
Snake Infostealer

Threat actors are utilizing Facebook messages to disseminate a Python-based information stealer known as Snake. This malicious tool is crafted to capture sensitive data, including credentials. The pilfered credentials are subsequently transmitted to various platforms, such as Discord, GitHub and Telegram.

Details regarding this campaign initially surfaced on the social media platform X in August 2023. The modus operandi involves sending seemingly harmless RAR or ZIP archive files to unsuspecting victims. Opening these files triggers the infection sequence, which comprises two intermediary downloader stages – a batch script and a cmd script. The latter is responsible for fetching and executing the information stealer from a GitLab repository controlled by the threat actor.

Several Versions of the Snake Infostealer Unearthed by Researchers

Security experts have identified three distinct versions of the information stealer, with the third variant compiled as an executable through PyInstaller. Notably, the malware is tailored to extract data from various Web browsers, including Cốc Cốc, implying a focus on Vietnamese targets.

The gathered data, encompassing both credentials and cookies, is subsequently transmitted in the form of a ZIP archive using the Telegram Bot API. Additionally, the stealer is configured to specifically extract cookie information linked to Facebook, suggesting an intent to compromise and manipulate user accounts for malicious purposes.
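As an added defender-side illustration (not code from this write-up, the researchers, or the malware itself), the following Python correlates the chain described in the two passages above: a .bat/.cmd downloader launch, the fetch of the stealer from GitLab, and the ZIP upload through the Telegram Bot API sendDocument method. The JSON-per-line telemetry format, hostnames, file paths and bot-token placeholder are all constructed assumptions.

```python
"""Correlate endpoint telemetry for the delivery chain described above:
a .bat/.cmd downloader runs, the stealer is fetched from GitLab, and the
credential/cookie ZIP is uploaded via the Telegram Bot API sendDocument
method. Log format, hosts, paths and the bot token are constructed
placeholders for this example, not real indicators."""
import json
from datetime import datetime, timedelta

# Constructed JSON-per-line telemetry: PC-A shows the full chain, PC-B is benign.
SAMPLE_LOG = r"""
{"ts":"2024-03-01T09:00:05","host":"PC-A","type":"process","cmdline":"cmd.exe /c C:\\Users\\u\\Downloads\\photos\\view.bat"}
{"ts":"2024-03-01T09:00:09","host":"PC-A","type":"process","cmdline":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.cmd"}
{"ts":"2024-03-01T09:00:12","host":"PC-A","type":"net","dest":"gitlab.com","path":"/example-user/example-repo/-/raw/main/x.py"}
{"ts":"2024-03-01T09:01:40","host":"PC-A","type":"net","dest":"api.telegram.org","path":"/botPLACEHOLDER_TOKEN/sendDocument"}
{"ts":"2024-03-01T09:02:00","host":"PC-B","type":"net","dest":"api.telegram.org","path":"/botPLACEHOLDER_TOKEN/getUpdates"}
"""

WINDOW = timedelta(minutes=10)      # max time from script launch to exfil
SCRIPT_EXT = (".bat", ".cmd")

def parse_events(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def detect_snake_chain(events):
    """Return hosts where, within WINDOW, a .bat/.cmd launch is followed by a
    GitLab fetch and then a Telegram sendDocument upload (stages 0 -> 1 -> 2)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
        stage, start = 0, None
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if start is not None and t - start > WINDOW:
                stage, start = 0, None           # chain timed out; start over
            if stage == 0 and ev["type"] == "process" and any(
                    tok.lower().endswith(SCRIPT_EXT) for tok in ev["cmdline"].split()):
                stage, start = 1, t
            elif stage == 1 and ev["type"] == "net" and ev["dest"].endswith("gitlab.com"):
                stage = 2
            elif (stage == 2 and ev["type"] == "net" and ev["dest"] == "api.telegram.org"
                    and ev["path"].endswith("/sendDocument")):
                hits.append(host)
                break
    return hits

if __name__ == "__main__":
    print(detect_snake_chain(parse_events(SAMPLE_LOG)))   # ['PC-A']
```

Each stage alone (a cmd script, a GitLab download, a Telegram bot call) is common benign activity; the ordering and the short time window are what make the correlation useful.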

The Vietnamese connection is further evidenced by the naming conventions of the GitHub and GitLab repositories, along with explicit references to the Vietnamese language in the source code. It's worth noting that all variants of the stealer are compatible with the Cốc Cốc Browser, a widely used Web browser within the Vietnamese community.

Threat Actors Continue to Exploit Legitimate Services for Their Purposes

In the past year, a series of information stealers targeting Facebook cookies have surfaced, including the S1deload Stealer, MrTonyScam, NodeStealer and VietCredCare.

This trend coincides with increased scrutiny of Meta in the U.S., where the company has faced criticism for its perceived failure to aid victims of hacked accounts. Calls have been made for Meta to address the rising and persistent incidents of account takeovers promptly.

In addition to these concerns, it has been discovered that threat actors are employing various tactics, such as a cloned game cheat website, SEO poisoning, and a GitHub bug, to deceive potential game hackers into executing Lua malware. Notably, the malware operators exploit a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist, even if the issue is not saved.

This implies that individuals can upload a file to any GitHub repository without leaving a trace, except for the direct link. The malware is equipped with Command-and-Control (C2) communication capabilities, adding another layer of sophistication to these threatening activities.
