Threat actors have initiated a campaign leveraging Facebook messages to disseminate Snake, a Python-based information stealer, aimed at capturing credentials and sensitive data. Cybereason researchers have disclosed the intricacies of this malware, highlighting its transmission methods across platforms like Discord, GitHub, and Telegram. The attack, first observed on social media platform X in August 2023, involves sending seemingly benign RAR or ZIP archive files that activate the infection sequence upon opening.
The intermediate stages of the attack encompass two downloaders – a batch script and a cmd script – with the latter being responsible for downloading and executing the information stealer from a GitLab repository controlled by the threat actors. Cybereason has identified three distinct variants of the stealer, with the latest one being an executable created by PyInstaller. Notably, the malware targets various web browsers, including Cốc Cốc, hinting at a focus on Vietnamese users.
Following data collection, which includes credentials and cookies, the stolen information is exfiltrated via the Telegram Bot API in the form of a ZIP archive. Additionally, Snake is designed to extract Facebook-specific cookie information, suggesting an intent to hijack user accounts. The connection to Vietnam is further solidified by the naming conventions of the GitHub and GitLab repositories, as well as references to the Vietnamese language within the source code.
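The chain described above (a script-driven download from GitLab followed by a ZIP upload through the Telegram Bot API) can be hunted for in web-proxy telemetry. The following is an added example, not code from Cybereason's report: the log format, host and process names, the `opsbot.exe` allowlist entry and the URLs are constructed assumptions, and because the summary does not say which Bot API method the stealer calls, the rule matches any POST under `/bot`.

```python
import csv, io
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
BOT_API_ALLOWLIST = {"opsbot.exe"}  # hypothetical approved internal notifier

# Constructed proxy log (not from the report): time,host,process,method,url,bytes_out
SAMPLE_LOG = """\
2024-03-01T09:00:01,WS-01,chrome.exe,GET,https://gitlab.com/example-group/example-repo,512
2024-03-01T09:02:10,WS-02,curl.exe,GET,https://gitlab.com/example-user/example-repo/-/raw/main/file.zip,300
2024-03-01T09:03:44,WS-02,project.exe,POST,https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument,184320
2024-03-01T09:05:00,WS-03,opsbot.exe,POST,https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage,220
2024-03-01T09:06:30,WS-04,python.exe,POST,https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument,90211
"""

def classify(process, method, url):
    """Return the chain stage a single request matches, or None."""
    u = urlparse(url)
    proc = process.lower()
    # Exfiltration stage: any non-allowlisted process posting to the Bot API.
    if (u.hostname == "api.telegram.org" and u.path.startswith("/bot")
            and method == "POST" and proc not in BOT_API_ALLOWLIST):
        return "exfil"
    # Download stage: GitLab content fetched by something other than a browser.
    if u.hostname == "gitlab.com" and method == "GET" and proc not in BROWSERS:
        return "download"
    return None

def hunt(log_text):
    """Group matching requests per host; hosts showing both stages rate high."""
    findings = {}
    for ts, host, process, method, url, sent in csv.reader(io.StringIO(log_text)):
        stage = classify(process, method, url)
        if stage:
            entry = findings.setdefault(host, {"stages": set(), "events": []})
            entry["stages"].add(stage)
            entry["events"].append((ts, process, stage, int(sent)))
    for entry in findings.values():
        both = entry["stages"] == {"download", "exfil"}
        entry["severity"] = "high" if both else "medium"
    return findings

if __name__ == "__main__":
    for host, f in sorted(hunt(SAMPLE_LOG).items()):
        print(host, f["severity"], f["events"])
```

Hosts rated medium still warrant review: a lone Bot API upload from an unexpected process may mean the download stage happened off-network or before log retention began.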