The version analyzed by the researchers was packed with Aspack. The spyware is offered on download sites, pretending to be installers for freeware and cracked versions of paid software. The analyzed version of Spyware.FFDroider disguises itself on victims’ machines to look like the instant messaging application “Telegram”. Several campaigns were found to push out this spyware, but all of them were easily connected by the malicious program embedded in the cracked installers and freeware.
After checking the IP of the affected machine by querying the legitimate service at iplogger.org, Spyware.FFDroider starts its cookie- and credential-stealing routine. It uses specific methods for each browser to exfiltrate the data stored in the target browsers:
- Google Chrome
- Mozilla Firefox
- Internet Explorer
- Microsoft Edge
The target websites it looks for are:
The malware also aims to steal saved VPN/dial-up credentials from the \Appdata\Microsoft\Network\Connections\Pbk\rasphone.pbk and \Pbk\rasphone.pbk phonebooks if present.
For Facebook and Instagram, the stealer has another trick up its sleeve. If the malware manages to grab cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed on the social media platforms.
First, the malware checks whether it is able to authenticate using the stolen cookies. If the cookies are valid and provide proper authentication, it sends a GET /settings request using the Access Token to facebook.com along with the authenticated cookies so it can fetch the User Account settings of the compromised account.
Next, it checks whether the compromised account is a business account and has access to Facebook Ads Manager. Using the stolen cookies, it fetches the following details by parsing the responses:
- Account billing and payment information from the Facebook Ads Manager.
- The user’s Facebook pages and bookmarks.
- The number of Facebook friends and other user-related information.
Since all the stolen information is sent to a command and control (C&C) server, it is likely that this information will be leveraged later to run malicious advertisements from the victim’s account and use the compromised account’s payment method to spread the malware further.
In a very similar way, Spyware.FFDroider looks for valid session cookies for Instagram to exfiltrate personal information such as the email address, the Instagram userID, the saved password, and the phone number from the Instagram account edit webpage and send it to the C&C server.
Spyware.FFDroider creates an inbound whitelisting rule in the Windows Firewall to allow itself to communicate, which requires administrative privileges. This will enable normally disallowed connections to the affected system.
After sending the stolen details from the target browsers and websites to the C&C server, Spyware.FFDroider tries to upgrade itself by downloading other modules from an update server.
If the file is named test.exe at the time of execution, the malware goes into its debug state and pops up messages on every loop. It then prints out the stolen cookies and the results assembled for sending to the C&C, which hold the information collected from each targeted browser for the target websites. The debug state is very likely what the malware authors used to check the malware’s functionality during development.
Files and folders:
The malware creates a directory in %UserProfile%\Documents named VlcpVideov1.01
In this folder it drops the file:
The malware is hosted online as:
All detected by Malwarebytes as Spyware.FFDroider
Update server: http://18.104.22.168/seemorebtu/poe.php?e=<filename>
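A hunting sketch for the behaviours listed in this write-up, added here as an example and not code from the original analysis: it correlates host telemetry per process and flags a process only when several of the described behaviours co-occur. The event schema (host, image, type, target), the firewall rule string format and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Event schema (host, image, type, target) is an assumption for this example;
# map it to the fields your EDR or Sysmon pipeline actually emits.
def _own_inbound_rule(e):
    t = e["target"].lower()  # assumed format: "dir=in action=allow program=<path>"
    return "dir=in" in t and "action=allow" in t and e["image"].lower() in t

# One predicate per behaviour named in the write-up.
RULES = {
    "ip_lookup": lambda e: e["type"] == "dns"
        and re.fullmatch(r"(.+\.)?iplogger\.org", e["target"], re.I),
    "drop_dir": lambda e: e["type"] == "file_create"
        and re.search(r"\\Documents\\VlcpVideov1\.01(\\|$)", e["target"], re.I),
    "pbk_read": lambda e: e["type"] == "file_read"
        and e["target"].lower().endswith("\\pbk\\rasphone.pbk"),
    "fw_inbound": lambda e: e["type"] == "fw_rule_add" and _own_inbound_rule(e),
    "update_url": lambda e: e["type"] == "http"
        and "/seemorebtu/poe.php?e=" in e["target"].lower(),
}

def hunt(events, threshold=3):
    """Return {(host, image): [behaviours]} for processes showing at least
    `threshold` distinct behaviours; any single hit alone is too noisy."""
    seen = defaultdict(set)
    for e in events:
        for label, rule in RULES.items():
            if rule(e):
                seen[(e["host"], e["image"].lower())].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

DROPPER = r"C:\Users\amy\Downloads\setup.exe"  # constructed path
PBK = r"C:\Users\amy\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"
SAMPLE_EVENTS = [  # constructed telemetry, not from the original analysis
    {"host": "ws01", "image": DROPPER, "type": "dns", "target": "iplogger.org"},
    {"host": "ws01", "image": DROPPER, "type": "file_read", "target": PBK},
    {"host": "ws01", "image": DROPPER, "type": "file_create",
     "target": r"C:\Users\amy\Documents\VlcpVideov1.01"},
    {"host": "ws01", "image": DROPPER, "type": "fw_rule_add",
     "target": "dir=in action=allow program=" + DROPPER},
    {"host": "ws02", "image": r"C:\Windows\System32\rasphone.exe",
     "type": "file_read", "target": PBK},  # legitimate phonebook access
]

if __name__ == "__main__":
    for (host, image), hits in hunt(SAMPLE_EVENTS).items():
        print(host, image, hits)
```

The threshold keeps benign single events, such as the Windows dialer opening rasphone.pbk, from raising an alert on their own.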
Stay safe, everyone!