A new threat has emerged targeting unsuspecting Facebook users. Dubbed “Snake,” this Python-based information stealer is engineered to infiltrate systems and capture sensitive data through Facebook messages.
Python-based Snake Info Stealer Variants in the Wild
According to Cybereason researcher Kotaro Ogino, Snake operates by luring victims into opening seemingly harmless RAR or ZIP archive files. Once activated, these files initiate a complex infection sequence, orchestrated in stages to conceal its malicious intent.
The attack campaign, initially detected on the social media platform X in August 2023, employs two downloaders – a batch script and a cmd script – the latter of which downloads and executes the information stealer from an actor-controlled GitLab repository.
Cybereason has identified three variants of Snake, the latest being an executable compiled using PyInstaller. Notably, the malware is configured to target various web browsers, with a particular focus on Cốc Cốc, suggesting a Vietnamese connection.
The harvested credentials and sensitive information are then transmitted to different platforms such as Discord, GitHub, and Telegram, utilizing the Telegram Bot API to exfiltrate data in the form of a ZIP archive. Of concern is the stealer’s capability to extract Facebook-specific cookie information, indicating a motive to hijack user accounts.
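The Telegram Bot API exfiltration described above leaves a recognisable footprint in outbound web traffic: the Bot API places the bot token in the URL path and uses the sendDocument method to upload files. The following detection script is an added example written for this article; it is not Cybereason's code and not code from the Snake stealer. It assumes a simple, constructed proxy log format (timestamp, client, HTTP method, URL, status, bytes sent, content type) and constructed sample lines, and it generalises slightly beyond the page by also flagging the other file-upload methods of the Bot API (sendPhoto, sendVideo, sendAudio), not only sendDocument.

```python
"""Flag Telegram Bot API file uploads in a web-proxy log (added detection example).

Assumed log format (constructed for this example, one request per line):
    <timestamp> <client_ip> <http_method> <url> <status> <bytes_out> <content_type>
"""
import re
from urllib.parse import urlparse

# Constructed sample traffic; the bot ids and tokens are placeholders, not real values.
SAMPLE_LOG = """\
2024-03-05T10:01:12Z 10.0.0.5 GET https://www.example.com/ 200 0 -
2024-03-05T10:02:44Z 10.0.0.5 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument 200 184320 multipart/form-data
2024-03-05T10:03:01Z 10.0.0.7 POST https://api.telegram.org/bot987654321:PLACEHOLDER_TOKEN/sendMessage 200 412 application/json
2024-03-05T10:04:15Z 10.0.0.9 GET https://api.telegram.org/bot555:PLACEHOLDER_TOKEN/getUpdates 200 0 -
"""

# Bot API URL shape: /bot<numeric bot id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<method>\w+)$")

# Bot API methods that carry an uploaded file; sendDocument is the one used for archives.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit the format."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, client, method, url, status, bytes_out, ctype = fields
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "bytes_out": int(bytes_out), "ctype": ctype}


def classify(entry, min_upload_bytes=4096):
    """Return a finding for any Bot API call, rated higher for sizeable file uploads."""
    u = urlparse(entry["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    api_method = m.group("method")
    severity, reason = "info", f"Telegram Bot API call {api_method}"
    if api_method in UPLOAD_METHODS and entry["method"] == "POST":
        # A multipart POST of some size to an upload method is the shape of an archive exfil.
        if entry["bytes_out"] >= min_upload_bytes and entry["ctype"].startswith("multipart/form-data"):
            severity = "high"
            reason = f"file upload via {api_method} ({entry['bytes_out']} bytes): possible archive exfiltration"
        else:
            severity = "medium"
            reason = f"file upload via {api_method}"
    return {"ts": entry["ts"], "client": entry["client"], "bot_id": m.group("bot_id"),
            "api_method": api_method, "severity": severity, "reason": reason}


def scan(log_text):
    """Run the classifier over every parseable line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['client']} bot={f['bot_id']} {f['reason']}")
```

Because the bot id sits in the URL path, the `bot_id` field gives a stable pivot for correlating which hosts are sending data to the same bot, which is more useful for incident scoping than the destination host alone (every legitimate Telegram bot uses the same api.telegram.org endpoint). The byte threshold and content-type check are assumptions chosen for this example and should be tuned to the environment's normal Telegram usage.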
The Vietnamese influence is evident not only in the targeted browser but also in the naming conventions of the actor-controlled repositories and the presence of Vietnamese language references within the source code.
Is Meta Capable of Protecting Its Users?
Snake joins a concerning trend of information stealers aimed at compromising Facebook accounts, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare. This surge in malicious activity raises questions about Meta’s ability to protect its users, especially amidst mounting criticism for its handling of account takeover incidents.
In parallel, threat actors continue to exploit vulnerabilities in popular platforms, as evidenced by recent findings from OALABS Research. By leveraging a GitHub vulnerability and employing SEO poisoning tactics, malicious actors deceive unsuspecting users into executing Lua malware, equipped with sophisticated command-and-control capabilities.