Cybersecurity researchers from Zscaler have discovered a new information-stealing malware, named FFDroider, that steals credentials and cookies saved in web browsers in order to hijack victims’ social media accounts.
Like many malicious programs, FFDroider is distributed through cracks of legitimate software, free programs, games and other files downloaded from torrent sites. When the victim installs the bundled program, FFDroider is installed alongside it, disguised as the Telegram messenger. After launching, the malware creates a Windows registry key named FFDroider.
FFDroider targets cookies and credentials stored in Google Chrome (and other Chromium-based browsers), Mozilla Firefox, Internet Explorer and Microsoft Edge. For Chromium-based browsers, the malware reads and parses the SQLite cookie and credential stores and decrypts the records with the Windows Crypt API, specifically the CryptUnprotectData function. Because DPAPI decrypts with the logged-on user’s key, the stealer needs no elevated privileges to recover these records as long as it runs under the victim’s account. The procedure is similar for the other browsers; for Internet Explorer and Edge it calls InternetGetCookieExW and IEGetProtectedModeCookies to harvest all stored cookies. The usernames and passwords are then transmitted in cleartext in an HTTP POST request to the operators’ command-and-control server.
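The behaviour described in the two paragraphs above (a program masquerading as Telegram, a registry key named FFDroider, a non-browser process reading the browsers’ cookie and credential stores, followed by a plaintext HTTP POST) is the chain a defender would want to catch. The following Python is an added detection example written for this article, not code from Zscaler or from the malware; the event schema, the registry path, the process names, the PID and the IP address in the sample log are all constructed for illustration, and the log shape is only loosely modelled on Windows object-access auditing and Sysmon registry events.

```python
import json
import ntpath

# Browser binaries that legitimately open their own credential stores.
# Assumption for this example: anything else touching these files is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}

# Default file names of the stores an infostealer goes after:
# Chromium "Login Data" / "Cookies" / "Web Data", Firefox logins.json / cookies.sqlite / key4.db.
CREDENTIAL_STORES = {"login data", "cookies", "web data", "logins.json", "cookies.sqlite", "key4.db"}

# Constructed sample log (one JSON event per line). Paths, PIDs, the registry key
# location and the 203.0.113.10 address are made up for this example.
SAMPLE_LOG = [
    r'{"event":"file_access","pid":4120,"process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","object":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"event":"registry_create","pid":5588,"process":"C:\\Users\\alice\\AppData\\Roaming\\Telegram.exe","target":"HKCU\\Software\\FFDroider"}',
    r'{"event":"file_access","pid":5588,"process":"C:\\Users\\alice\\AppData\\Roaming\\Telegram.exe","object":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"event":"file_access","pid":5588,"process":"C:\\Users\\alice\\AppData\\Roaming\\Telegram.exe","object":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}',
    r'{"event":"network_connect","pid":4120,"process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dst_ip":"198.51.100.7","dst_port":443}',
    r'{"event":"network_connect","pid":5588,"process":"C:\\Users\\alice\\AppData\\Roaming\\Telegram.exe","dst_ip":"203.0.113.10","dst_port":80}',
]


def _base(path):
    """Lower-cased final path component of a Windows path ('' for missing values)."""
    return ntpath.basename(path or "").lower()


def scan(lines):
    """Run the three checks over JSON event lines and return the alerts in log order.

    1. A process outside BROWSER_IMAGES opens a browser credential/cookie store.
    2. A registry key whose path contains 'FFDroider' is created.
    3. A process that earlier tripped check 1 makes an outbound connection on TCP/80,
       i.e. the plaintext HTTP POST exfiltration described in the article.
    """
    alerts = []
    readers = {}  # pid -> image name of non-browser processes that read a store

    for line in lines:
        ev = json.loads(line)
        kind = ev.get("event")
        pid = ev.get("pid")
        image = _base(ev.get("process"))

        if kind == "file_access":
            if _base(ev.get("object")) in CREDENTIAL_STORES and image not in BROWSER_IMAGES:
                readers[pid] = image
                alerts.append(f"pid {pid} ({image}) read browser store {ev.get('object')}")

        elif kind == "registry_create":
            target = ev.get("target", "")
            if "ffdroider" in target.lower():
                alerts.append(f"pid {pid} ({image}) created registry key {target}")

        elif kind == "network_connect":
            # Correlate: only processes that already read a credential store are flagged,
            # which keeps ordinary HTTP traffic from other software out of the alert list.
            if pid in readers and ev.get("dst_port") == 80:
                alerts.append(
                    f"pid {pid} ({readers[pid]}) sent plaintext HTTP to "
                    f"{ev.get('dst_ip')}:80 after reading a credential store"
                )

    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block against the constructed log yields four alerts for PID 5588 and none for Chrome’s own access to its Login Data file. The store-access check is the one worth keeping in production; the FFDroider name match is a brittle indicator that the next build of the malware can change.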
Unlike many other infostealers, FFDroider’s operators are not interested in every credential saved in the browser. The malware specifically targets accounts on Facebook, Instagram, Amazon, eBay, Etsy, Twitter and the WAX Cloud Wallet, that is, social media and e-commerce sites. The stolen accounts can then be used to run fraudulent advertising campaigns on social networks and to push the malware to a wider audience.
After the stolen data has been sent to the command-and-control server, FFDroider turns to downloading additional modules from its servers at fixed intervals. Zscaler’s analysts did not give details about these modules, but the built-in downloader makes the malware more dangerous still, since the operators can deliver further payloads to machines that are already infected.