Beware! Snake Infostealer Targets Facebook Users

Cybereason has identified a new malware variant named Snake, which spreads through Facebook messages. Written in Python, the infostealer is designed to steal confidential user data.

The stolen data is sent out through various platforms, including Discord, GitHub, and Telegram. Initial reports of this campaign surfaced on the social network X in August 2023. The attackers send potential victims RAR or ZIP archives, and opening the archive starts the infection process.

The infection chain then uses two loaders: a Batch script and a cmd script. The latter downloads and executes the malicious program from the attacker’s repository on GitLab.

Snake Python infostealer

Cybereason researchers have uncovered three different variants of this malware, one of which is an executable file compiled using PyInstaller. The infostealer is built to harvest data from various web browsers, including the Vietnamese browser Cốc Cốc, indicating a focus on the Vietnamese audience.

The gathered information, including credentials and cookies, is exported as a ZIP archive via a Telegram bot. The malware is also engineered to steal Facebook cookie information, underscoring the cybercriminal’s intent to hijack accounts for their own purposes.

The connection to the Vietnamese language is further evidenced by the naming conventions of repositories on GitHub and GitLab and the presence of references to the Vietnamese language in the source code. All variants support the Cốc Cốc browser, widely used within the Vietnamese community.
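For defenders, the behaviour described above (a non-browser process reading browser credential stores, Cốc Cốc included, and then contacting Telegram or Discord) can be hunted in endpoint telemetry. The following is an added example, not code from Cybereason or from the malware; the event schema, the sample events, the store paths and the host list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed default Windows profile locations for Chromium-based browsers.
STORE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|CocCoc\\Browser)"
    r"\\User Data\\.+\\(Cookies|Login Data)$", re.I)
# Image names are easy to spoof; production rules should also check signer and path.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "browser.exe"}  # browser.exe = Cốc Cốc (assumed)
# Assumed hostnames for the exfiltration platforms the article names.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "api.github.com"}

def detect(events):
    """Alert when a non-browser process reads a browser cookie or login store
    and later connects to one of the exfiltration hosts."""
    touched = defaultdict(set)  # pid -> browser families whose stores were read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue  # a browser reading its own profile is expected
        if ev["type"] == "file_read":
            m = STORE.search(ev["path"])
            if m:
                touched[ev["pid"]].add(m.group(1).lower())
        elif ev["type"] == "net_connect":
            if ev["host"].lower() in EXFIL_HOSTS and touched[ev["pid"]]:
                fams = sorted(touched[ev["pid"]])
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "host": ev["host"], "browsers": fams,
                               # several browsers harvested by one process: stealer-like
                               "severity": "high" if len(fams) >= 2 else "medium"})
    return alerts

P = r"C:\Users\a\AppData\Local"
# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "image": P + r"\Google\Chrome\Application\chrome.exe",
     "type": "file_read", "path": P + r"\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 2, "pid": 200, "image": P + r"\Temp\sample.exe",
     "type": "file_read", "path": P + r"\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 3, "pid": 200, "image": P + r"\Temp\sample.exe",
     "type": "file_read", "path": P + r"\CocCoc\Browser\User Data\Default\Network\Cookies"},
    {"ts": 4, "pid": 200, "image": P + r"\Temp\sample.exe",
     "type": "net_connect", "host": "api.telegram.org"},
    {"ts": 5, "pid": 300, "image": r"C:\Python311\python.exe",
     "type": "net_connect", "host": "api.telegram.org"},  # legitimate bot, no store reads
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
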