizations or any potential targets check the Indicators of Compromise (IOCs) contained in the report to detect any potential infection. CIRCL can be contacted in case of detection.

  • CIRCL recommends reviewing the infection process of Snifula (and especially the risks associated with exportable private keys) in order to assess the security measures taken within an organization.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


Revision

  • Version 1.0 July 25, 2012 Initial version (TLP:AMBER)
  • Version 1.1 July 27, 2012 New domains added (TLP:AMBER)
  • Version 1.2 September 12, 2012 Take-down completed (TLP:AMBER)
  • Version 1.3 May 29, 2013 First public release (TLP:WHITE)