New FFDroider Windows Malware Steals Login Credentials

Heads up, Windows users! Researchers have found new malware in the wild targeting Windows devices. Identified as “FFDroider,” the malware typically aims at stealing login credentials from Windows systems.

FFDroider Windows Malware Surfaces As A New Threat

Sharing the details in a blog post, Zscaler ThreatLabz team researchers have explained how the FFDroider malware targets Windows systems.

Briefly, this malware works by creating a registry key, “FFDroider” (hence acquiring the name). This malware aims at stealing users’ login credentials and cookies. The malware then sends all the stolen information to its C&C under the attackers’ control.

Apart from stealing credentials, the attack also aims at using the stolen credentials and cookies to sign in to the victim’s accounts. The attackers specifically do this to attack victims’ social media accounts, steal profile details and personal data, and run malicious ads.

Once on the target device, the malware typically hides by posing as a legitimate app such as Telegram. It then adds itself to the inbound allow list (whitelist) of Windows Firewall to avoid detection and copies itself to the locations it needs.
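As an added defender-side example (not code from the Zscaler post), the script below parses the text of `netsh advfirewall firewall show rule name=all verbose` and flags enabled inbound Allow rules whose program sits in a user-writable directory such as Temp, where a user-level dropper posing as a legitimate app would tend to live. The rule text, the directory list and the file paths are constructed assumptions, not indicators from the report.

```python
"""Flag Windows Firewall inbound Allow rules whose program lives in a
user-writable directory. Added example; input is the text printed by
`netsh advfirewall firewall show rule name=all verbose`."""

# Heuristic directory list (an assumption; baseline it per environment).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample, not captured from a real host. The first rule mimics a
# whitelisted dropper posing as Telegram; the second looks like a normal
# per-user Telegram Desktop install and must not be flagged.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Telegram
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Program:                              C:\\Users\\alice\\AppData\\Local\\Temp\\Telegram.exe
Action:                               Allow

Rule Name:                            Telegram Desktop
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Program:                              C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe
Action:                               Allow
"""


def parse_netsh_rules(text):
    """One dict per rule: netsh prints 'Key:   value' lines, each block
    opened by 'Rule Name:' and followed by a dashed separator line."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or not line.strip() or line.startswith("-"):
            continue
        key, _, value = line.partition(":")  # first ':' only, so 'C:\...' survives
        current[key.strip()] = value.strip()
    return rules


def suspicious_inbound_allows(rules):
    """(rule name, program) for enabled inbound Allow rules in SUSPICIOUS_DIRS."""
    hits = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        path = r.get("Program", "").lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            hits.append((r["Rule Name"], r["Program"]))
    return hits
```

Per-user installs such as Telegram Desktop legitimately live under AppData\Roaming, so the directory list deliberately excludes it; a richer check would compare the rule's program against a known-good inventory of installed software.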

Besides infecting devices, the attacker also tracks the infection counts via iplogger.org.

For successful attack execution, the attackers have set up a list of target browsers. It includes all popular browsers like Mozilla Firefox, Google Chrome, Microsoft Edge, and Internet Explorer. They also have a specific target website list that includes social media platforms and online stores. For instance, the list includes Facebook, Twitter, Instagram, Etsy, Amazon (with specific international domains), and eBay. These lists let the malware pick out a targeted site's stored credentials and session cookies from each browser.

The following image depicts the attack cycle.

FFDroider attack cycle (Source: Zscaler)

While the malware presently focuses on stealing social media credentials, it also threatens the victim’s personal and financial data. Mainly, if the victim has linked the bank or account details with social media sites or online stores, the attacker could quickly get all those details.

Users must keep their systems protected with a robust antimalware tool.
