Phishing is known to be the weapon of choice for all cybercriminals that are after login credentials. However, a new attack tool – facebook Hacker – has drawn attention to the ill-intentioned people in need of passwords and usernames that are not theirs.

This do-it-yourself kit helps the wrong doer steal login credentials from whoever was targeted without the user even having to type in any of these desired fruits.

Fig.1 The extracted archive of the facebook Hacker

The kit is intuitive, thus extremely easy to configure, just like any do-it yourself hack tool designed with the "skiddie” in mind. There are only two fields that need filling in: a disposable e-mail and a password that will eventually constitute the location where the stolen information is to be delivered to.

 Fig. 2 Configuration panel

After clicking the "build” button, a server.exe file is created and deposited into the facebook Hacker folder along with the initial files. This server.exe file is to be sent to the intended victims.

Fig. 3 The server file to be sent to the victims is ready for distribution

Once run, the malicious tool will snatch the victim’s Facebook® account’s credentials, along with all the usernames and passwords that we carelessly ask the browser to remember for us. Yes, because facebook Hacker also targets the Internet browser and Instant Messaging clients to pick up the entire list of "remembered” identification data.

In order to successfully collect passwords, the malicious binary includes applications able to squeeze data out of the most popular browsers on the market, as well as of almost all instant messaging clients available. To add insult to injury, the application also enumerates all dialup/VPN entries on the computer and displays their logon details: User Name, Password, and Domain.

To avoid detection, the facebook Hacker will also look for all the processes related to a security suite and kill them upon detection. It is important to mention that it is accessorized with a hard-coded list of processes associated with AV solutions that are to be checked and stopped, if found.

Last but not at all the least, the piece of malware looks for network monitoring applications and terminates them. This is a safety measure that will prevent curious users from seeing their passwords leave the system.

Figure 4: TCP dump of the information sent by the application. Since the SMTP server uses TLS encryption, sniffed traffic will not reveal much of what’s going on.

As it can be seen, the author took a lot of time to think of various elements that could interfere with the smooth operation of this tool and to eliminate them one by one.  

Figure 5: The stolen credentials of our test accounts got mailed on the specified address.

BitDefender® identifies this threat as Trojan.Generic.3576478. In order to stay safe, please ensure that you are running a frequently updated antivirus utility. Also, remember not to run files you may receive as attachments or via IM, or at least, to scan them beforehand.

All product and company names mentioned herein are for identification purposes only and are the property and may be trademarks of their respective owners.