Hackers are attracted to social media accounts, particularly verified ones, since threat actors can exploit them for a variety of nefarious activities, including cryptocurrency scams and malware distribution. When these accounts have access to the social site's ad systems, threat actors can utilize the stolen credentials to run malicious advertisements.
Zscaler researchers have been tracking this new info-stealer and have now published a detailed technical analysis based on recent samples.
Like much malware of this kind, FFDroider is propagated through software cracks, "free" software, games, and other files obtained from torrent sites. It is installed alongside these downloads but disguised as the Telegram desktop client to avoid drawing attention. Once launched, the malware creates a Windows registry key named "FFDroider", which is where the malware's name comes from.
Zscaler's researchers have put together an attack flow chart depicting how the malware is installed on victims' devices.
FFDroider targets cookies and account credentials stored in Google Chrome (and other Chromium-based browsers), Mozilla Firefox, Internet Explorer, and Microsoft Edge.
For example, the malware reads and parses Chromium's SQLite cookie and login (credential) databases and decrypts the stored entries by calling the Windows Data Protection API function CryptUnprotectData, which works because the data is protected under the logged-on user's context that the malware already runs in.
The procedure is similar for the other browsers; for Internet Explorer and Edge, functions such as InternetGetCookieExW and IEGetProtectedModeCookie are used to pull every stored cookie.
Stealing and decrypting the stores yields cleartext usernames and passwords, which are then exfiltrated via an HTTP POST request to the C2 server; in this campaign, http[:]//152[.]32[.]228[.]19/seemorebty.
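As an added example (not from the article or from Zscaler's report), the following triage pass runs over a handful of constructed endpoint and proxy events and flags the indicators the article gives: the "FFDroider" registry key, the C2 address and path, and the Telegram masquerade. Field names follow Sysmon (EventID, Image, TargetObject, DestinationIp) plus a generic proxy-log shape; the registry hive path in the sample event and the Telegram Desktop install-path heuristic are assumptions, not details from the report.

```python
"""Triage constructed Sysmon-style and proxy events for FFDroider indicators.

Added illustration, not code from the article or Zscaler. The sample events
below are constructed; only the registry key name, C2 IP/path and the Telegram
disguise come from the article.
"""
import re
from typing import Dict, List

C2_IP = "152.32.228.19"          # defanged in the article as 152[.]32[.]228[.]19
C2_PATH = "/seemorebty"
# Registry key component named exactly "FFDroider" anywhere in the path.
REG_KEY = re.compile(r"\\FFDroider(\\|$)", re.IGNORECASE)
# Assumption: Telegram Desktop's default per-user install location. A binary
# named Telegram.exe running from anywhere else is worth a look.
TELEGRAM_DIR = re.compile(r"\\AppData\\Roaming\\Telegram Desktop\\Telegram\.exe$",
                          re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return zero or more findings for one event."""
    hits: List[str] = []
    if ev.get("source") == "sysmon":
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        # EventID 12 = registry key create/delete, 13 = registry value set
        if eid in ("12", "13") and REG_KEY.search(ev.get("TargetObject", "")):
            hits.append("registry: FFDroider key written by %s" % image)
        # EventID 3 = network connection
        if eid == "3" and ev.get("DestinationIp") == C2_IP:
            hits.append("network: connection to FFDroider C2 from %s" % image)
        # EventID 1 = process creation; Telegram.exe outside its install dir
        if eid == "1" and image.lower().endswith("telegram.exe") \
                and not TELEGRAM_DIR.search(image):
            hits.append("masquerade: Telegram.exe outside its install dir: %s" % image)
    elif ev.get("source") == "proxy":
        if ev.get("host") == C2_IP:
            kind = "exfil" if (ev.get("method") == "POST" and ev.get("path") == C2_PATH) else "contact"
            hits.append("%s: %s %s%s" % (kind, ev.get("method"), C2_IP, ev.get("path")))
    return hits


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run check_event over a batch and collect all findings."""
    findings: List[str] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry: four malicious events, three benign ones.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "sysmon", "EventID": "1",
     "Image": r"C:\Users\alice\Downloads\crack\Telegram.exe"},
    {"source": "sysmon", "EventID": "12",
     "Image": r"C:\Users\alice\Downloads\crack\Telegram.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\FFDroider"},   # hive path assumed
    {"source": "sysmon", "EventID": "3",
     "Image": r"C:\Users\alice\Downloads\crack\Telegram.exe",
     "DestinationIp": C2_IP, "DestinationPort": "80"},
    {"source": "proxy", "method": "POST", "host": C2_IP, "path": C2_PATH},
    # benign
    {"source": "sysmon", "EventID": "1",
     "Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"source": "sysmon", "EventID": "13", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"source": "proxy", "method": "GET", "host": "example.com", "path": "/"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The registry and C2 matches are exact indicators from this campaign and will go stale; the masquerade check is the more durable of the three, since a cracked download that drops a "Telegram.exe" into a Downloads folder has nothing to do with the real client's install path.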
Unlike many other password-stealing trojans, FFDroider's operators aren't interested in every account credential stored in the web browsers.
Instead, the malware developers are focusing on stealing credentials for social media accounts and eCommerce sites, including Facebook, Instagram, Amazon, eBay, Etsy, Twitter, and the portal for the WAX Cloud wallet.
The goal is to obtain valid session cookies that can be used to authenticate to these platforms, and the malware tests the stolen cookies on the fly by attempting to log in with them during the theft.
If the authentication succeeds on Facebook, for example, FFDroider fetches all of the victim's Facebook pages and bookmarks, their friend count, and the billing and payment information held in Facebook Ads Manager.
The threat actors may use this information to run fraudulent ad campaigns on the social media platform and promote their malware to a larger audience.
If successfully logged in on Instagram, FFDroider will open the account edit web page to grab the account's email address, mobile phone number, username, password, and other details.
This is an interesting aspect of the info-stealer's functionality because it isn't just trying to grab credentials but to log in on the platform and steal even more information.
After stealing the information and sending everything to the C2, FFDroider periodically downloads additional modules from its servers at fixed time intervals.
Zscaler's analysts haven't provided many details about these modules, but the downloader functionality alone makes the threat more potent, since an infected machine can be repurposed later.
To avoid this type of malware, stay away from pirated downloads and unknown software sources. As an extra precaution, a downloaded file can be checked on VirusTotal (look up its hash first; uploading the file itself makes it visible to other researchers). A clean VirusTotal result is not proof of safety, though, since fresh samples routinely evade detection for a while. Anyone who suspects infection should, in addition to changing passwords, sign out of all sessions on the affected social media and shopping accounts, because the stolen session cookies remain valid until they are revoked.
Source: BleepingComputer
All Rights Reserved | John&Partners LLC.