PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials

The imad213 Python-based credential harvester poses as an Instagram growth tool to steal user credentials and broadcast them to multiple malicious bot services. The attacker maintains remote control via a Netlify-hosted kill switch and operates a coordinated network of phishing websites targeting various social media platforms. #imad213 #IMAD-213 #takipcimx #InstagramGrowthTool

Keypoints

  • The imad213 malware masquerades as an Instagram follower growth tool and steals user credentials through a deceptive credential prompt.
  • The threat actor, imad_213, uses a remote kill switch hosted on Netlify to enable or disable the malware remotely without alerting victims.
  • Stolen Instagram credentials are broadcast to ten different Turkish-based bot service websites, which operate a coordinated credential harvesting network.
  • The attacker also created additional malicious tools such as Free Fire phishing kits and a DDoS attack tool, sharing similar branding and coding styles.
  • The malware saves credentials locally to “credentials.txt” as a social engineering tactic, while the real theft occurs via broadcasting to third-party services.
  • Victims face immediate account compromise, violations of Instagram policies potentially resulting in account bans, and risks of identity theft and password reuse attacks.
  • The attacker maintains professional-looking infrastructure registered through the same Turkish telecom, using Cloudflare for protection and consistently updating the phishing sites.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The malware uses base64 encoding to hide its true nature. (“…uses base64 encoding to hide its true nature…”)
  • [T1566.002] Phishing – The tool prompts users for their Instagram credentials under the guise of an Instagram growth service. (“…prompts users for Instagram credentials…”)
  • [T1041] Exfiltration Over C2 Channel – Stolen credentials are broadcast to ten third-party bot services, sending login data to remote servers. (“…the victim’s Instagram username and password… are broadcast to ten different bot service websites…”)
  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – The malicious package is distributed via PyPI and GitHub, presenting itself as a legitimate Instagram growth tool. (“…presented professionally on GitHub with a detailed README… installation via pip install imad213…”)

Indicators of Compromise

  • [Threat Actor Identifiers] Email and aliases associated with the attacker – madmadimado59@gmail[.]com, imad_213, IMAD-213
  • [Domains] Malicious bot services hosting credential harvesting sites – takipcimx[.]net, takipcizen[.]com, and 8 more related domains
  • [Control URL] Netlify-hosted remote kill switch URL – imad-213-imad21[.]netlify[.]app/pass.txt
  • [Local Files] Plaintext credential storage on victim machines – credentials.txt
  • [Social Media] Attacker’s Instagram profile used for self-promotion – instagram[.]com/nasreddin_imad
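As an added defender-side example (not code from the Socket report or from the package it describes), the script below checks Python source for the indicators listed above both in plain text and inside base64-encoded string literals, since the report notes the malware hides its true nature with base64 encoding. The source it scans is a constructed sample that is assumed to mimic the reported pattern; the kill-switch URL is encoded at run time so the token is exact.

```python
import base64
import re
from pathlib import Path

# Indicators taken from the report above (defanging brackets removed so they match raw text):
# Netlify kill switch, two of the bot-service domains, and the local plaintext credential file.
INDICATORS = (
    "imad-213-imad21.netlify.app/pass.txt", "takipcimx.net",
    "takipcizen.com", "credentials.txt",
)

# A quoted run of 16+ base64-alphabet characters is a candidate encoded literal.
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{16,})['"]""")

def decode_base64_literals(source: str) -> list:
    """Return the UTF-8 text of every string literal that decodes cleanly as base64."""
    decoded = []
    for match in _B64_LITERAL.finditer(source):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # not real base64, or a binary payload
            continue
    return decoded

def find_indicators(source: str) -> dict:
    """Map each indicator found to the layers it appeared in: 'plain' and/or 'base64'."""
    layers = [("plain", source)] + [("base64", t) for t in decode_base64_literals(source)]
    hits = {}
    for layer, text in layers:
        for ioc in INDICATORS:
            if ioc in text:
                hits.setdefault(ioc, set()).add(layer)
    return hits

def scan_tree(root: str) -> dict:
    """Scan every .py file under root (e.g. a site-packages directory); return {path: hits}."""
    results = {}
    for path in Path(root).rglob("*.py"):
        hits = find_indicators(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample source (hypothetical, not the real package): fetches a base64-hidden
# kill-switch URL and appends the captured login to a local credentials.txt.
KILL_SWITCH = "https://imad-213-imad21.netlify.app/pass.txt"
SAMPLE_SOURCE = (
    "import base64, requests\n"
    'URL = base64.b64decode("' + base64.b64encode(KILL_SWITCH.encode()).decode() + '").decode()\n'
    'open("credentials.txt", "a").write(user + ":" + pw + "\\n")\n'
)
```

Running `find_indicators(SAMPLE_SOURCE)` reports the kill-switch URL as seen only in the base64 layer and credentials.txt only in plain text; `scan_tree` applies the same check across an installed environment.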

Read more: https://socket.dev/blog/pypi-package-disguised-as-instagram-growth-tool-harvests-user-credentials