Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data.
"The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.
Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.
The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.
Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.
The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.
The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.
"All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community," Ogino said.
Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.
The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, calling on the company to take immediate action to address a "dramatic and persistent spike" in account takeover incidents.
It also follows a discovery that threat actors are "using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware," according to OALABS Research.
Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.
"This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link," the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.
Gloss