A windows-based malware tracked as FFDroider is targeting victim’s social media credentials to steal sensitive information including payment details and contact information.

The stolen data is then exfiltrated, whilst using Facebook ad manager, to run malicious adverts leveraging the stored payment information.

Researchers from Threatlabz have identified FFDroider hides itself by masquerading as Telegram, a popular instant messaging application. The malware aims to steal login credentials and authenticated cookies which are sent to the command and control (C2) server and leveraged, through replay attacks, to gain access to social media accounts.

The focus on social media is evident after researchers analysed the malware code and discovered the targeted browsers and platforms, outlined below:

• Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft edge.

• Facebook, Instagram, Amazon, All-access.wax, eBay, Etsy & Twitter.

FFDroider is currently being distributed across multiple campaigns with no specific country targeted and is offered on download sites pretending to be freeware or cracked versions of a paid software.

After being installed the pre-defined browsers are searched for stored login information including saved passwords or login related cookies. Once the threat actor has gained access, personal information is stolen from the accounts, notably any payment information, phone numbers, email addresses and enumeration of friends/followers and bookmarked pages this information is exfiltrated back to the threat actor through their C2 server.

Specifically on Facebook the malware checks “account billing and payment information” to identify if the victim is a business account, if then identified the Facebook ad manager will be levered to show malicious adverts specified by the threat actor. It is highly likely that this is done to steal any stored payment information and to facilitate lateral movement of the malware by pushing advertisement from a credited and trusted business account.

Generally, social media accounts hold vast amounts of personal information and therefore, stolen details are a prime commodity for cyber criminals who can later exploit the data to commit fraud or sell on underground forums.

After installation, FFDroider will create an inbound whitelisting rule within a Windows firewall allowing itself (the infected host) to communicate with the C2 server. Once this communication link has been established, and information is successfully exfiltrated, an attempt to upgrade the malware is made by downloading further modules over several intervals to enhance utility whilst evading detection.

If any suspicious activity as described above has been identified, it is worth navigating to the Zscaler site where Indicators of Compromise can be found to help establish any activity attributed to FFDroider on the network.

The origin of any Telegram applications on a windows machine that the user has not personally installed should be confirmed prior to installation if permitted. The use of multi-factor authentication for all login pages that support it should be promoted.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).