FB Stealer

The FB Stealer family is among the more threatening unwanted browser extension strains. Although it shares several characteristics with more typical adware and browser hijackers, the additional capabilities of FB Stealer make it a genuine threat. Details about the infection chain and functions of FB Stealer were released by security researchers in a SecureList report.

According to their findings, the operators of the FB Stealer applications do not utilize the common PUP (Potentially Unwanted Program) distribution tactics designed to mask the fact that an intrusive application will be delivered to the user's device. Instead, applications of this family are dropped on the infected systems via a Trojan tracked as NullMixer. The Trojan could be injected into cracked installers for popular software products, such as SolarWinds Broadband Engineers Edition.

Once NullMixer is activated, it copies the files of the FB Stealer extension into the %AppData%\Local\Google\Chrome\User Data\Default\Extensions location. The Trojan also modifies Chrome's Secure Preferences file, which stores important Chrome settings and information about installed extensions. As a result, the threatening FB Stealer application appears as a typical Google Translate extension.

After it is executed, FB Stealer changes the default search engine to ctcodeinfo.com. In addition to the risks of having their searches redirected to an unfamiliar address, victims also may have their Facebook login credentials compromised. FB Stealer is capable of extracting Facebook session cookies and transmitting them to a server under the control of its operators. The threat actors can then abuse the cookies to log in and take over the victim's account, and could then perform various fraudulent activities, such as spreading disinformation, tricking the victim's contacts into sending money, distributing corrupted links and more.
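As an added defender-side check that is not part of the SecureList report or of this write-up, the following Python script parses a Chrome profile's Secure Preferences JSON and flags the two artefacts described above: a default search provider pointing at ctcodeinfo.com and a sideloaded (non-Web-Store) extension presenting itself as Google Translate. The key names used (extensions.settings, from_webstore, default_search_provider_data.template_url_data, chrome_settings_overrides) are assumed from Chrome's preference layout, and the sample JSON, extension IDs and paths are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Domain and impersonated extension name come from the write-up above.
SUSPECT_SEARCH_DOMAIN = "ctcodeinfo.com"
IMPERSONATED_NAME = "google translate"

def _host(url: str) -> str:
    # Chrome search URLs carry placeholders such as {searchTerms}; only the host matters here.
    return (urlparse(url).hostname or "").lower()

def audit_secure_preferences(prefs: dict) -> list[str]:
    """Return a list of findings for one Chrome profile's parsed Secure Preferences."""
    findings = []
    # 1. Default search provider redirected to the FB Stealer domain (assumed key layout).
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if _host(tpl.get("url", "")).endswith(SUSPECT_SEARCH_DOMAIN):
        findings.append(f"default search provider points to {SUSPECT_SEARCH_DOMAIN}: {tpl.get('url')}")
    # 2. Extensions not installed from the Web Store that pose as Google Translate,
    #    or whose manifest overrides the search provider to the suspect domain.
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        name = str(manifest.get("name", "")).lower()
        sideloaded = not entry.get("from_webstore", False)
        override = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
        if sideloaded and IMPERSONATED_NAME in name:
            findings.append(f"sideloaded extension {ext_id} claims to be "
                            f"'{manifest.get('name')}' (path={entry.get('path')})")
        if _host(override.get("search_url", "")).endswith(SUSPECT_SEARCH_DOMAIN):
            findings.append(f"extension {ext_id} overrides search to {SUSPECT_SEARCH_DOMAIN}")
    return findings

# Constructed sample resembling an infected profile; IDs and paths are made up.
SAMPLE_PREFS = json.loads(r'''{
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Search", "keyword": "ctcodeinfo.com",
      "url": "https://ctcodeinfo.com/search?q={searchTerms}"}},
  "extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {"from_webstore": false,
      "path": "abcdefghijklmnopabcdefghijklmnop\\1.0_0",
      "manifest": {"name": "Google Translate", "version": "1.0"}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"from_webstore": true,
      "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\2.1_0",
      "manifest": {"name": "Example Store Extension", "version": "2.1"}}}}
}''')

if __name__ == "__main__":
    for finding in audit_secure_preferences(SAMPLE_PREFS):
        print("FINDING:", finding)
```

On a real host, load the profile's Secure Preferences file with json.load and pass the result to audit_secure_preferences; a clean profile returns an empty list.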
