Facebook messages hijacked to steal personal information and details
New research has found that threat actors are using Facebook posts to deploy a sophisticated Python-based infostealer known as Snake.
Researchers at Cybereason have shared details of the attack, indicating that Snake’s primary goal is to obtain sensitive data and credentials from unsuspecting users.
It appears that this is a relatively new campaign, first exposed on X in August 2023, and shows bias towards Vietnamese victims.
Facebook info stealer targeting Vietnamese users
The attack uses seemingly harmless RAR or ZIP files, which, once opened, cause a series of infections involving two additional downloaders: a batch script and a cmd script. The cmd script is responsible for running the Snake infostealer from an actor-controlled GitLab repository.
Cybereason has identified three different variants of the Snake infostealer – the third is an executable compiled by PyInstaller and targets users of the Coc Coc browser, suggesting a specific focus on Vietnamese users.
Once collected, login credentials and cookies are shared across numerous platforms, including Discord, GitHub, and Telegram.
The malware also targets Facebook accounts by extracting their cookies, which points to account hijacking, likely so the compromised accounts can be abused further.
The connection with Vietnam is further strengthened by the naming conventions of the actor-controlled repositories, which reportedly refer to the Vietnamese language in the source code.
Cybereason also noted that the malware targets other browsers used worldwide, including Brave, Chromium, Google Chrome Browser, Microsoft Edge, Mozilla Firefox and Opera Web Browser.
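As an added example, not from the article or from Cybereason's report, the sketch below shows how a detection engineer might express the chain described above (archive → batch/cmd script → Python payload pulled from GitLab → credentials pushed to Discord, GitHub or Telegram) as a heuristic over process-creation and network events. The event layout and all sample values are constructed assumptions, not real telemetry or indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-like sample events (not real telemetry).
PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\photos\\run.bat"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c loader.cmd"},
    {"pid": 400, "ppid": 300, "image": "python.exe", "cmdline": "python.exe stage.py"},
    {"pid": 500, "ppid": 100, "image": "python.exe", "cmdline": "python.exe build.py"},
]
NETWORK = [
    {"pid": 400, "dest_host": "gitlab.com"},          # payload fetched from a repo
    {"pid": 400, "dest_host": "api.telegram.org"},    # credentials sent out
    {"pid": 500, "dest_host": "pypi.org"},            # benign developer activity
]

PAYLOAD_HOST = "gitlab.com"                              # assumption: staging host in the chain
EXFIL_HOSTS = {"discord.com", "api.github.com", "api.telegram.org"}  # assumption
SCRIPT_RE = re.compile(r'\.(bat|cmd)"?\s*$', re.IGNORECASE)


def is_script_host(ev):
    """cmd.exe launched to run a .bat or .cmd file (the two downloader scripts)."""
    return ev["image"].lower() == "cmd.exe" and SCRIPT_RE.search(ev["cmdline"]) is not None


def ancestors(pid, by_pid):
    """Walk the parent chain of pid, oldest last."""
    chain, ev = [], by_pid.get(pid)
    while ev and ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        chain.append(ev)
    return chain


def flag_snake_chain(processes, network):
    """Return Python processes spawned under a batch/cmd script that fetched from the
    payload host; list any known exfiltration destinations they contacted."""
    by_pid = {p["pid"]: p for p in processes}
    hosts = defaultdict(set)
    for n in network:
        hosts[n["pid"]].add(n["dest_host"].lower())
    findings = []
    for p in processes:
        if not p["image"].lower().startswith("python"):
            continue
        under_script = any(is_script_host(a) for a in ancestors(p["pid"], by_pid))
        if under_script and PAYLOAD_HOST in hosts[p["pid"]]:
            exfil = sorted(h for h in hosts[p["pid"]] if h in EXFIL_HOSTS)
            findings.append({"pid": p["pid"], "exfil_hosts": exfil})
    return findings
```

Tuning the host lists to an environment's own baseline (a developer's pip or GitLab traffic is normal) is what keeps this from firing on pid 500-style activity.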
The discovery comes amid increasing scrutiny of Facebook over its alleged failure to help victims of account takeovers.
Ny Breaking has asked Meta to share information on how users can improve their protection against such attacks, and whether the company has plans to prevent future attacks. In the meantime, users can follow best practices to protect their accounts, including using complex passwords and two-factor authentication (2FA).