FFDroider is a Windows-based credential and cookie stealer that targets social media platforms by harvesting browser data and using stolen cookies to access accounts. ThreatLabz (Zscaler) details its delivery, obfuscation, registry persistence, C2 communications, and data exfiltration capabilities, including targeting Facebook and Instagram. #FFDroider #Facebook
Keypoints
- FFDroider (Win32.PWS.FFDroider) is a credential and cookie stealer focused on social media platforms.
- Delivery occurs via compromised/cracked installers, with a campaign URL such as download.studymathlive[.]com/normal/lilay.exe.
- The malware uses ASPack v2.12 for packing, creates a registry key HKCU\Software\ffdroider\FFDroider, and copies itself to a Documents folder path “VlcpVideov1.01” with a chosen icon.
- An XOR-based string decryption routine recovers library and API names at runtime, which the malware then resolves via LoadLibraryA/GetProcAddress; the decrypted strings include Wininet.dll, InternetGetCookieExW, and CryptUnProtectData.
- Initial C2 communication logs the filename and the infected host’s IP; an iplogger.org URL is used to track infection counts.
- Browser targets include Chrome, Firefox, IE/Edge, and the malware exfiltrates cookies/credentials to the C2, including Facebook/Instagram data to abuse ads and account information.
- The campaign also features a downloader for module updates, sandbox/anti-analysis checks, a debug mode, and a Windows Firewall inbound rule to enable persistence and outbound connections.
MITRE Techniques
- [T1055] Process Injection – Creates multiple threads using CreateThread() to speed the theft of cookies and credentials while hindering reverse engineering. ‘The malware creates multiple threads using CreateThread() to speed the theft of cookies and credentials while hindering reverse engineering.’
- [T1027] Obfuscated Files or Information – String decryption routine: a loop that XORs each byte of the encrypted string with the key. ‘String Decryption Routine which is basically a XOR Decryption loop amongst the encrypted string and the key.’
- [T1027-002] Software Packing – Packed with the popular “ASPack v2.12” packer. ‘FFDroider stealer is packed with the popular “ASPack v2.12” packer.’
- [T1003] OS Credential Dumping – The password cache is decrypted in memory via CryptUnProtectData(), revealing clear-text credentials. ‘The password cache is fetched from the output and passed to the CryptUnProtectData() function for in memory decryption, revealing clear-text credentials stolen from the targeted web application Credential Store.’
- [T1016] System Network Configuration Discovery – Logs the infected host IP via iplogger.org to reveal network details. ‘IPLogger URL: https://iplogger.org/logger/ey4zrs2miAY6’
- [T1018] Remote System Discovery – Uses API calls (e.g., GetAdaptersInfo) to enumerate network adapters as part of its data collection. ‘GetAdaptersInfo’
- [T1057] Process Discovery – The malware spawns multiple threads as part of its execution flow to speed data theft. ‘CreateThread()’
- [T1082] System Information Discovery – Exposes the PDB path during analysis (F:\FbRobot\Release\FbRobot.pdb) to reveal build information. ‘exposed the PDB path: F:\FbRobot\Release\FbRobot.pdb’
- [T1083] File and Directory Discovery – Creates a directory in Documents named “VlcpVideov1.01” to house copies. ‘creates a Directory in the Documents folder named “VlcpVideov1.01”’
- [T1005] Data from Local System – Steals cookies and credentials from local data stores (Chrome, Firefox, IE/Edge). ‘Steals cookies and credentials from the victim’s machine.’
Indicators of Compromise
- [Hash] – beb93a48eefd9be5e5664754e9c6f175, e8c629383fe4b2c0cbf57b0d335fc53f, 6a235ccfd5dd5e47d299f664d03652b7, b11fd571c6cc4b8768f33a2da71fbb6e
- [URL] – download[.]studymathlive[.]com/normal/vinmall880[.]exe, download[.]studymathlive[.]com/normal/lilay[.]exe, download[.]studymathlive[.]com/install/vinmall1[.]exe?_sm_byp=iVVkm23V4sqBFtNM, download[.]studymathlive[.]com/install/vinmall1[.]exe?_sm_byp=iVVJWHH51nHRJTzP
- [Domain] – iplogger[.]org
- [IP] – 152[.]32[.]228[.]19 (C2 server IP)
- [URL] – https[:]//iplogger[.]org/logger/ey4zrs2miAY6
- [File] – install.exe, VlcpVideov1.01 (directory name), d/p/u files mentioned in data exfiltration
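The indicators above are published defanged, and the keypoints name host artifacts (the HKCU\Software\ffdroider\FFDroider registry key, the Documents\VlcpVideov1.01 directory) alongside network ones. The following is an added example, not code from the report: it refangs the page's indicators and runs them as detection logic over a few constructed telemetry lines, so a responder can see which events each indicator family catches. The key=value log format and every event line are constructed for the example; the hashes are taken from the page as listed and are matched only as opaque hash values, with no assumption about the algorithm.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the page, kept in their published (defanged) form.
IOCS: Dict[str, List[str]] = {
    "hash": [
        "beb93a48eefd9be5e5664754e9c6f175",
        "e8c629383fe4b2c0cbf57b0d335fc53f",
        "6a235ccfd5dd5e47d299f664d03652b7",
        "b11fd571c6cc4b8768f33a2da71fbb6e",
    ],
    "domain": ["download[.]studymathlive[.]com", "iplogger[.]org"],
    "ip": ["152[.]32[.]228[.]19"],
    "registry": [r"HKCU\Software\ffdroider\FFDroider"],
    "path": ["VlcpVideov1.01"],
}


def refang(indicator: str) -> str:
    """Turn the publication-safe form back into the literal value telemetry would carry."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value telemetry line (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    observed = observed.lower().rstrip(".")
    ioc_domain = ioc_domain.lower()
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def match_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs that this event matches."""
    hits: List[Tuple[str, str]] = []
    file_hash = event.get("hash", "").lower()
    if file_hash in IOCS["hash"]:
        hits.append(("hash", file_hash))
    for field in ("query", "host"):                 # DNS query or HTTP Host header
        if field in event:
            for d in IOCS["domain"]:
                if domain_matches(event[field], refang(d)):
                    hits.append(("domain", refang(d)))
    for ip in IOCS["ip"]:
        if event.get("dst") == refang(ip):
            hits.append(("ip", refang(ip)))
    reg_key = event.get("key", "").replace("/", "\\").lower()
    for reg in IOCS["registry"]:
        if reg_key == reg.lower():
            hits.append(("registry", reg))
    path = event.get("path", "").lower()
    for frag in IOCS["path"]:
        if frag.lower() in path:
            hits.append(("path", frag))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run every line through the indicator checks; return (line_index, type, indicator)."""
    results: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        for kind, value in match_event(parse_event(line)):
            results.append((idx, kind, value))
    return results


# Constructed telemetry: six lines carrying page indicators, two benign lines.
SAMPLE_EVENTS = [
    "type=http host=download.studymathlive.com uri=/normal/lilay.exe",
    "type=process_create image=C:\\Users\\alice\\Downloads\\lilay.exe hash=BEB93A48EEFD9BE5E5664754E9C6F175",
    "type=registry_set key=HKCU\\Software\\ffdroider\\FFDroider",
    "type=file_create path=C:\\Users\\alice\\Documents\\VlcpVideov1.01\\install.exe",
    "type=dns query=iplogger.org",
    "type=network_connect dst=152.32.228.19 dport=80",
    "type=network_connect dst=203.0.113.7 dport=443",
    "type=process_create image=C:\\Windows\\System32\\notepad.exe hash=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {kind} -> {value}")
```

Two caveats when moving this onto real telemetry: Sysmon and EDR products record per-user registry writes under HKU\<SID>\Software\... rather than HKCU, so the registry comparison needs that mapping; and iplogger.org is a public service, so a DNS hit on it is a weaker signal than the C2 IP or the registry key and should be correlated with the host artifacts rather than alerted on alone.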