FFDroider and Lightning Information Stealing Malwares Target  Users in the Wild
Reading Time: 2 minutes

Zscaler ThreatLabz has warned about FFDroider and Lightning Information Stealing Malwares that target users in the wild. These information-stealing malwares have the ability to siphon data and launch further attacks.

According to the researchers Avinash Kumar and Niraj Shivtarkar, it is “Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim’s machines to look like the instant messaging application ‘Telegram’.'”

Being an information-stealing malware they are capable of harvesting sensitive information from compromised machines, this includes keystrokes, screenshots, files, saved passwords, and cookies from web browsers. These can be later redirected to a remote attacker-controlled domain.

Cracked versions of FFDroider installers and freeware are distributed with the intention of stealing cookies and credentials associated with popular social media and e-commerce platforms. This stolen information is used to login into the accounts and captures other personal account-related information.

The malware targets browsers that include Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. While the social media sites targeted include Facebook, Instagram, Twitter, Amazon, eBay, and Etsy.FFDroider and Lightning Information Stealing Malwares Target  Users in the Wild-2The researchers said, “The stealer signs into victims’ social media platforms using stolen cookies, and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information.” 

With downloader functionality in FFDroider, it upgrades itself with new modules from an updated server enabling it to expand its features over time. Further enhancing bad actors to abuse the stolen data as a vector for initial access to a target.FFDroider and Lightning Information Stealing Malwares Target  Users in the Wild-1On the other hand, Lightning stealer is capable of stealing Discord tokens, data from cryptocurrency wallets, and details pertaining to cookies, passwords, and credit cards. Additionally, it can also infiltrate search history from more than 30 Firefox and Chromium-based browsers, and move to a server in JSON format.

Cyble researchers added, “Info Stealers are adopting new techniques to become more evasive. Witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive data.”

The stealer malware is becoming a common occurrence in recent months across different attack campaigns. The other info stealers worth mentioning are BlackGuard, Mars Stealer, and META, known to be delivered via the malspam campaigns to collect sensitive data.

Related Articles:
Chinese hackers Exploit VLC Media Player to launch Malware Attacks
AWS Lambda Serverless Platform Under Malware Attack
Hamas-linked Hacking Group Catfish High Ranking Israeli Officials