Snake Infostealer Abuses Facebook Messages
Threat actors are using Facebook messages to distribute a Python-based information stealer named Snake, built to harvest credentials and other sensitive data. According to Cybereason researcher Kotaro Ogino, the stolen credentials are sent to a range of platforms, including Discord, GitHub, and Telegram. Details of the campaign first surfaced on the social media platform X in August 2023: victims receive seemingly harmless RAR or ZIP archives, and opening them starts the infection chain.
Snake's Method of Operation
The chain uses two intermediate downloaders, a batch script and a cmd script. The cmd script downloads the information stealer from a GitLab repository controlled by the threat actor and executes it. Cybereason identified three variants of the stealer; the third is a standalone executable packaged with PyInstaller rather than a bare Python script. The malware targets data from several web browsers and pays particular attention to Coc Coc, a Chromium-based browser popular in Vietnam, which points to a likely Vietnamese origin.
The stolen data, consisting of credentials and cookies, is packed into a ZIP archive and exfiltrated through the Telegram Bot API. The stealer also extracts cookies specific to Facebook, which indicates an intent to hijack accounts: a valid session cookie lets an attacker reuse an already-authenticated session without the password and, in many cases, without passing MFA again. The Vietnamese connection is reinforced by the naming convention of the GitHub and GitLab repositories and by references to the Vietnamese language in the source code.
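The two observable stages above, a raw script pulled from a code-hosting repository followed by a ZIP upload to the Telegram Bot API, are both visible in web proxy logs. The following is an added hunting example, not code from Cybereason or from the Snake campaign itself. It parses constructed sample log lines (assumed format: timestamp, source IP, verb, URL, status, request content type, and an optional `filename=` field as some proxies and DLP gateways record for uploads), flags Telegram Bot API calls, rates them by method and payload type, raises the rating when the same host fetched a script or binary from a repo host earlier in the log, and masks the bot token so the report itself does not leak a working secret. The IPs, token values and repository path are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Telegram Bot API calls embed the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The secret part is 35 characters of [A-Za-z0-9_-].
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# Raw file fetches from code-hosting sites (the stager-from-GitLab step described in the article).
REPO_RAW_RE = re.compile(r"https?://(gitlab\.com|github\.com|raw\.githubusercontent\.com)/\S+")
STAGED_EXT = (".py", ".bat", ".cmd", ".exe", ".zip", ".rar")
EXFIL_METHODS = ("sendDocument", "sendMessage", "sendPhoto")

# Constructed sample proxy log lines for this example (not real traffic; tokens are fake).
# Format: <timestamp> <src_ip> <verb> <url> <status> <request_content_type> [filename=<name>]
SAMPLE_LOGS = [
    "2023-08-14T10:01:02Z 10.0.0.5 GET https://www.facebook.com/ 200 -",
    "2023-08-14T10:01:09Z 10.0.0.5 GET https://gitlab.com/example-user/example-repo/-/raw/main/stage2.py 200 -",
    "2023-08-14T10:01:15Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly0000000000/sendDocument 200 multipart/form-data filename=Output.zip",
    "2023-08-14T10:02:30Z 10.0.0.7 POST https://api.telegram.org/bot987654321:AAAnotherFakeTokenForExample0000000/sendMessage 200 application/json",
    "2023-08-14T10:03:00Z 10.0.0.9 GET https://api.telegram.org/ 200 -",
]


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    bot_id: str
    masked_token: str
    method: str
    zip_upload: bool
    staged_from_repo: bool
    severity: str


def mask_token(bot_id: str, secret: str) -> str:
    """Keep the bot id (useful for pivoting and takedown requests) but never record the full secret."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; returns None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) < 6:
        return None
    rec = dict(zip(("ts", "src", "verb", "url", "status", "ctype"), parts[:6]))
    rec["filename"] = ""
    for extra in parts[6:]:
        if extra.startswith("filename="):
            rec["filename"] = extra[len("filename="):]
    return rec


def hunt(lines: List[str]) -> List[Finding]:
    """Return one Finding per Telegram Bot API request, in log order."""
    findings: List[Finding] = []
    staged_hosts = set()  # source IPs that pulled a script or binary from a repo host earlier in the log
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = rec["url"]
        if REPO_RAW_RE.match(url) and url.lower().endswith(STAGED_EXT):
            staged_hosts.add(rec["src"])
            continue
        m = TELEGRAM_BOT_RE.match(url)
        if not m:
            continue
        zip_upload = rec["ctype"].lower() == "application/zip" or rec["filename"].lower().endswith(".zip")
        staged = rec["src"] in staged_hosts
        # ZIP handed to sendDocument matches the article's exfil pattern exactly.
        if m["method"] == "sendDocument" and zip_upload:
            severity = "high"
        elif m["method"] in EXFIL_METHODS:
            severity = "medium"
        else:
            severity = "low"
        # A prior stager download from a repo host raises the rating one step.
        if staged and severity != "high":
            severity = "high" if severity == "medium" else "medium"
        findings.append(Finding(rec["ts"], rec["src"], m["bot_id"], mask_token(m["bot_id"], m["secret"]),
                                m["method"], zip_upload, staged, severity))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.src_ip} -> bot {f.masked_token} {f.method} "
              f"zip={f.zip_upload} staged_from_repo={f.staged_from_repo}")
```

Telegram Bot API traffic is not inherently malicious, so the rating, not the match, is what drives triage: an endpoint that fetched a script from a repo host and then pushed a ZIP to `sendDocument` is the article's chain end to end, while an isolated `getUpdates` poll is probably a legitimate bot. The bot id survives masking on purpose, since it is what you would pass to Telegram in an abuse report.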
Ogino pointed out that all three variants support the Coc Coc browser, which is widely used by the Vietnamese community. Snake is not an isolated case: over the past year several information stealers targeting Facebook cookies have emerged, including S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.
This development coincides with Meta facing criticism in the U.S. for not adequately assisting victims of hacked accounts. Calls have been made for Meta to take immediate action in response to a noticeable increase in account takeover incidents.