Hello and welcome to the Friday, January 26, 2024 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

So we got an interesting info stealer today that Xavier came across and that he wrote up.

First of all, it does some a little bit unusual geotargeting in that it apparently attempts to avoid Vietnamese users.

This check is just done by IP address. On the other hand, it also includes a code to look for cookies that are used by a browser popular in Vietnam called Cockcoccus, the name of the particular browser.

I suspect that this particular malware was written by someone in Vietnam, maybe trying to not get the crosshairs of local law

enforcement. That's why you often sort of see these specific exceptions. And since this

browser is popular in Vietnam, the author may have included it because that's a browser

that the author may use.

Of course, that's someone speculative.

But the other interesting part is that one particular type of cookie that it's looking for

is Facebook cookies, in particular for the ads manager.

Ads manager.com, that's being used by businesses who advertise on Facebook.

And I've mentioned this a couple times before that this sort of has become a pretty hot commodity

credentials for these advertisers because once you own an account that's able to place ads in Facebook,

you can use this account not just to get free ads, that's of course nice to have,

but also to then post malicious ads on Facebook.

And these accounts would then, of course, be disabled after some time. And having

throwaway accounts that were stolen from legitimate users, of course, makes them quite interesting

to post ads for malicious tools. This bot does heavily use Telegram's API for command control, which again is nothing really that terribly unusual.

Telegram has a pretty simple and straightforward API.

Virus total score for this Malaver is 6 out of 60.

...