FFDroider (Malpedia symbol: win.ffdroider)


There is no description at this point.

References
2022-04-11, The Hacker News, Ravie Lakshmanan: "Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild", https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html
@online{lakshmanan:20220411:researchers:2e6147c, author = {Ravie Lakshmanan}, title = {{Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild}}, date = {2022-04-11}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html}, language = {English}, urldate = {2022-05-04} }

2022-04-06, Zscaler, Avinash Kumar and Niraj Shivtarkar: "FFDroider Stealer Targeting Social Media Platform Users", https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
@online{kumar:20220406:ffdroider:7f5ad65, author = {Avinash Kumar and Niraj Shivtarkar}, title = {{FFDroider Stealer Targeting Social Media Platform Users}}, date = {2022-04-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users}, language = {English}, urldate = {2022-04-29} }
Yara Rules
[TLP:WHITE] win_ffdroider_w0 (20220414 | detects FFDroider)
rule win_ffdroider_w0 {
    meta:
        author      = "Johannes Bader @viql"
        date        = "2022-04-08"
        description = "detects FFDroider"
        tlp         = "white"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider"
        malpedia_rule_date = "20220414"
        malpedia_hash = ""
        malpedia_version = "20220414"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string_pdb  = "F:\\FbRobot\\Release\\FbRobot.pdb"
        $string_mutex = "37238328-1324242-5456786-8fdff0-67547552436675" wide
        $string_path  = "/seemorebty/"

        $tld_ca = ".ca" wide
        $tld_cn = ".cn" wide
        $tld_eg = ".eg" wide
        $tld_fr = ".fr" wide
        $tld_de = ".de" wide
        $tld_in = ".in" wide
        $tld_it = ".it" wide
        $tld_cojp = ".co.jp" wide
        $tld_nl = ".nl" wide
        $tld_pl = ".pl" wide
        $tld_sa = ".sa" wide
        $tld_sg = ".sg" wide
        $tld_es = ".es" wide
        $tld_ae = ".ae" wide
        $tld_couk = ".co.uk" wide
        $tld_com = ".com" wide
        $tld_comau = ".com.au" wide
        $tld_combr = ".com.br" wide
        $tld_commx = ".com.mx" wide
        $tld_comtr = ".com.tr" wide

        $facebook_1 = "https://www.facebook.com/ads/manager/account_settings/account_billing" wide
        $facebook_2 = "https://www.facebook.com/pages/?category=your_pages&ref=bookmarks"
        $facebook_3 = "https://www.facebook.com/bookmarks/pages?ref_type=logout_gear"

    condition:
        2 of ($string_*) or
        (
            all of ($tld_*) and
            all of ($facebook_*)
        )
}
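The rule above has two independent branches, and its string modifiers matter: $string_mutex and every $tld_* are declared `wide`, so they match only the UTF-16LE encoding, while the PDB path, the `/seemorebty/` path and two of the three Facebook URLs are plain ASCII. The following is an added example, not part of the Malpedia page or of Johannes Bader's rule, that re-implements the condition in plain Python and runs it over buffers constructed here for illustration (they are not real FFDroider artefacts). It needs no YARA installation; its purpose is to show which combinations of strings trip which branch, and that the same mutex value stored as ASCII instead of UTF-16LE does not count.

```python
# Added example: a plain-Python re-implementation of the win_ffdroider_w0
# condition, run over constructed in-memory buffers. It is not part of the
# Malpedia page or the rule author's tooling; the sample buffers below are
# constructed for illustration and are not real FFDroider artefacts.

# (text, wide) pairs copied from the rule. `wide` means YARA looks for the
# UTF-16LE encoding of the string; a plain string must appear as ASCII bytes.
STRING_GROUP = {
    "string_pdb":   ("F:\\FbRobot\\Release\\FbRobot.pdb", False),
    "string_mutex": ("37238328-1324242-5456786-8fdff0-67547552436675", True),
    "string_path":  ("/seemorebty/", False),
}
TLD_GROUP = [".ca", ".cn", ".eg", ".fr", ".de", ".in", ".it", ".co.jp", ".nl",
             ".pl", ".sa", ".sg", ".es", ".ae", ".co.uk", ".com", ".com.au",
             ".com.br", ".com.mx", ".com.tr"]          # all declared `wide`
FACEBOOK_GROUP = [
    ("https://www.facebook.com/ads/manager/account_settings/account_billing", True),
    ("https://www.facebook.com/pages/?category=your_pages&ref=bookmarks", False),
    ("https://www.facebook.com/bookmarks/pages?ref_type=logout_gear", False),
]


def encode(text: str, wide: bool) -> bytes:
    """Byte pattern YARA searches for: UTF-16LE if `wide`, else ASCII."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def scan(data: bytes) -> dict:
    """Evaluate each part of the rule condition and return the pieces."""
    string_hits = [name for name, (t, w) in STRING_GROUP.items()
                   if encode(t, w) in data]
    tld_all = all(encode(t, True) in data for t in TLD_GROUP)
    fb_all = all(encode(t, w) in data for t, w in FACEBOOK_GROUP)
    return {
        "string_hits": string_hits,
        "branch_strings": len(string_hits) >= 2,      # 2 of ($string_*)
        "branch_tld_facebook": tld_all and fb_all,    # all of ($tld_*) and all of ($facebook_*)
    }


def win_ffdroider_w0(data: bytes) -> bool:
    """True when the buffer would match the rule's condition."""
    r = scan(data)
    return r["branch_strings"] or r["branch_tld_facebook"]


def build(fragments) -> bytes:
    """Constructed stand-in for a binary's data section: fragments separated by NULs."""
    return b"\x00" * 4 + b"\x00\x00".join(fragments) + b"\x00" * 4


# Constructed samples (not real malware):
PDB, MUTEX = STRING_GROUP["string_pdb"], STRING_GROUP["string_mutex"]

# 1. PDB path as ASCII plus the mutex as UTF-16LE: two $string_* hits.
SAMPLE_PDB_MUTEX = build([encode(*PDB), encode(*MUTEX)])

# 2. Every TLD as UTF-16LE plus all three Facebook URLs in their declared encodings.
SAMPLE_TLD_FB = build([encode(t, True) for t in TLD_GROUP]
                      + [encode(t, w) for t, w in FACEBOOK_GROUP])

# 3. Same mutex value, but stored as ASCII: the `wide`-only $string_mutex
#    does not fire, leaving a single hit, so the rule misses this buffer.
SAMPLE_ASCII_MUTEX = build([encode(*PDB), MUTEX[0].encode("ascii")])

# 4. All TLDs but only two Facebook URLs: the second branch needs all three.
SAMPLE_PARTIAL = build([encode(t, True) for t in TLD_GROUP]
                       + [encode(t, w) for t, w in FACEBOOK_GROUP[:2]])

if __name__ == "__main__":
    for name, buf in [("pdb+wide mutex", SAMPLE_PDB_MUTEX),
                      ("tld+facebook", SAMPLE_TLD_FB),
                      ("pdb+ascii mutex", SAMPLE_ASCII_MUTEX),
                      ("tld+2 facebook", SAMPLE_PARTIAL)]:
        print(f"{name:16s} match={win_ffdroider_w0(buf)} {scan(buf)}")
```

In real use the rule is compiled and applied by YARA itself (or yara-python); the re-implementation only mirrors the condition so the branch logic and the ASCII-versus-`wide` distinction can be exercised offline. The third sample is the caveat worth remembering when tuning a rule of this shape: a string that is `wide`-only will not match a build that stores the same value as ASCII, and a string without `wide` will not match a UTF-16 copy.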