FFDroider Is a New Spyware That Takes Facebook, Instagram, and Twitter Accounts

FFDroider is a new information thief that hijacks users’ social media accounts by collecting passwords and cookies saved in browsers.

Hackers are attracted to social media accounts, particularly verified ones, since threat actors may exploit them for a variety of nefarious activities, including bitcoin frauds and malware distribution.

When these accounts have access to the social site’s ad platforms, threat actors can use the stolen credentials to run malicious ads.

Cracked software is used to spread the virus.

Zscaler researchers have been monitoring the spread of the new info-stealer and have today published a thorough technical analysis based on recent samples.

FFDroider is propagated through software cracks, free software, games, and other things obtained through torrent sites, as is the case with most malware.

FFDroider will be installed alongside these files, but it will be disguised as the Telegram desktop software to avoid detection.

The virus will produce a Windows registry entry entitled “FFDroider” after it is activated, which is how this new spyware got its name.

The Zscaler researcher has created an attack flowchart that shows how the virus is placed on the devices of victims.

Google Chrome (and Chromium-based browsers), Mozilla Firefox, Internet Explorer, and Microsoft Edge are all targets for FFDroider.

For example, the malware reads and parses the Chromium SQLite cookie and SQLite credential stores, then decrypts their contents using the CryptUnprotectData function of the Windows Crypt API.

The process is similar for the other browsers, with APIs such as InternetGetCookieExW and IEGetProtectedModeCookie being used to grab all cookies saved in Internet Explorer and Edge.

The theft and decryption provide cleartext usernames and passwords, which are then sent to the C2 server using an HTTP POST request; in this case, http[:]//152[.]32[.]228[.]19/seemorebty.
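The exfiltration step above leaves a network footprint: an HTTP POST to a fixed C2 URL. The following is an added detection example, not Zscaler's tooling or the malware's code. It scans web-proxy log lines for traffic to the C2 indicator named in the analysis (http://152.32.228.19/seemorebty), flagging the exact POST with high confidence and any other traffic to that host as a weaker signal. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for this example; adapt the regex to your proxy's real format.

```python
"""Scan proxy log lines for the FFDroider C2 indicator from the Zscaler write-up.

Added illustration, not code from the original article or from Zscaler.
The log line format and the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Indicator from the analysis: HTTP POST to http://152.32.228.19/seemorebty
C2_HOST = "152.32.228.19"
C2_PATH = "/seemorebty"

# Assumed log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    url: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches the FFDroider C2, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a real pipeline would count these
    url = m.group("url")
    parsed = urlparse(url)
    if parsed.hostname != C2_HOST:
        return None
    if m.group("method") == "POST" and parsed.path == C2_PATH:
        reason = "high: POST to known FFDroider C2 exfiltration path"
    else:
        # Same host but a different path/method: still worth a look, since
        # the article notes the malware later fetches modules from its servers.
        reason = "medium: traffic to known FFDroider C2 host"
    return Hit(m.group("ts"), m.group("client"), url, reason)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Classify every line and keep only the hits, in log order."""
    return [h for h in map(classify, lines) if h is not None]


# Constructed sample log lines (not real captured traffic).
SAMPLE_LOG = [
    "2022-04-08T10:01:12Z 10.0.0.15 GET http://example.com/ 200",
    "2022-04-08T10:01:30Z 10.0.0.15 POST http://152.32.228.19/seemorebty 200",
    "2022-04-08T10:02:05Z 10.0.0.22 GET http://152.32.228.19/update.bin 200",
    "2022-04-08T10:02:40Z 10.0.0.15 POST https://www.facebook.com/login 302",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} {hit.url} -> {hit.reason}")
```

Matching on the parsed hostname rather than a substring of the raw line avoids false positives from URLs that merely embed the IP in a query string, and keeps the "high" verdict tied to the exact method and path the analysis reports.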

Using social media as a tool

The operators of FFDroider, unlike many other password-stealing trojans, aren’t interested in all account details saved in web browsers.

Instead, the virus creators are concentrating their efforts on obtaining credentials for social networking accounts and eCommerce sites such as Facebook, Instagram, Amazon, eBay, Etsy, Twitter, and the WAX Cloud wallet portal.

The purpose is to steal legitimate cookies that can be used to authenticate on various platforms, and the malware checks this on the fly as part of the procedure.

FFDroider obtains all Facebook pages and bookmarks, the number of the victim’s friends, and their account billing and payment information from the Facebook Ads manager if the authentication is successful on Facebook, for example.

Threat actors may utilize this information to execute deceptive ad campaigns on social media platforms in order to spread their infection to a bigger audience.

FFDroider will open the account edit web page after successfully logging in to Instagram, grabbing the account’s email address, mobile phone number, username, password, and other information.

This is an intriguing feature of the info-stealer’s capabilities: it isn’t just attempting to steal credentials, but also attempting to log in to the platform and steal even more data.

After stealing the information and transmitting everything to the C2, FFDroider concentrates on downloading additional modules from its servers at predetermined time intervals.

The analysts at Zscaler haven’t revealed much about these modules, but the addition of a downloader makes the threat even more dangerous.

People should avoid unauthorized downloads and unknown software sources to avoid this form of infection. Downloads can be uploaded to VirusTotal as an extra precaution to see if antivirus software detects them as malware.
