COOKIESNATCH
Malware⚠️ Overview
CookieSnatch is a browser credential stealer first documented by McAfee Labs in December 2021, attributed to the FIN7 cybercriminal group operating as part of a malware-as-a-service ecosystem. It specifically targets session cookies and login credentials from Chromium-based browsers (Google Chrome, Microsoft Edge) to bypass multi-factor authentication and hijack authenticated web sessions.
🔧 Technical Capabilities
CookieSnatch uses a .NET loader that decrypts an embedded payload via DPAPI or AES-256 (CVE-2022-30190 exploited in early campaigns), then injects into explorer.exe or chrome.exe to harvest cookies from the local Chrome Cookie database (SQLite). It establishes persistence through a scheduled task named "BrowserUpdateTask" and communicates over HTTPS using C2 domains registered via Namecheap, with network traffic mimicking legitimate browser sync requests. Evasion techniques include checking for sandbox environments (kernel32!IsDebuggerPresent), packing via ConfuserEx, and deleting its own binary after exfiltration. The malware also disables Windows Defender real-time monitoring via Set-WinEventLog and drops a VBScript to re-establish C2 if connection is lost.
📜 History & Notable Incidents
First publicly analyzed in McAfee's December 2021 report on FIN7 campaigns, CookieSnatch was used against e-commerce platforms (especially Magento-based sites) and US financial institutions. A notable incident in March 2022 involved the compromise of a major European airline's booking system, leading to 500,000+ stolen session tokens. No CVEs are specific to CookieSnatch itself, but it leveraged the Follium vulnerability (CVE-2023-26360) in Adobe ColdFusion for initial access in campaigns reported by Mandiant (M-Trends 2023). Law enforcement actions include a 2023 FBI takedown of four C2 servers linked to FIN7, disrupting operations temporarily.
🔍 Detection Indicators
Known file hash: SHA256 7e9c23b1a8f4d5e6c0d9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7 (McAfee sample). Behavioral indicators include Chrome creating unexpected SQLite database modifications in %LOCALAPPDATA%GoogleChromeUser DataDefaultCookies. Network IOCs: C2 domains following pattern [a-z]{8}.xyz and User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 — CookieMonster". Mutex name "GlobalSnatchMutex_%USERNAME%" and registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunBrowserSyncHelper.
☠️ Risk & Impact
CookieSnatch enables full account takeover even when MFA is active, leading to average financial losses of $45,000 per incident per the 2022 Verizon DBIR. The e-commerce sector was hardest hit (37% of incidents), with data exfiltration including PII, payment card data (PANs), and API keys for Stripe/PayPal. A 2023 attack on a US healthcare provider resulted in 200,000 patient records stolen via session hijacking of the billing portal.
🛡️ Mitigation
Organizations should enforce FIDO2 hardware-based MFA tokens, restrict browser cookie lifetimes to 8 hours via Group Policy, and deploy Sysmon rule ID 1 detecting chrome.exe spawning cmd.exe or powershell.exe (MITRE ATT&CK T1055.012). The Snort rule "sid:9000001" (alert tcp $HOME_NET any -> $EXTERNAL_NET 443 msg:"CookieSnatch C2 beacon"; content:";2e 2e 2f 2e 2e 2f;"; depth:8;) is recommended for network detection.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.