A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims’ social media accounts.
Social media accounts, especially verified ones, are an attractive target for hackers, as threat actors can use them for various malicious activities, including conducting cryptocurrency scams and distributing malware.
These accounts are even more attractive when they have access to the social site’s ad platforms, allowing threat actors to use the stolen credentials to run malicious advertisements.
Distributed through software cracks
Researchers at Zscaler have been tracking the new info-stealer and its spread and published a detailed technical analysis today based on recent samples.
Like many malware, FFDroider is spread through software cracks, free software, games, and other files downloaded from torrent sites.
When installing these downloads, FFDroider will also be installed, but disguised as the Telegram desktop app to evade detection.
Once launched, the malware will create a Windows registry key named “FFDroider,” which led to the naming of this new malware.
FFDroider adding a registry key on the infected system (Zscaler)
The Zscaler researchers have put together an attack flow chart illustrating how the malware is installed on victims’ devices.
FFDroider’s infection and operational flow (Zscaler)
FFDroider targets cookies and account credentials stored in Google Chrome (and Chrome-based browsers), Mozilla Firefox, Internet Explorer, and Microsoft Edge.
For example, the malware reads and parses the Chromium SQLite cookie and SQLite Credential stores and decrypts the entries by abusing Windows Crypt API, specifically, the CryptUnProtectData function.
The procedure is similar for the other browsers, with functions like InternetGetCookieExW and IEGetProtectedModeCookie abused to snatch all cookies stored in Internet Explorer and Edge.
The malware executing functions to steal Facebook cookies from IE (Zscaler)
The theft and decryption result in cleartext usernames and passwords, which are then exfiltrated via an HTTP POST request to the C2 server; in this campaign, http[:]//152[.]32[.]228[.]19/seemorebty.
Exfiltration of stolen data via a POST request (Zscaler)
Targeting social media
Unlike many other password-stealing trojans, FFDroider’s operators aren’t interested in all account credentials stored in the web browsers.
Instead, the malware developers are focusing on stealing credentials for social media accounts and eCommerce sites, including Facebook, Instagram, Amazon, eBay, Etsy, Twitter, and the portal for the WAX Cloud wallet.
The goal is to steal valid cookies that can be used to authenticate on these platforms, and this is tested on the fly by the malware during the procedure.
Stealing Facebook cookies from the browser (Zscaler)
If authentication on Facebook succeeds, for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim’s friends, and their account billing and payment information from the Facebook Ads manager.
The threat actors may use this information to run fraudulent ad campaigns on the social media platform and promote their malware to a larger audience.
If successfully logged in on Instagram, FFDroider will open the account edit web page to grab the account’s email address, mobile phone number, username, password, and other details.
Trying out the stolen Instagram cookie (Zscaler)
This is an interesting aspect of the info-stealer’s functionality because it isn’t just trying to grab credentials but to log in on the platform and steal even more information.
After stealing the information and sending everything to the C2, FFDroider focuses on downloading additional modules from its servers at fixed time intervals.
Zscaler’s analysts haven’t provided many details about these modules, but having a downloader functionality makes the threat even more potent.
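The three behaviours the report describes, the “FFDroider” registry key, the HTTP POST exfiltration to the C2 address, and the fixed-interval module downloads, are all visible in ordinary endpoint and proxy telemetry. The following Python is an added detection example written for this article; it is not code from Zscaler or from the malware. It runs two checks over a constructed log sample: static indicator matching, and a period check that flags a process contacting the same destination at a near-constant interval, which catches the module polling even if the server address changes. The only value taken from the report is the C2 address; the field names, the Telegram.exe path, and the module-download URL path are assumptions.

```python
"""Added detection example for the FFDroider behaviours described above.
Not Zscaler's code; telemetry format and most values are constructed."""
import json
from collections import defaultdict

# Indicators taken from the report (the article prints them defanged).
C2_HOST = "152.32.228.19"
C2_EXFIL_URL = "http://152.32.228.19/seemorebty"
REGISTRY_MARKER = "ffdroider"  # compared case-insensitively

# Constructed telemetry, one JSON record per line: a Sysmon-style registry
# event plus proxy-style HTTP events. The Telegram.exe path, the Firefox
# traffic and the "/module-path-constructed" URL are made up for the sample.
SAMPLE_LOG = r"""
{"ts": 100, "type": "registry", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "key": "HKCU\\Software\\FFDroider"}
{"ts": 105, "type": "http", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "method": "POST", "dest": "152.32.228.19", "url": "http://152.32.228.19/seemorebty"}
{"ts": 110, "type": "http", "host": "pc1", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "method": "GET", "dest": "example.org", "url": "https://example.org/"}
{"ts": 130, "type": "http", "host": "pc1", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "method": "GET", "dest": "example.org", "url": "https://example.org/news"}
{"ts": 405, "type": "http", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "method": "GET", "dest": "152.32.228.19", "url": "http://152.32.228.19/module-path-constructed"}
{"ts": 500, "type": "http", "host": "pc1", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "method": "GET", "dest": "example.org", "url": "https://example.org/a"}
{"ts": 705, "type": "http", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "method": "GET", "dest": "152.32.228.19", "url": "http://152.32.228.19/module-path-constructed"}
{"ts": 1005, "type": "http", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "method": "GET", "dest": "152.32.228.19", "url": "http://152.32.228.19/module-path-constructed"}
{"ts": 1305, "type": "http", "host": "pc1", "image": "C:\\Users\\u\\Downloads\\Telegram.exe", "method": "GET", "dest": "152.32.228.19", "url": "http://152.32.228.19/module-path-constructed"}
{"ts": 2000, "type": "http", "host": "pc1", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "method": "GET", "dest": "example.org", "url": "https://example.org/b"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_iocs(events):
    """Return (rule, event) pairs for the static indicators from the report."""
    hits = []
    for ev in events:
        if ev["type"] == "registry" and REGISTRY_MARKER in ev.get("key", "").lower():
            hits.append(("registry_marker", ev))
        elif ev["type"] == "http" and ev.get("dest") == C2_HOST:
            if ev.get("method") == "POST" and ev.get("url") == C2_EXFIL_URL:
                hits.append(("c2_exfil_post", ev))
            else:
                hits.append(("c2_contact", ev))
    return hits


def find_beacons(events, min_count=4, jitter=0.1):
    """Flag (host, image, dest, period) where one process reaches the same
    destination at least min_count times with gaps that vary by no more than
    jitter * mean gap. This is the behavioural signal for the fixed-interval
    module polling and does not depend on knowing the C2 address."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["type"] == "http":
            by_key[(ev["host"], ev["image"], ev["dest"])].append(ev["ts"])
    beacons = []
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(gaps) - min(gaps) <= jitter * mean:
            beacons.append((*key, mean))
    return beacons


def analyse(text):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {"ioc_hits": match_iocs(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for rule, ev in report["ioc_hits"]:
        print(f"[{rule}] ts={ev['ts']} {ev['image']}")
    for host, image, dest, period in report["beacons"]:
        print(f"[beacon] {host} {image} -> {dest} every ~{period:.0f}s")
```

On the sample, the indicator check fires once for the registry key, once for the POST to the exfiltration URL and four times for the follow-up contacts, while the period check flags only the Telegram-named process (five contacts exactly 300 seconds apart) and leaves the irregular browser traffic alone. The jitter tolerance is the knob to tune: real malware often adds randomised sleep, so a production rule would widen it and require a longer series before alerting.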
To avoid this type of malware, people should stay away from illegal downloads and unknown software sources. As an extra precaution, downloads can be uploaded to VirusTotal to check whether antivirus solutions detect them as malware.