New Python-Based Snake Info Stealer Spreading Through Facebook Messages
Threat actors are using Facebook messages to distribute Snake, a Python-based information stealer designed to harvest sensitive data, including credentials.
According to a technical analysis by Cybereason researcher Kotaro Ogino, “the credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram.”
Details of the campaign first surfaced on the social media network X in August 2023. The attackers send seemingly harmless RAR or ZIP archive files to prospective victims; opening them starts the infection chain.
Two downloaders are used in the intermediate stages: a batch script and a cmd script. The latter is responsible for downloading and running the information stealer from a GitLab repository under the actor's control.
Cybereason said it identified three distinct variants of the stealer, the third of which is an executable packaged with PyInstaller. The malware appears to have a Vietnamese focus, as it is built to collect data from several web browsers, including Cốc Cốc.
The gathered data, which includes cookies and credentials, is then packed into a ZIP archive and exfiltrated using the Telegram Bot API. The stealer is also designed to dump Facebook-specific cookie data, a sign that the threat actor most likely intends to hijack those accounts for their own gain.
The Vietnamese connection is further supported by the GitHub and GitLab repository names and by Vietnamese-language references in the source code.
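The two observable stages described above, a raw script fetched from a GitLab repository followed by a ZIP archive uploaded through the Telegram Bot API, are the kind of thing a defender can look for in web proxy logs. The following triage script is an added example, not code from Cybereason or the article: it assumes a hypothetical space-separated proxy log format (timestamp, source IP, method, URL, status, request bytes, optional upload filename), uses constructed sample lines, flags POSTs to the Bot API's sendDocument endpoint, raises the severity when the upload is a ZIP or was preceded by a gitlab.com raw fetch from the same host, and records only the numeric bot ID so the bot token itself is never written into alerts.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article). Assumed format:
# "<iso8601 ts> <src_ip> <method> <url> <status> <req_bytes> [<upload_filename>]"
SAMPLE_LOGS = [
    "2024-03-05T10:01:02Z 10.0.0.12 GET https://gitlab.com/constructed-group/constructed-repo/-/raw/main/stage2.py 200 0",
    "2024-03-05T10:01:09Z 10.0.0.12 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_XXXX/sendDocument 200 218340 DESKTOP-1234_cookies.zip",
    "2024-03-05T10:02:00Z 10.0.0.33 GET https://api.telegram.org/bot987654321:CONSTRUCTED_TOKEN_YYYY/getMe 200 0",
    "2024-03-05T10:03:11Z 10.0.0.45 GET https://www.example.com/index.html 200 0",
    "2024-03-05T10:04:30Z 10.0.0.50 POST https://api.telegram.org/bot555555555:CONSTRUCTED_TOKEN_ZZZZ/sendMessage 200 310",
]

# Bot API paths look like /bot<numeric id>:<secret>/<method>; we keep only the id.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<botid>\d+):(?P<secret>[^/]+)/(?P<method>[A-Za-z]+)$")
GITLAB_RAW_PATH = re.compile(r"/-/raw/")
STAGE_WINDOW = timedelta(minutes=10)  # how close the loader fetch must be to the upload


@dataclass
class Finding:
    src: str
    severity: str
    reason: str
    bot_id: str  # numeric bot id only; the secret part of the token is never stored


def parse_line(line):
    parts = line.split()
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
        "src": parts[1],
        "method": parts[2],
        "url": urlsplit(parts[3]),
        "status": int(parts[4]),
        "bytes": int(parts[5]),
        "filename": parts[6] if len(parts) > 6 else "",
    }


def triage(lines):
    records = [parse_line(line) for line in lines]

    # Index raw-file fetches from gitlab.com per source host (the stage-2 download).
    raw_fetches = {}
    for r in records:
        if r["url"].hostname == "gitlab.com" and GITLAB_RAW_PATH.search(r["url"].path):
            raw_fetches.setdefault(r["src"], []).append(r["ts"])

    findings = []
    for r in records:
        if r["url"].hostname != "api.telegram.org" or r["method"] != "POST":
            continue
        m = TELEGRAM_BOT_PATH.match(r["url"].path)
        if not m or m.group("method") != "sendDocument":
            continue  # getMe / sendMessage etc. are not file uploads

        severity, reason = "medium", "endpoint uploaded a document to a Telegram bot"
        if r["filename"].lower().endswith(".zip"):
            severity, reason = "high", "endpoint uploaded a ZIP archive to a Telegram bot"

        # Escalate when the same host pulled a raw file from gitlab.com shortly before.
        staged = any(r["ts"] - STAGE_WINDOW <= t <= r["ts"] for t in raw_fetches.get(r["src"], []))
        if staged:
            severity = "critical"
            reason += "; preceded by a raw file fetch from gitlab.com (staged-loader pattern)"

        findings.append(Finding(r["src"], severity, reason, m.group("botid")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src} bot_id={f.bot_id}: {f.reason}")
```

Legitimate Telegram use on corporate endpoints is rare but not impossible, so the sendDocument match alone is scored medium; it is the combination with the ZIP upload and the preceding raw fetch that turns a single line into an incident-worthy alert.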
“All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community,” Ogino said.
A number of information stealers that target Facebook cookies have surfaced in the wild over the last year, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.
This development coincides with calls in the United States for Meta to act immediately to address a “dramatic and persistent spike” in account takeover instances after the firm was found to be negligent in helping victims of hijacked accounts.
It also comes after OALABS Research found that threat actors are tricking would-be game hackers into executing Lua malware by “using a cloned game cheat website, SEO poisoning, and a bug in GitHub.”
Specifically, the malware operators are abusing a GitHub weakness that allows a file uploaded as an attachment to a repository issue to persist even when the issue is never saved.
“This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link,” the researchers said, adding that the malware is capable of command-and-control (C2) communication.