Credential-stealing malware disguises itself as Telegram, targets social media users

Credit to Author: Pieter Arntz| Date: Mon, 11 Apr 2022 14:14:23 +0000

A credential-stealing Windows-based malware, Spyware.FFDroider, is after social media credentials and cookies, according to researchers at ThreatLabz.

The version analyzed by the researchers was packed with Aspack. The spyware is offered on download sites pretending to be installers for freeware and cracked versions of paid software. The analyzed version of Spyware.FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”. Several campaigns were found to push out this spyware, but all of them were easily connected by the malicious program embedded in the cracked versions of installers, and freeware.

Browsers

After checking the IP of the affected machine by querying the legitimate service at iplogger.org, Spyware.FFDroider starts its cookies and credentials stealing routine. It uses specific methods for each browser to exfiltrate the data stored in the target browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Microsoft Edge

The target websites it looks for are:

  • www.facebook.com
  • www.instagram.com
  • www.amazon.ca/cn/eg/fr/de/in/it/co.jp/nl/pl/sa/sg/es/se/ae/co.uk/com/com.au/com.br/mx/tr
  • www.all-access.wax.io
  • www.ebay.com
  • www.etsy.com
  • www.twitter.com

The malware also plans to steal saved VPN/dial up credentials from the AppdataMicrosoftNetworkConnectionsPbkrasphone.pbk and Pbkrasphone.pbk phonebooks if present.

Social media

For Facebook and Instagram, the stealer has another trick up its sleeve. If the malware manages to grab cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed on the social media platforms.

First, the malware checks whether it is able to authenticate using the stolen cookies. If the cookies are valid and provide proper authentication, it sends a GET /settings request using the Access Token to facebook.com along with the authenticated cookies so it can fetch the User Account settings of the compromised account.

Next, it checks whether the compromised account is a business account and has access to Facebook Ads Manager and fetches the following details using the stolen cookies by parsing the responses:

  • Fetch Account Billing and Payment Information from the Facebook Ads Manager.
  • Fetch the users’ Facebook pages and bookmarks.
  • Enumerate the number of Facebook friends and other user related information.

Since all the stolen information is sent to a command and control (C&C) server, it is likely that this information will be leveraged later to run malicious advertisements from the victims’ account and use the compromised account’s payment method to spread the malware further.

In a very similar way, Spyware.FFDroider looks for valid session cookies for Instagram to exfiltrate personal information such as the email address, the Instagram userID, the saved password, and the phone number from the Instagram account edit webpage and send it to the C&C server.

Other functionality

Spyware.FFDroider creates an inbound whitelisting rule in the Windows Firewall to allow itself to communicate, which requires administrative privileges. This will enable normally disallowed connections to the affected system.

After stealing and sending the stolen details from the target browsers and websites to the C&C server, Spyware.FFDroider tries to upgrade itself by downloading other modules from an update server.

If the filename at the time of execution is renamed to test.exe then the malware goes into its debug state and pops up messages on every loop. It then prints out the stolen cookies and the results which are created to be sent to the C&C holding the information collected from each targeted browser for the target websites. The debug state is very likely what the malware authors used to check the malware’s functionality during development.

IOCs

Files and folders:

The malware creates a directory in %UserProfile%Documents named VlcpVideov1.01

In this folder it drops the file:

Install.exe

The malware is hosted online as:

vinmall880.exe

vinmall1.exe

lilay.exe

SHA256 hashes:

3596982adf10806e7128f8f64621ec7546f4c56e445010523a1a5a584254f786

7eb7bd960e43164184e41cdacf847394a5aa8b7bce357d65683bc641eef3381b

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

d7e81d5c26a9ff81d44ff842694b1a8732211e21ac32a471641c4277c1927ca5

All detected by Malwarebytes as Spyware.FFDroider

Malwarebytes blocks Spyware.FFDroider

Subdomain:

download.studymathlive.com

Malwarebytes blocks the subdomain download.studymathlive.com

IPs:

C2: http://152.32.228.19/seemorebty

Update server: http://186.2.171.17/seemorebtu/poe.php?e=<filename>

Malwarebytes blocks the IP 186.1.171.17

Registry key:

HKCUSoftwareffdroiderFFDroider

Stay safe, everyone!

The post Credential-stealing malware disguises itself as Telegram, targets social media users appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/