Researchers have observed a new information-stealing malware, dubbed FFDroider, that steals the credentials and cookies stored in victims' web browsers in order to hijack their social media accounts.
Verified social media accounts are attractive targets because threat actors can exploit them in several malicious campaigns, such as cryptocurrency scams and malware propagation. The attackers can also access the stolen accounts' ad platforms, where they can run malicious advertisements to launch further cyberattacks.
The new FFDroider malware is propagated through cracked versions of software, video games, and other downloadable torrented files.
When victims install the torrented software, FFDroider is installed alongside it, disguised as the Telegram desktop application to evade security detection. Once the fake Telegram desktop app is launched, the malware creates a Windows registry key named FFDroider.
On the compromised machine, the malware targets cookies and account credentials stored in several browsers, including Google Chrome, Internet Explorer, Mozilla Firefox, and Microsoft Edge. It reads and parses the browsers' stored cookies and credentials and decrypts the entries with the Windows Crypt API's CryptUnProtectData function, the DPAPI call that decrypts data protected for the logged-in user, which is why a stealer running in that user's session can recover the secrets.
The result is cleartext usernames and passwords, which are exfiltrated in an HTTP POST request to the command-and-control (C2) server.
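Two of the behaviours described above are observable in endpoint telemetry: a process posing as the Telegram desktop client and the creation of a registry key named FFDroider. The following is an added example (not code from the article or from any FFDroider analysis) that runs two such detection rules over constructed Sysmon-style registry events. The log line format, the event IDs, the sample paths and the assumed legitimate Telegram Desktop install directory (a `Telegram Desktop` folder under the user's roaming AppData) are all assumptions made for this example.

```python
"""Toy detection over constructed Sysmon-style registry events.

Assumptions (not from the article): the Key=Value log line format, the Sysmon
event IDs (12 = registry key create/delete, 13 = value set), the sample paths,
and the legitimate Telegram Desktop install directory name.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events; none of these lines are real telemetry from FFDroider.
SAMPLE_EVENTS = [
    r"EventID=12 Image=C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe TargetObject=HKU\S-1-5-21-1\Software\Telegram Desktop\tsettings",
    r"EventID=12 Image=C:\Users\alice\Downloads\crack\Telegram.exe TargetObject=HKU\S-1-5-21-1\Software\FFDroider",
    r"EventID=13 Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetObject=HKU\S-1-5-21-1\Software\Google\Chrome\BLBeacon\version",
    r"EventID=12 Image=C:\Users\alice\AppData\Local\Temp\setup.exe TargetObject=HKLM\SOFTWARE\ffdroider\Run",
]

# Matches "Key=Value" pairs; a value runs until the next " Key=" or end of line,
# so values containing spaces (e.g. "Telegram Desktop") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Assumed directory name of a legitimate Telegram Desktop install.
EXPECTED_TELEGRAM_DIR = "telegram desktop"


def parse_event(line: str) -> dict:
    """Split one 'Key=Value Key=Value' line into a dict of string fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def rule_registry_key_named_ffdroider(event: dict) -> bool:
    """Fire when any component of the written registry path is named FFDroider."""
    parts = PureWindowsPath(event.get("TargetObject", "")).parts
    return any(part.lower() == "ffdroider" for part in parts)


def rule_telegram_lookalike_path(event: dict) -> bool:
    """Fire when a binary named Telegram.exe runs outside the expected install directory."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() != "telegram.exe":
        return False
    return image.parent.name.lower() != EXPECTED_TELEGRAM_DIR


RULES = {
    "registry_key_named_ffdroider": rule_registry_key_named_ffdroider,
    "telegram_lookalike_path": rule_telegram_lookalike_path,
}


def detect(lines: list) -> list:
    """Return (line_index, rule_name) for every rule that fires on every line."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(event):
                findings.append((index, name))
    return findings


if __name__ == "__main__":
    for index, name in detect(SAMPLE_EVENTS):
        print(f"line {index}: {name}")
```

Run as written, the script flags the Telegram.exe running from a Downloads folder (both rules) and the lower-case `ffdroider` key under HKLM (registry rule only), while the genuine Telegram install and the Chrome event produce no findings. The registry rule is case-insensitive and matches any path component, since the article gives only the key name, not its parent hive or exact casing.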
The operators are chiefly after credentials for social media and e-commerce sites found in the victims' browsers: Facebook, Twitter, Instagram, eBay, Amazon, Etsy, and the WAX Cloud wallet portal.
For instance, once the malware has successfully authenticated to a victim's Facebook account, it collects the account's pages, bookmarks, friends list, and payment details from the platform's Ads Manager.
Analysts find this feature notable: the operators are eager to take over a user's social media account in order to harvest more information they can use in further attacks. Social media users, verified or not, are strongly advised not to download pirated files and software from untrusted third-party sites, since those are the channels attackers use to distribute this malware.