FFDroider, a new information-stealing malware disguised as Telegram app

Pierluigi Paganini April 11, 2022

Cybersecurity researchers spotted a new Windows information-stealing malware, named FFDroider, designed to steal credentials and cookies.

Cybersecurity researchers from Zscaler ThreatLabz warn of a new information-stealing malware, named FFDroider, that disguises itself as the popular instant messaging app Telegram. The malware was derived to siphon credentials and cookies from infected machines.

“Recently, ThreatLabz identified a novel windows based malware creating a registry key as FFDroider. Based on this observation, ThreatLabz named this new malware the Win32.PWS.FFDroider.” reads the report published by Zscaler ThreatLabz. “Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim’s machines to look like the instant messaging application “Telegram”.”

The experts spotted multiple FFDroider campaigns which arrived via the compromised URL download.studymathlive[.]com/normal/lilay.exe, all the attacks leveraged tainted cracked versions of installers and freeware.

Below are the key features implemented by the FFDroider information stealer:

  • Steals  cookies and credentials from the victim’s machine.
  • Targeting social media platforms to steal the credentials and cookies.
  • The stealer signs into victims’ social media platforms using stolen cookies, and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information.. 
  • Leverages inbound whitelisting rules in Windows Firewall allowing the malware to be copied at desired location.
  • Attacker uses iplogger.org to track the infection counts.

The malware is able to steal data from multiple browsers, including Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. FFDroider also targets websites like Facebook, Instagram, Twitter, Amazon, eBay, and Etsy.

FFDroider also supports a downloader functionality that uses to upgrade itself by downloading new modules from an update server. The modular structure allows the info-stealer to add new functionalities over time.

“After stealing and sending across the stolen details from the target browsers and websites to the Command & Control. The FFDroider Stealer further it tries to upgrade itself in a fixed interval of time by downloading other modules from an update server by sending  across request to the following as mentioned – URL:http[:]//186[.]2[.]171[.]17/seemorebtu/poe.php?e=<filename> by calling wininet.dll APIs such as InternetOpenUrlW and InternetReadFile.” continues the report. “The module is written onto the disk in the previously created “VlcpVideov1.01” directory as “install.exe”.”

The analysis of the code of the malware revealed the a debug functionality, if the filename at the time of execution is test.exe then the malicious code is executed in a debug state and pops up messages on every loop where in, it prints out the stolen cookies and the final json body which is to be sent to the C&C from each and every browser for the target websites.

The researchers published the Mitre table and Indicators of compromise for these attacks.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FFDroider)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment