New Snake Info Stealer Spreading via Facebook Messages

Facebook messages have become a vector for distributing a Python-based information stealer known as Snake, designed to capture sensitive data and credentials. According to the researcher’s report, the stolen credentials are transmitted to various platforms such as Discord, GitHub, and Telegram.

The campaign, first noticed on the social media platform X in August 2023, involves sending seemingly harmless RAR or ZIP archive files to potential victims. Opening these files triggers the infection sequence. The chain uses two intermediate downloaders: a batch script and a cmd script. The cmd script is responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.

The researcher has identified three variants of the stealer, with the third being an executable assembled by PyInstaller. The malware targets data from different web browsers, including Cốc Cốc, indicating a focus on Vietnamese users.

The stolen information, including credentials and cookies, is exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also programmed to extract cookie information specific to Facebook, suggesting an intent to hijack accounts for malicious purposes.
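The two network behaviours described above (a payload pulled from a GitLab repository by the cmd-script stage, and a ZIP archive pushed out through the Telegram Bot API) are both visible in web-proxy logs. The following detector is an added example written for this page, not code from the original report or from the malware; the log format, IP addresses, repository path and bot token are constructed for the demonstration, and the assumption that the proxy records the request content type is ours.

```python
"""
Added example (not from the original article): scan web-proxy log lines for
the download and exfiltration behaviours attributed to the Snake stealer, then
report hosts that show both halves of the chain.
"""
import re
from dataclasses import dataclass

# Telegram Bot API file upload. The token segment is matched generically;
# "FAKE_TOKEN" in the sample log below is a constructed value.
TELEGRAM_UPLOAD = re.compile(
    r"^https?://api\.telegram\.org/bot[^/\s]+/sendDocument(?:\?|$)", re.I)

# Script or archive fetched from a GitLab raw-file URL, the stage the article
# describes as the cmd script pulling the stealer from a GitLab repository.
GITLAB_RAW_PAYLOAD = re.compile(
    r"^https?://gitlab\.com/\S+/-/raw/\S+\.(?:cmd|bat|py|zip|exe)(?:\?|$)", re.I)

# Constructed proxy-log format (assumption): timestamp, client IP, method,
# URL, HTTP status, request content type, bytes transferred.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$")

REASON_UPLOAD = "file upload via Telegram Bot API sendDocument"
REASON_DOWNLOAD = "script/archive fetched from GitLab raw URL"


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str
    url: str


def classify(entry):
    """Return a reason string for a suspicious request, or None."""
    url, method = entry["url"], entry["method"]
    if method == "POST" and TELEGRAM_UPLOAD.search(url):
        return REASON_UPLOAD
    if method == "GET" and GITLAB_RAW_PAYLOAD.search(url):
        return REASON_DOWNLOAD
    return None


def scan(log_text):
    """Parse every well-formed line and collect the suspicious ones."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        entry = m.groupdict()
        reason = classify(entry)
        if reason:
            findings.append(Finding(entry["src"], reason, entry["url"]))
    return findings


def hosts_with_full_chain(findings):
    """Hosts that both fetched a GitLab payload and uploaded to Telegram."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.src, set()).add(f.reason)
    return sorted(h for h, reasons in by_host.items()
                  if {REASON_UPLOAD, REASON_DOWNLOAD} <= reasons)


# Constructed sample log: one host runs the full chain, another only browses.
SAMPLE_LOG = """
2024-03-01T10:00:01Z 10.0.0.5 GET https://gitlab.com/example-user/example-repo/-/raw/main/loader.cmd 200 text/plain 1842
2024-03-01T10:00:07Z 10.0.0.5 POST https://api.telegram.org/bot123456:FAKE_TOKEN/sendDocument 200 multipart/form-data 52311
2024-03-01T10:01:00Z 10.0.0.9 GET https://www.example.com/index.html 200 text/html 5120
2024-03-01T10:02:00Z 10.0.0.5 POST https://api.telegram.org/bot123456:FAKE_TOKEN/getMe 200 application/json 120
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.src}: {f.reason} ({f.url})")
    print("hosts showing the full download-then-exfil chain:",
          hosts_with_full_chain(found))
```

Matching on `sendDocument` alone will also catch legitimate Telegram bot traffic, so the correlation in `hosts_with_full_chain` is what turns two individually noisy indicators into a higher-confidence alert; in a real deployment the GitLab pattern would be tightened to the repositories named in the report rather than any raw file.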

The Vietnamese connection is further supported by the naming conventions of GitHub and GitLab repositories, as well as references to the Vietnamese language in the source code. “All of the variants support Cốc Cốc Browser, which is a well-known Vietnamese Browser used widely by the Vietnamese community,” the researcher explained.

In the past year, several information stealers targeting Facebook cookies have emerged, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare. This discovery coincides with Meta facing criticism in the U.S. for its failure to assist victims of hacked accounts, prompting calls for immediate action to address a significant increase in account takeover incidents.

Furthermore, threat actors have been found “using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware,” as reported.

The malware operators exploit a GitHub vulnerability that allows uploaded files associated with an issue on a repository to persist, even if the issue is not saved.

“This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link,” the researchers explained, highlighting the malware’s capabilities for command-and-control (C2) communications.

To protect against Snake and similar threats spread through Facebook messages, it’s essential to exercise caution when opening attachments or clicking on links, even if they appear to be from trusted sources. Be wary of messages that prompt you to download files, especially RAR or ZIP archives, as they could contain malware. Keep your software and applications updated to protect against known vulnerabilities that malware may exploit. Finally, regularly monitor your accounts for any suspicious activity and report any potential phishing attempts to the platform’s security team.