
New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Mar 07, 2024 | Newsroom | Vulnerability / Data Stealer


Facebook messages are being used by threat actors to distribute a Python-based info stealer dubbed Snake that is designed to capture credentials and other sensitive data.

“The credentials harvested from unsuspecting customers are transmitted to totally different platforms comparable to Discord, GitHub, and Telegram,” Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending potential users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.


Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which includes credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.
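The chain described above (a script-driven download from GitLab followed by a file upload through the Telegram Bot API) can be hunted for in web proxy logs. The following is an added example, not code from Cybereason's report or from the malware: the log format, host names, process names, the GitLab raw-file URL shape and the use of the Bot API's `sendDocument` method for the upload are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (timestamp host process method url); not real telemetry.
# Host names, repository paths and <TOKEN> are placeholders.
SAMPLE_LOG = """\
2024-03-07T10:00:01 WS-014 chrome.exe GET https://gitlab.com/explore
2024-03-07T10:02:10 WS-022 cmd.exe GET https://gitlab.com/example-user/example-repo/-/raw/main/file.zip
2024-03-07T10:02:55 WS-022 python.exe POST https://api.telegram.org/bot<TOKEN>/sendDocument
2024-03-07T10:05:00 WS-031 backup-bot.exe POST https://api.telegram.org/bot<TOKEN>/sendDocument
2024-03-07T11:40:00 WS-040 curl.exe GET https://gitlab.com/example-user/example-repo/-/raw/main/tool.zip
"""

# Assumed tuning values: processes that count as "script-driven", and the correlation window.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe"}
GITLAB_RAW = re.compile(r"^https://gitlab\.com/.+/-/raw/", re.I)
BOT_UPLOAD = re.compile(r"^https://api\.telegram\.org/bot[^/]+/sendDocument\b", re.I)
WINDOW = timedelta(minutes=15)

def parse(log):
    """Yield (time, host, process, method, url) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, host, proc, method, url = parts
        yield datetime.fromisoformat(ts), host, proc.lower(), method.upper(), url

def detect(log):
    """Return {host: severity}. 'high' = GitLab raw fetch by a script host followed
    by a Bot API file upload within WINDOW; 'medium' = Bot API file upload alone."""
    last_fetch, findings = {}, {}
    for ts, host, proc, method, url in sorted(parse(log)):
        if method == "GET" and proc in SCRIPT_HOSTS and GITLAB_RAW.match(url):
            last_fetch[host] = ts
        elif method == "POST" and BOT_UPLOAD.match(url):
            fetched = last_fetch.get(host)
            chained = fetched is not None and ts - fetched <= WINDOW
            if findings.get(host) != "high":  # never downgrade an earlier finding
                findings[host] = "high" if chained else "medium"
    return findings

if __name__ == "__main__":
    for host, severity in detect(SAMPLE_LOG).items():
        print(host, severity)
```

The upload rule deliberately ignores the process name, since a PyInstaller-built variant can run under any executable name.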

The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.


“All the variants assist Cốc Cốc Browser, which is a well-known Vietnamese Browser used broadly by the Vietnamese neighborhood,” Ogino said.

Over the past 12 months, several information stealers targeting Facebook cookies have appeared in the wild, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, calling on the company to take immediate action to address a “dramatic and protracted spike” in account takeover incidents.


It also follows a discovery that threat actors are “utilizing a cloned recreation cheat web site, search engine marketing poisoning, and a bug in GitHub to trick would-be-game-hackers into operating Lua malware,” according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.

“Which means anybody can add a file to any git repository on GitHub, and never go away any hint that the file exists apart from the direct hyperlink,” the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.
