Posted on April 13, 2022 at 9:00 AM
A recent report by cybersecurity researchers at Zscaler revealed that hackers are trying to steal passwords for social media accounts using a Windows malware dubbed FFDroider. Apart from passwords, the researchers noted that the malware can also steal cookies from infected Windows computers.
FFDroider is built mainly to steal login details of social media websites, including Twitter, Instagram, and Facebook. Additionally, it can steal passwords for eBay, Etsy, and Amazon accounts. The malware is also capable of stealing cookies from Mozilla Firefox, Google Chrome, Microsoft Edge, and Internet Explorer browsers.
Once the hackers have succeeded in stealing the login credentials and other details, they can use them to steal personal information, control accounts, and commit fraud against victims. Threat actors can also use the information to hack other accounts if the user reuses the same login credentials on other accounts.
Verified social media accounts are usually attractive targets for threat actors that can use them to carry out various malicious activities, including the distribution of malware and cryptocurrency scams.
The accounts become more appealing to the hackers when they have access to ad platforms of social media sites, allowing the threat actors to run malicious advertisements using the stolen credentials.
The Malware Is Distributed Via Software Cracks
The Zscaler researchers have revealed that the new info stealer is distributed through software cracks. The researchers have been tracking the malware and how it is being distributed. Based on the researchers' detailed technical analysis, FFDroider behaves like many other malware families, as it is spread through games, free software, software cracks, and other files downloaded from torrent sites.
Any user who installs a file containing the malware will install it on their system without knowing. It is usually disguised as the Telegram desktop application to escape detection.
Once the malware is launched, it creates a Windows registry key dubbed “FFDroider,” which is how it derives its name. To explain clearly how the malware is distributed and how it infects systems, the researchers provided a flow chart for illustration.
The malware reads and parses the Chromium SQLite credentials and SQLite cookie stores before. According to Zscaler, the method is similar for the other web browsers, with functions such as IEGetProtectedModeCookie and InternetGetCookieRxW abused for snatching all cookies stored in Edge and Internet Explorer.
The stealing and decrypting yields cleartext usernames and passwords, which are usually exfiltrated to the hacker's C2 server through an HTTP POST request. All of this is carried out in secrecy, without the user or the installed security software on the system detecting any unusual activity.
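The behaviours described above (the "FFDroider" registry key, a non-browser process reading the Chromium credential and cookie stores, then an HTTP POST) can be chained into a detection rule. The following Python is an added example, not code from the Zscaler report; the event schema, process names, PIDs, registry parent path and URLs are constructed placeholders, and `Login Data` and `Cookies` are the Chromium store file names.

```python
import ntpath
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
CRED_STORES = {"login data", "cookies"}  # Chromium SQLite store file names
REG_KEY_NAME = "ffdroider"               # registry key name reported for this malware
STORE_READ = "non-browser-read-of-credential-store"

PROFILE = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default"
# Constructed, time-ordered sample events in a simplified schema (assumption:
# not a real EDR or Sysmon format). Paths, PIDs and URLs are placeholders.
EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "file_read", "target": PROFILE + r"\Login Data"},
    {"pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "http_post", "target": "https://site.example/login"},
    {"pid": 7332, "image": r"C:\Users\a\Downloads\installer_sample.exe",
     "type": "reg_key_create", "target": r"HKCU\Software\PLACEHOLDER\FFDroider"},
    {"pid": 7332, "image": r"C:\Users\a\Downloads\installer_sample.exe",
     "type": "file_read", "target": PROFILE + r"\Cookies"},
    {"pid": 7332, "image": r"C:\Users\a\Downloads\installer_sample.exe",
     "type": "http_post", "target": "http://c2.example.invalid/upload"},
    {"pid": 5120, "image": r"C:\Tools\backup_sample.exe",
     "type": "file_read", "target": PROFILE + r"\Cookies"},
]

def detect(events):
    """Return {pid: sorted findings} for processes matching the described behaviour."""
    findings = defaultdict(set)
    for ev in events:
        exe = ntpath.basename(ev["image"]).lower()
        leaf = ntpath.basename(ev["target"]).lower()
        if ev["type"] == "reg_key_create" and leaf == REG_KEY_NAME:
            findings[ev["pid"]].add("registry-key-ffdroider")
        elif ev["type"] == "file_read" and leaf in CRED_STORES and exe not in BROWSERS:
            findings[ev["pid"]].add(STORE_READ)
        elif ev["type"] == "http_post" and STORE_READ in findings[ev["pid"]]:
            # A POST after a store read by the same process suggests exfiltration.
            findings[ev["pid"]].add("http-post-after-store-read")
    return {pid: sorted(f) for pid, f in findings.items() if f}

def severity(flags):
    """High when behaviours chain together; medium for a single indicator."""
    return "high" if len(flags) >= 2 else "medium"

if __name__ == "__main__":
    for pid, flags in detect(EVENTS).items():
        print(pid, severity(flags), flags)
```

The browser's own read of its store is ignored, while a lone store read by another process (here a constructed backup tool) is kept at medium severity for triage.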
The Malware Is Specifically Designed To Target Social Media Accounts
FFDroider is slightly different from many other password-stealing Trojans. While other malware can go for all account credentials stored in the web browsers, the FFDroider trojan has specific goals and targets.
The malware developers concentrate on stealing credentials for eCommerce sites and social media accounts. The main goal is to steal valid cookies that can be used to authenticate on the platforms; the malware tests them during the procedure.
For example, if the authentication is successful on Facebook, FFDroider collects all Facebook pages and bookmarks, their payment and account billing information, and the number of friends on the victim’s account from the Facebook Ads manager. Once they get this information, the hackers may use it to carry out malicious ad campaigns on the social media platform to have the opportunity to distribute their malware to a larger audience.
People Should Avoid Downloads Of Illegal Software
The hackers usually go for social media influencers or people with verified accounts to give them a strong platform to carry out their malicious activities.
But when they log in successfully on Instagram, the malware is used to open the account and edit the web page to exfiltrate the account’s mobile phone number, email address, username, password, and other important details.
After successfully stealing the information and sending it to the control server, FFDroider enters another stage of stealing more information. The malware now concentrates on downloading more modules from the servers at specific time intervals. Although the researchers did not provide more details about the modules, the additional downloader capability makes the malware even more dangerous. As a result, the researchers have warned people to avoid unknown software sources as well as illegal software downloads so that they do not become a victim of this type of malware.