New Python-Based Snake Info Stealer Spreading Through Facebook Messages
https://www.indiavpn.org/2024/03/07/new-python-based-snake-info-stealer-spreading-through-facebook-messages/
Thu, 07 Mar 2024 09:46:07 +0000

Mar 07, 2024 | Newsroom | Vulnerability / Information Stealer


Threat actors are using Facebook messages to deliver a Python-based information stealer dubbed Snake that is designed to capture credentials and other sensitive data.

“The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram,” Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective victims seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.


Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.


“All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community,” Ogino said.

Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, with critics calling on the company to take immediate action to address a “dramatic and persistent spike” in account takeover incidents.


It also follows a discovery that threat actors are “using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware,” according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.

“This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link,” the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.
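Two of the network patterns described above (the Snake stealer pulling its payload from a GitLab repository and pushing a ZIP of stolen cookies out through the Telegram Bot API, and the Lua malware being served from a GitHub issue attachment that belongs to no saved issue) are the kind of thing a proxy log will show. The following is an added example, not code from the article, Cybereason or OALABS: a small triage script that classifies outbound URLs from a constructed five-field proxy log. It assumes that GitHub issue and comment attachments resolve under `/<owner>/<repo>/files/...` or `/<owner>/<repo>/assets/...` paths and that a raw GitLab file fetch contains `/-/raw/`; both are assumptions about URL layout, not facts the article states. The Telegram bot token in the sample is a placeholder and is redacted in the output because it is a secret the operator embedded in the malware.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article):
# "<timestamp> <client> <method> <url> <bytes>"
SAMPLE_LOG = """\
2024-03-07T09:46:07Z 10.0.0.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenValue/sendDocument 184320
2024-03-07T09:46:09Z 10.0.0.21 GET https://gitlab.com/someuser/someproject/-/raw/main/stealer.py 51200
2024-03-07T09:47:01Z 10.0.0.33 GET https://github.com/someorg/somerepo/files/14500000/cheat.zip 2048000
2024-03-07T09:48:00Z 10.0.0.40 GET https://github.com/someorg/somerepo/archive/refs/heads/main.zip 3000
2024-03-07T09:49:00Z 10.0.0.21 GET https://api.telegram.org/bot1234567890:AAExampleTokenValue/getMe 200
"""

# Telegram Bot API paths look like /bot<id>:<token>/<method>. The token is the
# operator's secret, so it is captured only to be redacted.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
# Bot API methods that carry a payload out of the network (assumed relevant set).
TELEGRAM_UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Assumption: issue/comment attachments on github.com live under
# /<owner>/<repo>/files/... or /<owner>/<repo>/assets/...; ordinary repository
# content (blob, raw, archive, releases) does not.
GITHUB_ATTACHMENT_RE = re.compile(r"^/[^/]+/[^/]+/(?:files|assets)/")
# Assumption: a raw file fetch from a GitLab repository contains "/-/raw/".
GITLAB_RAW_RE = re.compile(r"^/.+/-/raw/")


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, size = parts
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method, "url": url, "bytes": size}


def classify(entry):
    """Return a list of (rule, detail) findings for one parsed entry; empty if benign."""
    findings = []
    u = urlparse(entry["url"])
    host, path = u.hostname or "", u.path

    if host == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(path)
        if m:
            bot_id, _token, api_method = m.groups()   # token deliberately not reported
            if api_method in TELEGRAM_UPLOAD_METHODS:
                findings.append(("telegram_bot_upload",
                                 f"bot {bot_id}:<redacted> method {api_method} {entry['bytes']}B"))
            else:
                findings.append(("telegram_bot_api",
                                 f"bot {bot_id}:<redacted> method {api_method}"))
    elif host == "github.com" and GITHUB_ATTACHMENT_RE.match(path):
        findings.append(("github_issue_attachment", path))
    elif host == "gitlab.com" and GITLAB_RAW_RE.match(path):
        findings.append(("gitlab_raw_fetch", path))
    return findings


def triage(log_text):
    """Run classify over every well-formed line and return the findings in log order."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule, detail in classify(entry):
            results.append({"client": entry["client"], "rule": rule, "detail": detail})
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']:<10} {f['rule']:<24} {f['detail']}")
```

The rules are deliberately narrow: a `sendDocument` POST to `api.telegram.org` from a workstation is rarely legitimate and is the exact exfiltration channel the report describes, whereas a plain repository archive download from GitHub is left alone. The `telegram_bot_api` rule (non-upload methods such as `getMe`) is a lower-confidence signal that the same bot is being used for command and control checks.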

New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms
https://www.indiavpn.org/2024/01/11/new-python-based-fbot-hacking-toolkit-aims-at-cloud-and-saas-platforms/
Thu, 11 Jan 2024 19:13:04 +0000

Jan 11, 2024 | Newsroom | Cloud Security / Cyber Attacks


A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.

“Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

FBot is the latest addition to the list of cloud hacking tools that includes AlienFox, GreenBot (aka Maintance), Legion, and Predator, all four of which share code-level overlaps with AndroxGh0st.

SentinelOne described FBot as “related but distinct from these families,” owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year.


The end goal of the tool is to hijack cloud, SaaS, and web services as well as harvest credentials to obtain initial access and monetize it by selling the access to other actors.

FBot, in addition to generating API keys for AWS and Sendgrid, packs an assortment of features to generate random IP addresses, run reverse IP scanners, and even validate PayPal accounts and the email addresses associated with those accounts.

“The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website,” Delamotte noted. “Interestingly, all identified FBot samples use this website to authenticate the Paypal API requests, and several Legion Stealer samples do as well.”

On top of that, FBot packs in AWS-specific features to check for AWS Simple Email Service (SES) email configuration details and determine the targeted account’s EC2 service quotas. The Twilio-related functionality, likewise, is utilized to gather specifics about the account, namely the balance, currency, and phone numbers connected to the account.

The malware is also capable of extracting credentials from Laravel environment (.env) files, which commonly hold the same AWS, mail, Twilio, and SendGrid secrets that its other modules go on to validate.
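The .env harvesting step is worth seeing from the defender's side: a Laravel environment file is a flat `KEY=value` list, so an operator who can read it gets the AWS, SES, Twilio, and SendGrid keys in one pass, and those are precisely the services the SES-configuration and Twilio-balance checks above go on to validate. The following is an added example, not SentinelOne's code and not FBot's: a dotenv parser plus an inventory that groups populated credential-looking keys by service (with secret values redacted) so an application owner can see what a stolen copy of the file would hand over. The file content, key-prefix groupings and "secret hint" substrings are constructed assumptions for the example.

```python
import re

# Constructed Laravel .env content (not from the article); every value is a placeholder.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:c29tZXRoaW5nLXNlY3JldC1sb29raW5nLWJ1dC1mYWtl
APP_DEBUG=false

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=shop
DB_PASSWORD="s3cr3t pass # not a comment"

MAIL_MAILER=ses
MAIL_PASSWORD=
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
AWS_DEFAULT_REGION=us-east-1
export TWILIO_SID=ACexampleexampleexampleexample00
TWILIO_AUTH_TOKEN=exampletoken   # trailing comment
SENDGRID_API_KEY=
# PAYPAL_SECRET=disabled
"""

# Accepts an optional "export " prefix, as dotenv loaders commonly do.
ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Assumed key-prefix groupings: which service a given variable would be harvested for.
SERVICE_PREFIXES = {
    "aws": ("AWS_",),
    "mail": ("MAIL_", "SES_"),
    "twilio": ("TWILIO_",),
    "sendgrid": ("SENDGRID_",),
    "paypal": ("PAYPAL_",),
    "database": ("DB_",),
    "app": ("APP_KEY",),
}
# Substrings that mark a variable as holding a secret rather than plain configuration.
SECRET_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN", "SID")


def parse_env(text):
    """Parse dotenv text into a dict: skips blanks/comments, handles export, quotes, trailing comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"') and len(value) >= 2 and value.endswith(value[0]):
            value = value[1:-1]                        # quoted: keep everything inside, even '#'
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop a trailing comment
        env[key] = value
    return env


def is_secret_key(key):
    return any(h in key for h in SECRET_HINTS)


def redact(value):
    """Keep the first and last four characters so a key can be matched against the provider console."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def inventory(env):
    """Group keys by service; secret-looking values are redacted, others shown in the clear."""
    report = {}
    for key, value in env.items():
        for service, prefixes in SERVICE_PREFIXES.items():
            if key.startswith(prefixes):
                report.setdefault(service, {})[key] = redact(value) if is_secret_key(key) else value
    return report


def harvestable(env):
    """Services for which at least one secret-looking key is actually populated."""
    found = set()
    for key, value in env.items():
        if not value or not is_secret_key(key):
            continue
        for service, prefixes in SERVICE_PREFIXES.items():
            if key.startswith(prefixes):
                found.add(service)
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_env(SAMPLE_ENV)
    for service, keys in inventory(parsed).items():
        print(service, keys)
    print("harvestable:", harvestable(parsed))
```

Note that `MAIL_MAILER=ses` with an empty `MAIL_PASSWORD` is not a clean result: mail is sent through SES using the AWS keys, which is exactly why the report's SES-configuration check sits next to its AWS key validation. Run this against a copy of the real file only on a host you control, and treat any populated entry as a credential that must be rotated if the file was ever reachable from the web root.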


The cybersecurity firm said it uncovered samples starting from July 2022 to as recently as this month, suggesting that it is being actively used in the wild. That said, it’s currently not known if the tool is actively maintained and how it’s distributed to other players.

“We found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation,” Delamotte said.

“This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.”
