
New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Mar 07, 2024 | Newsroom | Vulnerability / Information Stealer


Facebook messages are being used by threat actors to distribute a Python-based information stealer dubbed Snake that is designed to capture credentials and other sensitive data.

"The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective victims seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders (a batch script and a cmd script), with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.


Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

The Vietnamese connection is further reinforced by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.
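Because the exfiltration channel described above is the Telegram Bot API, one practical detection is to review outbound web-proxy logs for Bot API calls that carry file uploads or originate from script interpreters. The following Python routine is an added example written for this article, not code from Cybereason or from the malware; the proxy log format, process names, byte threshold and sample lines are all constructed assumptions, and the Bot API token in the sample is a placeholder. `sendDocument` is the real Bot API method for uploading a file, which is how a ZIP archive would be sent through that channel.

```python
import re
from dataclasses import dataclass, field

# Telegram Bot API URLs look like https://api.telegram.org/bot<token>/<method>.
# We capture the token only to locate the method name and never store it:
# a stolen or leaked bot token in a finding would itself be sensitive.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot([^/\s]+)/(\w+)")

# Hypothetical proxy log format (assumption, not a real vendor format):
# <timestamp> <host> <process> <method> <url> <bytes_sent> <content_type>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\S+)$")

# Bot API methods that upload a file body; sendDocument is the one used for archives.
FILE_UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Interpreters and shells that rarely have a legitimate reason to call a Bot API.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
UPLOAD_BYTES_THRESHOLD = 50_000  # assumption: tune to the environment's baseline

# Constructed sample log lines; the token value is a placeholder, not a real token.
SAMPLE_LOGS = """\
2024-03-05T10:12:01Z host-01 chrome.exe GET https://www.example.com/ 512 text/html
2024-03-05T10:12:44Z host-01 python.exe POST https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendDocument 184320 multipart/form-data
2024-03-05T10:13:02Z host-02 node.exe GET https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/getUpdates 200 application/json
2024-03-05T10:15:30Z host-03 cmd.exe POST https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendMessage 1400 application/json
"""


@dataclass
class Finding:
    host: str
    process: str
    bot_method: str
    bytes_sent: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, nbytes, ctype = m.groups()
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url": url, "bytes": int(nbytes), "ctype": ctype}


def assess(entry):
    """Return a Finding if the entry looks like Bot API exfiltration, else None."""
    m = TELEGRAM_BOT_RE.search(entry["url"])
    if not m:
        return None
    _token, bot_method = m.groups()  # token deliberately discarded
    reasons = []
    if bot_method in FILE_UPLOAD_METHODS:
        reasons.append(f"file upload via {bot_method}")
    if entry["process"].lower() in SCRIPT_HOSTS:
        reasons.append(f"script interpreter {entry['process']} talking to Bot API")
    if entry["bytes"] >= UPLOAD_BYTES_THRESHOLD:
        reasons.append(f"{entry['bytes']} bytes sent")
    if entry["ctype"].startswith("multipart/form-data"):
        reasons.append("multipart upload body")
    if not reasons:
        # A small GET such as getUpdates from a non-script process is left alone.
        return None
    return Finding(entry["host"], entry["process"], bot_method, entry["bytes"], reasons)


def find_exfil(log_text):
    """Run every line through the parser and the heuristics; return the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOGS):
        print(f"{f.host} {f.process} {f.bot_method} {f.bytes_sent}B: " + "; ".join(f.reasons))
```

Each finding carries the list of heuristics that fired, so the high-confidence case (a script interpreter posting a large multipart body to `sendDocument`) is easy to separate from the weaker signal of a shell calling `sendMessage`. Environments that legitimately run Telegram bots should allow-list those hosts and processes rather than lower the threshold.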


"All of the variants support Cốc Cốc Browser, which is a well-known Vietnamese Browser used widely by the Vietnamese community," Ogino said.

Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, with calls on the company to take immediate action to address a "dramatic and persistent spike" in account takeover incidents.


It also follows a discovery that threat actors are "using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware," according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue isn't saved.

"This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link," the researchers said, adding that the malware comes fitted with capabilities for command-and-control (C2) communications.
