Keypoints
- Initial access is achieved via social engineering (Facebook Messenger DMs) that lure victims to download RAR/ZIP archives containing malicious downloaders.
- Infection is typically two-stage: a BAT downloader saves myFile.zip to C:\Users\Public, extracts vn.cmd, and vn.cmd fetches the final Python payload and supporting files.
- There are three main variants: Variant One (obfuscated project.py), Variant Two (staged OOP RitCucki script fetched from GitHub/GitLab), and Variant Three (PyInstaller-built executable ~13+ MB).
- Persistence is implemented via WindowsSecure.bat placed in the Startup folder to run project.py at user logon.
- The infostealer enumerates browser profiles (cookies/password stores) across multiple browsers (including Coc Coc, Chrome, Edge, Brave, Firefox, Opera) and dumps Facebook cookies to cookiefb.txt.
- Exfiltration is performed by archiving dumped data (country+ip.zip) and sending it via Telegram Bot API sendDocument calls (often to two different bot tokens/chat IDs); variants have also used Discord or repository-hosted C2.
- Multiple obfuscation layers are used (hex/compression, base64, function/variable name obfuscation) and some versions include an rmv.py script or embedded routines for evidence removal.
MITRE Techniques
- [T1566] Phishing – Initial access via social engineering: ‘the infection starts from a Facebook messenger direct message from the adversary.’
- [T1059] Command and Scripting Interpreter – Use of BAT/CMD/PowerShell downloaders: ‘The archived file contains a BAT script which is the first downloader.’
- [T1547] Boot or Logon Autostart Execution – Persistence via Startup folder: ‘WindowsSecure.bat … responsible for maintaining persistence … by executing project.py every time a user logs in.’
- [T1070.004] Indicator Removal: File Deletion – Evidence removal routines and rmv.py: ‘removing the Python Infostealer related scripts are embedded in the Python script itself.’
- [T1027] Obfuscated Files or Information – Multiple obfuscation layers in payloads: ‘nested obfuscation, in which the hex value is being compressed with various compression methodologies.’
- [T1539] Steal Web Session Cookie – Cookie harvesting and Facebook cookie dump: ‘project.py dumps cookie information specific to Facebook cookiefb.txt to disk.’
- [T1555.003] Credentials from Web Browsers – Extraction of stored browser credentials: ‘responsible for harvesting credentials from various browsers.’
- [T1041] Exfiltration Over C2 Channel – Sending archived data to attackers: ‘The script proceeds to archive the dumped information into a zip file … and sends to Threat Actors via the Telegram Bot API.’
- [T1567] Exfiltration Over Web Service – Use of messaging/web APIs to exfiltrate files: ‘attempts to transmit the archived file via Telegram Bot API’s sendDocument.’
- [T1071.001] Application Layer Protocol: Web Protocols – Use of web APIs for C2/exfiltration: ‘The main() function attempts to transmit the archived file via Telegram Bot API’s sendDocument.’
Indicators of Compromise
- [File name] downloader/payload names – project.py, vn.cmd, WindowsSecure.bat (persistence), rmv.py (evidence removal).
- [Domain] geolocation lookup – ipinfo[.]io (used to retrieve country and IP for naming and targeting context).
- [Repository hosts] C2/hosting locations – GitHub, GitLab (used to host staged/base64 payloads and scriptcall files).
- [File path] deployment and data dump locations – C:\Users\Public\myFile.zip (initial download), C:\Users\{user}\AppData\Local\Temp\{country+ip}\cookie.txt (dumped credentials and cookiefb.txt).
The technical infection chain begins with a social-engineering lure (Facebook Messenger DM) that convinces the victim to download an archive (RAR/ZIP). The archive contains a BAT script which runs a curl command to save myFile.zip to C:\Users\Public, then uses Expand-Archive to extract vn.cmd. The vn.cmd downloader configures variables (sometimes for runtime deobfuscation), opens Chrome to a benign page, and downloads three files from GitLab/GitHub which are renamed to WindowsSecure.bat (persistence), Document.zip/Python39.zip (bundled Python modules), and the main payload project.py or Lib-jae.py.
Execution of the Python payload (project.py / RitCucki class) first deobfuscates embedded data (hex/compression/base64) and performs an HTTP(S) request to ipinfo[.]io to obtain the victim’s country and public IP. The main routine enumerates browser profile directories (targets include Coc Coc, Google Chrome, Microsoft Edge, Brave, Firefox, Opera, Chromium depending on variant), extracts cookies and stored credentials, writes Facebook-specific cookies to cookiefb.txt, then archives results as country+ip.zip. Exfiltration is carried out via Telegram Bot API sendDocument calls (observed both obfuscated via base64 Compressed() calls and in plaintext), often to two distinct bot tokens/chat IDs; in other cases exfiltration went to Discord or to hosts listed in a repository.
Variant differences: Variant One is an extensively obfuscated project.py that targets up to seven browsers and uses data compression in its deobfuscation flow; Variant Two uses a staged OOP RitCucki class (fetched as a base64 payload from GitHub/GitLab) and targets three browsers (Coc Coc, Chrome, Edge), relying on a scriptcall file for string data; Variant Three is a PyInstaller-bundled executable (~13+ MB) that appears to be the executable form of Variant Two. All variants commonly achieve persistence by placing WindowsSecure.bat in the Startup folder, and some Variant One builds include embedded or separate rmv.py routines to remove traces after execution.
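As an added detection example (not code from the report or from Cybereason), the rules below encode the chain described above: the myFile.zip drop in C:\Users\Public, WindowsSecure.bat in the Startup folder, the cookiefb.txt dump under Temp, the ipinfo.io lookup and the Telegram sendDocument upload. The rule names, the event format and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Rules derived from the observed infection chain (hypothetical names).
RULES = {
    "stage1_public_drop": re.compile(r"(?i)C:\\Users\\Public\\myFile\.zip"),
    "startup_persistence": re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\WindowsSecure\.bat"),
    "fb_cookie_dump": re.compile(r"(?i)\\AppData\\Local\\Temp\\.*\\cookiefb\.txt"),
    "geoip_lookup": re.compile(r"(?i)https?://ipinfo\.io"),
    "telegram_senddocument": re.compile(r"(?i)https?://api\.telegram\.org/bot[^/\s]+/sendDocument"),
}

# Rules that on their own justify escalation; a lone ipinfo.io lookup is
# common enough in legitimate software to count only as low-severity noise.
HIGH = {"stage1_public_drop", "startup_persistence", "fb_cookie_dump", "telegram_senddocument"}

# Constructed sample telemetry (host|event_type|detail), not real data.
SAMPLE_LOG = """\
WS01|file_create|C:\\Users\\Public\\myFile.zip
WS01|process_create|powershell.exe Expand-Archive C:\\Users\\Public\\myFile.zip
WS01|file_create|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat
WS01|network|python.exe GET https://ipinfo.io/json
WS01|file_create|C:\\Users\\alice\\AppData\\Local\\Temp\\VN203.0.113.7\\cookiefb.txt
WS01|network|python.exe POST https://api.telegram.org/bot<TOKEN>/sendDocument
WS02|network|chrome.exe GET https://ipinfo.io/json
"""

def scan(log_text):
    """Return {host: {rule_name: [matching event details]}} for every rule hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _event_type, detail = line.split("|", 2)
        for name, rx in RULES.items():
            if rx.search(detail):
                hits[host][name].append(detail)
    return hits

def triage(log_text):
    """Map each host to 'high' if any HIGH rule fired, else 'low'."""
    verdicts = {}
    for host, rules in scan(log_text).items():
        verdicts[host] = "high" if rules.keys() & HIGH else "low"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict, sorted(scan(SAMPLE_LOG)[host]))
```

Feeding real EDR or proxy events into scan() only requires mapping them onto the host|event_type|detail shape; the regexes match on the detail field alone.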
Read more: https://www.cybereason.com/blog/unboxing-snake-python-infostealer-lurking-through-messaging-service