, , ,

Unveiling the Snake Infostealer: How It Spreads Through Facebook Messenger

thumb2_snake

In early 2024, researchers at Cybereason uncovered a new threat targeting Facebook users — a Python-based information stealer dubbed Snake (not to be confused with the Russian state-sponsored Snake rootkit). This campaign stood out for its delivery mechanism: Facebook Messenger. Here’s what was found and what it means for defenders.

How the Campaign Works

The attack chain is deceptively simple and relies on social engineering:

  1. A victim receives a message on Facebook Messenger from a contact — sometimes a compromised friend’s account, sometimes a fake account
  2. The message contains a RAR or ZIP archive, or a link to one hosted on a file sharing service
  3. Inside the archive is a batch script (.bat) or an executable
  4. Running the file executes a downloader that fetches the Snake infostealer payload from an external server
  5. Snake runs silently, collects credentials and data, and exfiltrates them to an attacker-controlled Telegram bot or Discord webhook

The use of Facebook Messenger as a delivery channel is clever: it’s a trusted platform, messages from known contacts are more likely to be opened, and corporate email filters don’t inspect personal messaging apps.

What Snake Steals

Diagram

Snake is a credential-focused infostealer. Once running, it targets:

  • Browser credentials — saved usernames and passwords from Chrome, Firefox, Edge, Brave, and other Chromium-based browsers
  • Browser cookies — session cookies that can be used to hijack authenticated sessions without needing the password
  • Cryptocurrency wallets — wallet files and browser extension data for MetaMask and similar wallets
  • System information — OS version, hardware, installed software, IP address
  • Facebook session tokens — which then enable the attacker to access the victim’s Facebook account and potentially use it to spread the malware further

Technical Analysis: The Payload

Snake is written in Python and distributed in one of three variants observed in this campaign:

  • A compiled Python executable (.exe) built with PyInstaller
  • A batch script downloader that fetches and runs a Python script
  • A CMD-based downloader that uses PowerShell to pull and execute the payload

The choice of Python is notable: Python-based malware is often easier to write and modify, but the compiled executable is also less likely to trigger traditional AV signatures compared to well-known commodity stealers.

Similarities with FormBook and Agent Tesla

Cybereason researchers noted that Snake shares staging and exfiltration mechanisms with FormBook and Agent Tesla — two well-established infostealer families. The use of Telegram bots for data exfiltration in particular mirrors patterns seen in many modern stealers, as it avoids the need for dedicated C2 infrastructure and blends in with legitimate Telegram traffic.

The Facebook Propagation Loop

Diagram

One of the more concerning aspects of Snake is how it self-propagates. Once it steals the victim’s Facebook session cookies, attackers can:

  1. Log into the victim’s Facebook account without needing their password
  2. Access their Messenger contacts
  3. Send the malicious archive to those contacts, appearing to come from a trusted friend

This creates a self-sustaining spread mechanism that amplifies the campaign without requiring the attacker to find new victims manually.

Detection and Defence

For Individual Users

  • Be extremely sceptical of archive files received via Messenger, even from contacts you know — their account may be compromised
  • Never run .exe, .bat, .cmd, or .vbs files received via messaging apps
  • Enable two-factor authentication on your Facebook account — this won’t stop session cookie theft but limits what attackers can do with stolen passwords
  • Regularly review active Facebook sessions (Settings → Security → Where You’re Logged In) and revoke any unfamiliar sessions

For Defenders and Analysts

  • Monitor for PyInstaller-compiled executables in user download directories
  • Watch for Python processes (python.exe, but also renamed/embedded Python) making network connections
  • Detect outbound connections to api.telegram.org from endpoints that have no legitimate reason to contact Telegram
  • Look for browser credential database files (Login Data in Chrome’s profile directory) being accessed by non-browser processes
  • Endpoint detection for cookie-stealing behaviour — access to the Cookies SQLite database by unusual processes

Indicators of Compromise (IoC Types to Hunt)

  • Compressed archives (.rar, .zip) downloaded from file sharing sites via a browser and then immediately executed
  • PowerShell or CMD processes spawned from a user’s download directory
  • Outbound connections to Telegram API endpoints from non-messaging applications
  • Python executables with randomised names in %AppData% or %Temp%

Final Thoughts

The Snake infostealer campaign is a good reminder that attackers go where trust exists. Facebook Messenger carries an implicit trust that email no longer does — people are more likely to open a file sent by a Messenger contact than an unexpected email attachment. Combined with a self-propagating mechanism via stolen session cookies, this campaign can spread rapidly through social networks. The technical complexity is low, but the effectiveness is high. Staying aware of these delivery vectors — and maintaining healthy scepticism even on personal platforms — is as important as any technical control.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Author

Subhash Thapa

Security Analyst (SOC, AI, MDR & IR) | CEH | CCSP | CCIO | CSFPC

Weekly threat intel, straight to your inbox

Free. No noise. Unsubscribe anytime.

Categories