A new cybersecurity threat has emerged as threat actors utilize Facebook messages to distribute a Python-based information stealer known as Snake. Designed to capture credentials and sensitive data, Snake has been implicated in a campaign that transmits harvested credentials to various platforms, including Discord, GitHub, and Telegram.
The campaign, first reported on the social media platform X in August 2023, involves sending seemingly innocuous RAR or ZIP archive files to potential victims. Upon opening these files, an infection sequence is triggered, initiating the deployment of two downloaders – a batch script and a cmd script – with the latter responsible for fetching and executing the Snake information stealer from an actor-controlled GitLab repository.
Cybereason researchers identified three variants of the Snake stealer, with the third variant being an executable compiled by PyInstaller. This malware is designed to extract data from different web browsers, including Cốc Cốc, indicating a focus on the Vietnamese community.
The stolen information, which includes credentials and cookies, is then transmitted via the Telegram Bot API in the form of a ZIP archive. Notably, the stealer is equipped to dump cookie information specific to Facebook, suggesting an intention to hijack Facebook accounts for malicious purposes.
The Vietnamese connection is further supported by the naming convention of the GitHub and GitLab repositories, as well as references to the Vietnamese language in the source code.
This development follows a trend of multiple information stealers targeting Facebook cookies, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare. Additionally, Meta (formerly Facebook) has faced criticism in the U.S. for its perceived failure to assist victims of account takeovers, prompting calls for immediate action to address the issue.
Furthermore, threat actors have been observed leveraging a GitHub vulnerability to distribute Lua malware via a cloned game cheat website and SEO poisoning. This malware includes capabilities for command-and-control communications, highlighting the evolving tactics employed by cybercriminals.
