Snake, a brand new Info Stealer spreads by way of Facebook messages
March 07, 2024
Threat actors are utilizing Facebook messages to unfold a Python-based data stealer dubbed Snake, researchers warn.
Cybereason researchers warn that menace actors are using Facebook messages to unfold the Snake malware, a Python-based data stealer.
The researchers observed that the menace actors are sustaining three totally different Python Infostealer variants. Two of those variants are common Python scripts, whereas the third variant is an executable assembled by PyInstaller.
Once the malware has siphoned the credentials from the contaminated system, it transmits them to totally different platforms resembling Discord, GitHub, and Telegram by abusing their APIs.
The marketing campaign has been energetic since at the very least August 2023 when it was disclosed by a cybersecurity researcher on X.
Threat actors despatched Facebook messenger direct messages to the victims making an attempt to trick them into downloading archive recordsdata resembling RAR or ZIP recordsdata. The archives include two downloaders, a batch script and a cmd script, with the ultimate downloader used to drop the suitable Python Infostealer variant on the sufferer’s system.
“The archived file contains a BAT script which is the first downloader initiating the infection chain. The BAT script attempts to download a ZIP file via the cURL command, placing the downloaded file under the directory C:UsersPublic as myFile.zip. The BAT script proceeds to spawn another PowerShell command Expand-Archive to extract the CMD script vn.cmd from the ZIP file and proceeds with its infection.” reads the report revealed by Cybereason. “The CMD script vn.cmd is the first script liable for downloading and executing the Python Infostealer.
The infostealer can collect delicate knowledge from totally different internet browsers, together with:
Let me spotlight that Coc Coc Browser is a browser extensively utilized by the Vietnamese group. The number of this browser additionally means that there was a particular demand to focus on the Vietnamese group sooner or later.
The researchers observed that the infostealer can be capable of collect cookie data particular to Facebook.
“Aside from cookies and credential information, project.py dumps cookie information specific to Facebook cookiefb.txt to disk. This behavior is likely for the Threat Actor to hijack the victim’s Facebook account, potentially to expand their infection.” continues the report.
The researchers attribute the marketing campaign to Vietnamese-speaking people based mostly on just a few indicators, together with feedback within the scripts, naming conventions, and the presence of the Coc Coc Browser within the listing of focused browsers.
The report consists of the MITRE ATT&CK MAPPING for this marketing campaign.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
(SecurityAffairs – hacking, Snake)
