Socelars

Socelars is a new info-stealer Trojan strain that infosec experts have detected lurking in the wild. The main goal of the threat is to collect session cookies and additional sensitive Facebook and Amazon data. Although certain characteristics and aspects of its behavior appear similar to other information-stealer threats such as AdKoob and Stresspaint, which also had Facebook as a primary target, the cybersecurity researcher Vitali Kremez, who analyzed the underlying code, concluded that Socelars is not a variant of either of them. Instead, the most likely conjecture is that the creators of Socelars were heavily inspired by those earlier Trojans.

Socelars' Main Target Is the Facebook Advertisements Manager

Once it has successfully infiltrated the targeted computer, the Socelars Trojan begins to execute its harmful programming. The first step is to access the browser's Cookies SQLite database, which allows it to collect cookies from both Chrome and Firefox. With the relevant cookies in hand, Socelars proceeds to the next step: connecting to several Facebook URLs from which additional information is retrieved. The URLs in question are:

  • https://www.facebook.com/bookmarks/pages?ref_type=logout_gear
  • https://secure.facebook.com/settings
  • https://secure.facebook.com/advertisements/manager/account_settings/account_billing/

The third URL, account_billing, contains data such as the user's account_token and account_ID. Equipped with this information, Socelars then collects data from the Advertisements Manager settings by leveraging a Facebook Graph API call.

All the collected information, which includes credit/debit card details, PayPal email, cookies, account IDs, account tokens, email addresses, spending limits, etc., is compacted and transmitted to the Command-and-Control (C&C, C2) infrastructure that has been set up by the hackers.
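The behavior described above gives defenders two observable signals: a process that is not a browser opening the Chrome or Firefox cookie database, and the account_billing URL being requested by something whose User-Agent is not a browser. The following script is an added example (it is not code from the original article or from the Socelars sample) that turns both into simple detection rules and runs them over constructed sample telemetry. The event field names, the cookie database paths and the User-Agent strings are assumptions made for this example, not values taken from the article.

```python
"""
Added example (not from the original article or the Socelars sample):
detection logic for the two behaviours the write-up describes, run over
constructed sample telemetry.

  1. A non-browser process opening a Chrome or Firefox cookie database
     (the article says Socelars reads the Cookies SQLite database of both).
  2. The Facebook Ads Manager account_billing URL (listed in the article as
     the source of account_token / account_ID) requested with a User-Agent
     that does not look like a browser.

Event field names, cookie DB paths and User-Agent strings are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed on-disk locations of the cookie databases (conventional profile layout).
COOKIE_DB_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe"}

# URL from the article: the third Facebook page Socelars retrieves.
ADS_BILLING_URL = ("https://secure.facebook.com/advertisements/manager/"
                   "account_settings/account_billing/")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def looks_like_browser(user_agent: str) -> bool:
    """Crude heuristic: mainstream browser UAs start with Mozilla/ and carry an engine token."""
    ua = user_agent or ""
    return ua.startswith("Mozilla/") and any(t in ua for t in ("Chrome/", "Firefox/", "Safari/"))


def check_file_events(events):
    """events: iterable of {"process": image name, "path": file that was opened}."""
    alerts = []
    for ev in events:
        if ev["process"].lower() in BROWSER_PROCESSES:
            continue  # a browser reading its own cookie jar is expected
        if any(p.search(ev["path"]) for p in COOKIE_DB_PATTERNS):
            alerts.append(Alert("cookie_db_read_by_non_browser",
                                f"{ev['process']} opened {ev['path']}"))
    return alerts


def check_web_events(events):
    """events: iterable of {"client": source IP, "url": requested URL, "user_agent": UA}."""
    alerts = []
    for ev in events:
        if ev["url"].startswith(ADS_BILLING_URL) and not looks_like_browser(ev["user_agent"]):
            alerts.append(Alert("ads_billing_fetch_non_browser_ua",
                                f"{ev['client']} fetched account_billing with UA {ev['user_agent']!r}"))
    return alerts


# Constructed sample telemetry (not real logs). "PDFreader.exe" is the lure name from the article.
CHROME_COOKIES = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
FIREFOX_COOKIES = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3d2.default-release\cookies.sqlite"
SAMPLE_FILE_EVENTS = [
    {"process": "chrome.exe", "path": CHROME_COOKIES},        # benign
    {"process": "PDFreader.exe", "path": CHROME_COOKIES},     # flagged
    {"process": "PDFreader.exe", "path": FIREFOX_COOKIES},    # flagged
    {"process": "PDFreader.exe", "path": r"C:\Users\alice\Documents\report.pdf"},  # benign
]
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
SAMPLE_WEB_EVENTS = [
    {"client": "10.0.0.5", "url": ADS_BILLING_URL, "user_agent": BROWSER_UA},                      # benign
    {"client": "10.0.0.7", "url": ADS_BILLING_URL, "user_agent": "WinHTTP-Client/1.0"},            # flagged
    {"client": "10.0.0.7", "url": "https://secure.facebook.com/settings", "user_agent": "WinHTTP-Client/1.0"},  # not a rule
]


def run_sample():
    """Run both rules over the constructed telemetry and return the alerts in order."""
    return check_file_events(SAMPLE_FILE_EVENTS) + check_web_events(SAMPLE_WEB_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.detail}")
```

On real telemetry the file rule maps onto EDR or Sysmon file-open events and the web rule onto proxy logs; both are starting points that need tuning, since backup agents legitimately touch profile directories and some legitimate tooling uses non-browser User-Agents.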

Socelars' Secondary Target Is Amazon

Compared to the threatening activity dedicated to the Facebook Advertisements Manager, the functionality dedicated to targeting Amazon appears heavily truncated. Nevertheless, Socelars is capable of collecting Amazon.com and Amazon.co.uk session cookies. Instead of leveraging the acquired data to mine further information, though, Socelars simply sends the cookies to the C&C servers. Keep in mind, however, that access to the Amazon cookies would allow the hackers to log in as the compromised user.

Socelars May Be Propagated by Adware Applications

The Socelars Trojan disguises itself as a fake PDF reader and editing program called 'PDFreader.' The fake application was observed to be delivered from several websites and has its executables signed with a digital certificate issued by Sectigo RSA Code Signing CA to an entity named 'Rakete Content Gmbh.'

As the websites connected to PDFreader appear to lack active download links, the most likely method employed to distribute the Trojan is through adware bundles. Indeed, researchers from K7 Computing reported that an adware family known as Linkury has begun delivering fully-fledged malware threats in addition to the usual browser-hijacker applications. The three detected malware payloads were all info-stealer Trojans: Glupteba, KPOT Stealer and Socelars.
