A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims’ social media accounts. Social media accounts, especially verified ones, are an attractive target because threat actors can use them for various malicious activities, including conducting cryptocurrency scams and distributing malware. These accounts are even more attractive when they have access to the social site’s ad platforms, allowing threat actors to use the stolen credentials to run malicious advertisements.
Researchers at Zscaler have been tracking the new info stealer and its spread and published a detailed technical analysis today based on recent samples. FFDroider is spread through software cracks, free software, games, and other files downloaded from torrent sites. Once launched, the malware creates a Windows registry key named “FFDroider,” which led to the naming of this new malware. FFDroider targets cookies and account credentials stored in Google Chrome (and Chrome-based browsers), Mozilla Firefox, Internet Explorer, and Microsoft Edge. Stealing the stored data and decrypting it yields cleartext usernames and passwords, which are then exfiltrated via an HTTP POST request to the Command-and-Control (C2) server.
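The two host-side behaviours described above (creation of a registry key named “FFDroider” and a non-browser process reading the browsers’ saved-login and cookie stores) are what a defender would look for in endpoint telemetry. The following added example is not from the article or from Zscaler’s report: it scans constructed log lines in a simplified `key=value` schema of my own (not Sysmon’s), and the process names, file paths and the parent registry path in the sample events are constructed, since the article only gives the key’s leaf name.

```python
"""Added example (not from the article or Zscaler's analysis): flag the two
FFDroider indicators the write-up describes in a constructed event log.
Event schema, process paths and the registry parent path are constructed."""
from dataclasses import dataclass
from typing import Optional

# Leaf name of the registry key reported in the article; its parent path is
# not given, so only the leaf is matched (case-insensitively).
STEALER_KEY_NAME = "FFDroider"

# Well-known file names where Chromium-based browsers and Firefox keep saved
# logins and cookies (the user-data-dir prefix varies per machine/profile).
CREDENTIAL_STORES = {"login data", "cookies", "logins.json", "cookies.sqlite", "key4.db"}

# Processes expected to read those files; anything else reading them is suspect.
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Finding:
    image: str    # full path of the process that triggered the finding
    reason: str   # human-readable explanation for the analyst


def parse_event(line: str) -> dict:
    """Parse one constructed event line of the form 'K=V | K=V | ...'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(fields: dict) -> Optional[Finding]:
    """Return a Finding if the event matches either indicator, else None."""
    image = fields.get("Image", "").lower()
    process = image.rsplit("\\", 1)[-1]          # file name of the process
    event_type = fields.get("Type", "")
    target = fields.get("Target", "")
    leaf = target.rsplit("\\", 1)[-1].lower()    # last path/key component

    if event_type == "RegistryKeyCreate" and leaf == STEALER_KEY_NAME.lower():
        return Finding(image, f"created registry key named {STEALER_KEY_NAME}")
    if event_type == "FileRead" and leaf in CREDENTIAL_STORES and process not in KNOWN_BROWSERS:
        return Finding(image, f"non-browser process read browser store '{leaf}'")
    return None


def scan(lines) -> list:
    """Run check_event over every non-empty line and collect the findings."""
    return [f for f in (check_event(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry: two malicious events from a fake cracked
# installer, two benign events from legitimate processes.
SAMPLE_EVENTS = [
    r"Type=RegistryKeyCreate | Image=C:\Users\alice\Downloads\setup_crack.exe | Target=HKCU\Software\FFDroider",
    r"Type=FileRead | Image=C:\Users\alice\Downloads\setup_crack.exe | Target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Type=FileRead | Image=C:\Program Files\Google\Chrome\Application\chrome.exe | Target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"Type=RegistryKeyCreate | Image=C:\Windows\explorer.exe | Target=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding.image}: {finding.reason}")
```

The registry-name match is a brittle, sample-specific indicator that an operator can rename at will; the second rule (a process outside the browser allow-list reading `Login Data`, `Cookies`, `logins.json` or `key4.db`) is the more durable one, because every browser-credential stealer has to open those files regardless of what it calls its registry key.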
Unlike many other password-stealing trojans, FFDroider’s operators aren’t interested in all account credentials stored in the web browsers. Instead, the malware developers are focusing on stealing credentials for social media accounts and eCommerce sites, including Facebook, Instagram, Amazon, eBay, Etsy, Twitter, and the portal for the WAX Cloud wallet. The goal is to steal valid cookies that can be used to authenticate on these platforms, and the malware tests this on the fly during the procedure. If the authentication is successful on Facebook, for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim’s friends, and their account billing and payment information from the Facebook Ads manager. The threat actors may use this information to run fraudulent ad campaigns on the social media platform and promote their malware to a larger audience. If successfully logged in on Instagram, FFDroider will open the account edit web page to grab the account’s email address, mobile phone number, username, password, and other details. This is an interesting aspect of the info stealer’s functionality: it isn’t just trying to grab credentials, but to log in on the platform and steal even more information. After stealing the information and sending everything to the C2, FFDroider focuses on downloading additional modules from its servers at fixed time intervals. Zscaler’s analysts haven’t provided many details about these modules, but the downloader functionality makes the threat even more potent.
To avoid this type of malware, people should stay away from illegal downloads and unknown software sources. As an extra precaution, downloaded files can be uploaded to VirusTotal to check whether antivirus solutions detect them as malware.