Fb messages are being utilized by menace actors to a Python-based data stealer dubbed Snake that is designed to seize credentials and different delicate knowledge.
“The credentials harvested from unsuspecting customers are transmitted to totally different platforms akin to Discord, GitHub, and Telegram,” Cybereason researcher Kotaro Ogino stated in a technical report.
Particulars concerning the marketing campaign first emerged on the social media platform X in August 2023. The assaults entail sending potential customers seemingly innocuous RAR or ZIP archive recordsdata that, upon opening, activate the an infection sequence.
The intermediate phases contain two downloaders – a batch script and a cmd script – with the latter accountable for downloading and executing the knowledge stealer from an actor-controlled GitLab repository.
Cybereason stated it detected three totally different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its half, is designed to collect knowledge from totally different internet browsers, together with Cốc Cốc, suggesting a Vietnamese focus.
The collected data, which includes credentials and cookies, is then exfiltrated within the type of a ZIP archive through the Telegram Bot API. The stealer can also be designed to dump cookie data particular to Fb, a sign that the menace actor is probably going seeking to hijack the accounts for their very own functions.
The Vietnamese connection is additional bolstered by the naming conference of the GitHub and GitLab repositories and the truth that the supply code comprises references to the Vietnamese language.
“The entire variants help Cốc Cốc Browser, which is a well-known Vietnamese Browser used extensively by the Vietnamese neighborhood,” Ogino stated.
Over the previous yr, a number of data stealers focusing on Fb cookies have appeared within the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.
The event comes as Meta has come underneath criticism within the U.S. for failing to help victims whose accounts have been hacked into, calling on the corporate to take instant motion to handle a “dramatic and chronic spike” in account takeover incidents.
It additionally follows a discovery that menace actors are “utilizing a cloned recreation cheat web site, search engine marketing poisoning, and a bug in GitHub to trick would-be-game-hackers into working Lua malware,” in line with OALABS Analysis.
Particularly, the malware operators are leveraging a GitHub vulnerability that permits an uploaded file related to a problem on a repository to persist even in eventualities the place the difficulty isn’t saved.
“Which means anybody can add a file to any git repository on GitHub, and never go away any hint that the file exists aside from the direct hyperlink,” the researchers stated, including the malware comes fitted with capabilities for command-and-control (C2) communications.