Recent reports describe a wave of attacks targeting Facebook users through malicious messages. The threat actors use a Python-based information stealer tracked as Snake, which is built specifically to capture user credentials and other sensitive data.

According to Cybereason researcher Kotaro Ogino, the stolen credentials are sent to several platforms, including Discord, GitHub, and Telegram. The campaign was first noted on X (formerly Twitter) in August 2023 and follows a consistent pattern: attackers distribute seemingly benign RAR or ZIP archives which, once opened, start a multi-stage infection chain.

The initial stages of the attack rely on two downloaders: a batch script and a CMD script. The latter downloads the information stealer from a GitLab repository controlled by the attackers. Cybereason's investigation uncovered three distinct variants of the stealer, one of them an executable built with PyInstaller. All three collect data from web browsers, with particular emphasis on Cốc Cốc, a browser popular in Vietnam, which underscores the geographic focus of this threat.

The exfiltrated data, consisting of user credentials and cookies, is packaged into a ZIP file and transmitted via the Telegram Bot API. Notably, the stealer also targets Facebook-specific cookies, which suggests the attackers intend to hijack victims' accounts. The connection to Vietnam is further supported by the naming conventions of the GitHub and GitLab repositories involved, along with Vietnamese-language strings in the source code.
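The two network behaviours described above, a script-driven fetch from a code-hosting raw endpoint and an archive upload to the Telegram Bot API, are both visible in outbound proxy logs. The following detection logic is an added example written for this article, not code from Cybereason or from the campaign; the log format, hostnames, paths and user-agents in the sample lines are constructed.

```python
"""Triage outbound proxy logs for the two network stages the report describes:
a downloader pulling a payload from a code-hosting raw endpoint, and a stealer
posting an archive to the Telegram Bot API. Log format is constructed."""
import re
from urllib.parse import urlparse

# Constructed sample lines (not real traffic): METHOD URL UA=<agent> BYTES=<sent>
SAMPLE_LOGS = [
    "GET https://gitlab.com/example-user/proj/-/raw/main/payload.py UA=curl/8.0 BYTES=0",
    "POST https://api.telegram.org/bot123456:ABCDEF/sendDocument UA=python-requests/2.31 BYTES=184320",
    "GET https://www.example.com/index.html UA=Mozilla/5.0 BYTES=0",
    "POST https://api.telegram.org/bot123456:ABCDEF/sendMessage UA=python-requests/2.31 BYTES=210",
]

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) UA=(?P<ua>\S+) BYTES=(?P<bytes>\d+)$")
# Telegram Bot API paths embed the bot token: /bot<id>:<secret>/<method>
TG_TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+/")
TG_UPLOAD_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/send(Document|Photo|Video)$")
RAW_CODE_HOSTS = {"gitlab.com", "raw.githubusercontent.com"}
SCRIPT_UAS = ("curl/", "wget/", "python-requests/", "python-urllib/")

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return an alert label for a parsed entry, or None when it looks benign."""
    u = urlparse(entry["url"])
    script_ua = entry["ua"].lower().startswith(SCRIPT_UAS)
    if u.hostname == "api.telegram.org" and TG_UPLOAD_RE.match(u.path) and script_ua:
        return "telegram-bot-upload"   # archive of cookies/credentials leaving via sendDocument
    raw_path = "/raw/" in u.path or u.hostname.startswith("raw.")
    if u.hostname in RAW_CODE_HOSTS and raw_path and script_ua:
        return "raw-code-host-fetch"   # downloader stage pulling the stealer payload
    return None

def triage(lines):
    """Return (label, redacted_url, bytes_sent) for every suspicious line."""
    alerts = []
    for line in lines:
        entry = parse(line)
        label = classify(entry) if entry else None
        if label:
            # Mask the bot token so the alert can be shared without leaking it
            url = TG_TOKEN_RE.sub("/bot<redacted>/", entry["url"])
            alerts.append((label, url, int(entry["bytes"])))
    return alerts
```

The byte count on the upload alert is worth keeping: a `sendDocument` call carrying hundreds of kilobytes from a scripting user-agent is a stronger signal than the bare API call.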

This development is alarming in the broader context of escalating threats against Facebook users. Over the past year, several information stealers built to harvest Facebook cookies have surfaced, including S1deload Stealer and MrTonyScam. The rise in such attacks has been attributed to a gap between platform security and emerging threats, a view echoed in the criticism directed at Meta for its inadequate support for victims of account takeovers.

Separate findings add to the picture: malicious actors are also using a cloned gaming cheat website, SEO poisoning, and a GitHub weakness to trick potential victims into executing Lua malware. The GitHub flaw they exploit allows uploaded files to remain hosted within a repository even when the associated issue is never saved.

As these threats continue to evolve, it is critical for organizations to understand and defend against the tactics catalogued in the MITRE ATT&CK framework. Initial access via malicious attachments and persistence through scripts are both clearly evident in these attacks. Business owners must remain vigilant against such intrusion attempts and employ robust cybersecurity measures to mitigate the risk.