A message sent through Facebook Messenger lures victims into downloading RAR or ZIP files infected with this malware.
While Facebook Messenger is today one of the most popular instant messaging services, it is also popular with attackers, who exploit the credulity of some users to spread viruses and other malware.
This is the case with Python Infostealer, an information stealer designed to capture credentials and other personal data stored on its victims' machines and in their accounts.
An attack organized in 2 stages and 3 variants
Details of the attack were first revealed on X.com (formerly Twitter) in August 2023. The campaign sends seemingly harmless RAR or ZIP archive files to potential victims via private messages on the platform. It appears to target business leaders, notifying them of fake complaints and inviting them to download the attached files.
Once opened, however, these files trigger the infection sequence. The intermediate stages involve two downloaders – a batch script and a cmd script – the latter of which is responsible for downloading and running the infostealer from an actor-controlled GitLab repository.
In a very detailed report, Cybereason identified three different variants of the stealer, the third being an executable built with PyInstaller. The malware is designed to collect data from several web browsers, including the Vietnamese browser Cốc Cốc, which points to the Asian targeting of the attacks.
Facebook: favorite playground of infostealers
The collected information, which includes credentials and cookies, is then exfiltrated as a ZIP archive via the Telegram Bot API. The stealer is also designed to dump Facebook-specific cookies, indicating an intent to take over these accounts for ransomware or identity theft.
The Vietnamese connection is further strengthened by the naming convention of the GitHub and GitLab repositories and by the fact that the source code contains references to the Vietnamese language. As Kotaro Ogino, researcher at Cybereason, puts it: “All variants support Cốc Cốc browser, which is a well-known Vietnamese browser and widely used by the Vietnamese community.”
Over the past year, several information stealers targeting Facebook cookies have appeared in the wild, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare. The development comes as Meta has been criticized in the US for failing to help victims whose accounts were hacked, with calls on the company to take immediate action against a “dramatic and persistent increase” in account hacking incidents.
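The exfiltration channel described above (a ZIP archive pushed through the Telegram Bot API) leaves a recognizable trace in outbound web proxy logs. The following detection sketch is an added example, not code from the article or from Cybereason; the log format and the bot tokens are constructed placeholders, and the size and content-type thresholds are assumptions to tune per environment.

```python
import re
from typing import Dict, List

# Constructed proxy log lines (not from the article), in a simplified
# "METHOD URL CONTENT_TYPE BYTES" format. Bot tokens are placeholders.
SAMPLE_PROXY_LOG = """\
GET https://www.example.com/ text/html 5120
POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument multipart/form-data 204800
POST https://gitlab.com/api/v4/projects application/json 512
GET https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/getMe application/json 128
POST https://api.telegram.org/bot987654321:AAAnotherPlaceholder/sendDocument application/zip 98304
"""

# Telegram Bot API URLs embed the bot token in the path; capture it so the
# numeric bot id can be used for correlation while the secret is redacted.
TELEGRAM_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+https://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<api>\w+)"
    r"\s+(?P<ctype>\S+)\s+(?P<size>\d+)$"
)

# Bot API methods that upload a file; sendDocument is how a ZIP archive travels.
UPLOAD_METHODS = {"sendDocument"}
# Content types under which an archive upload is typically seen (assumption).
ARCHIVE_CTYPES = {"application/zip", "multipart/form-data", "application/octet-stream"}
MIN_SIZE = 10 * 1024  # assumption: ignore tiny messages, dumps are larger


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful to pivot across hosts), hide the secret."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"


def find_telegram_exfil(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per POST that uploads an archive-sized file to a Telegram bot."""
    alerts = []
    for line in log_text.splitlines():
        m = TELEGRAM_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["api"] not in UPLOAD_METHODS:
            continue
        if m["ctype"] not in ARCHIVE_CTYPES or int(m["size"]) < MIN_SIZE:
            continue
        alerts.append({"bot": redact_token(m["token"]), "api": m["api"],
                       "content_type": m["ctype"], "bytes": m["size"]})
    return alerts
```

Legitimate Telegram bot traffic exists in many networks, so treat a hit as a triage lead to be correlated with the sending process and with recent archive downloads from Messenger, not as a verdict on its own.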
Source: Cybereason