Highlights:

  • FFDroider's primary objective is to steal credentials and cookies for popular social media and e-commerce sites, then use them to log into the victim's accounts and harvest further account-related data.
  • Its operators distribute FFDroider through cracked installers and freeware, using it to steal credentials and other sensitive data.

Cybersecurity researchers have warned of two data-stealing malware families, FFDroider and Lightning Stealer, that can siphon information and enable further attacks.

Avinash Kumar and Niraj Shivtarkar, researchers at Zscaler ThreatLabz, said in a report published last week, “Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim’s machines to look like the instant messaging application ‘Telegram.’”

As the name suggests, information stealers are built to harvest sensitive data from compromised systems, such as keystrokes, screenshots, files, saved passwords, and browser cookies, and send it to a remote attacker-controlled domain.

FFDroider is distributed through cracked installers and freeware. Its primary objective is to steal credentials and cookies for popular social media and e-commerce sites and use them to log into the victim's accounts and harvest further account-related data.

The targeted browsers include Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge; the sites of interest are primarily Facebook, Instagram, Twitter, Amazon, eBay, and Etsy.
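A stealer that targets these browsers has to read their on-disk credential and cookie stores, which is something only the browser binary itself normally does. The following is an added detection example written for this article, not code from Zscaler, Cyble or the malware itself: it flags any process other than the installed browser that opens those stores, including a process masquerading as Telegram the way FFDroider does. The event records are constructed for illustration (they are not real telemetry), the file-access event shape is assumed, and Internet Explorer is not covered because it keeps saved logins in the Windows Credential Manager rather than a profile file.

```python
"""Toy detector: flag non-browser processes reading browser credential/cookie stores.

Added example for this article; not code from Zscaler, Cyble or the malware authors.
The events below are constructed, and the event shape is an assumption about what an
EDR/Sysmon-style file-access feed would provide (process name, image path, target file).
"""
import re
from dataclasses import dataclass

# Profile files holding saved logins, cookies and (for Chromium) the encrypted master key
# for the browsers the article names.  Chrome/Edge: "Login Data", "Cookies" (newer builds
# keep it under Network\), and "Local State".  Firefox: logins.json, key4.db, cookies.sqlite.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?(Login Data|Cookies|Local State)$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\(?:.*\\)?(Login Data|Cookies|Local State)$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|cookies\.sqlite|key4\.db)$", re.I),
]

# Only the browser binary at its vendor install location is expected to open these files.
# Matching on the image path, not the process name, is what catches a renamed copy.
LEGITIMATE_READERS = (
    r"\google\chrome\application\chrome.exe",
    r"\microsoft\edge\application\msedge.exe",
    r"\mozilla firefox\firefox.exe",
)


@dataclass
class FileAccessEvent:
    process_name: str   # name the process reports (easily spoofed)
    image_path: str     # full path of the executable backing the process
    target_file: str    # file the process opened


def touches_credential_store(path: str) -> bool:
    """True if the opened file is one of the browser credential/cookie stores above."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def is_legitimate_reader(image_path: str) -> bool:
    """True if the executable is the real browser installed under its vendor directory."""
    low = image_path.lower()
    return any(low.endswith(suffix) for suffix in LEGITIMATE_READERS)


def detect(events):
    """Return (process_name, image_path, target_file) for every suspicious access."""
    return [
        (ev.process_name, ev.image_path, ev.target_file)
        for ev in events
        if touches_credential_store(ev.target_file) and not is_legitimate_reader(ev.image_path)
    ]


# Constructed sample events: a real Chrome and Edge opening their own stores, a copy of
# "Telegram.exe" dropped in %TEMP% sweeping Chrome and Firefox stores, and benign noise.
SAMPLE_EVENTS = [
    FileAccessEvent("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent("Telegram.exe", r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent("Telegram.exe", r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    FileAccessEvent("Telegram.exe", r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"),
    FileAccessEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\Documents\notes.txt"),
    FileAccessEvent("msedge.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
]


if __name__ == "__main__":
    for name, image, target in detect(SAMPLE_EVENTS):
        print(f"ALERT: {name} ({image}) read {target}")
```

Running it flags only the three accesses by the fake Telegram binary. Two caveats a practitioner would add: a stealer that copies the store files elsewhere before parsing them still trips the rule (the copy is itself a read), but one that injects into the browser process or reads the files via a legitimate signed binary does not, so this should sit alongside code-signing checks on the reader and network detections for the exfiltration itself.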

FFDroider also includes downloader functionality that fetches new modules from an update server, letting it expand its feature set over time and letting the operators use the stolen information as a foothold for further access to a target.

Lightning Stealer works in a similar way. It steals Discord tokens, cryptocurrency wallet data, and cookies, passwords, credit card details, and search history from more than 30 Firefox- and Chromium-based browsers, all of which is exfiltrated to a server in JSON format.

“Info Stealers are adopting new techniques to become more evasive,” Cyble researchers said, adding that they had “witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive data.”

The findings come as stealer malware becomes an increasingly common component of attack campaigns, filling the void left by Raccoon Stealer’s exit from the market in late March because of the war in Ukraine.

In February this year, Cyble Research disclosed details of an emerging threat called Jester Stealer, which is designed to steal login credentials, cookies, credit card data, and information from password managers, chat messengers, email clients, crypto wallets, and gaming apps, and send it to the attackers.

Since then, at least three more data stealers have emerged, including BlackGuard, Mars Stealer, and META, the last of which is known to be delivered through malspam campaigns to gather sensitive information.

Expert’s view:

“The stealer signs into victims’ social media platforms using stolen cookies and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information,” the researchers said.