Instant Karma Facebook password stealer actually steals from attackers rather than victims

Have you ever wanted to hack into someone's Facebook account? Well, be careful about what you wish for because cybercriminals are now marketing a new Facebook password stealing malwarethat actually steals from attackers, rather than going after victims. The password stealer is being marketed to those with limited to no hacking skills, look into crack into other people's Facebook accounts.

Ironically dubbed Instant Karma, the password stealing malware infects the operator of the malware. Once downloaded, it injects the system with a malicious code in the background that can steal credentials, including personal and financial data.

"This appears very widespread and growing," Sydney-based LMNTIX Labs, which first identified the malware, told TechCrunch. "We classified this as an ongoing malicious campaign with the threat actors actively marketing it as 'Facebook Password Stealer' or, more innocuously, 'Facebook Password Recovery.'

"The attackers also seem to be sophisticated marketers who understand there is potentially big demand for the purported service and are distributing the sample via Spam, Ad campaigns, Pop-ups, Bundled Software, Porn sites and also some times as a standalone software."

The malware also drops a RAT (remote access trojan) after the victim, the wannabe hacker, clicks on the "hack" button. HackRead reported that the password stealing malware is also capable of remotely hijacking a device, view the victims' IP address, full names, OS type, location and more. Instant Karma also reportedly comes with keylogger features and can steal passwords stored in browsers or other applications.

The malware currently seems to be limited to target Windows PC users. The RAT the malware drops is reportedly called njRAT, aka Bladabindi, which was first discovered in 2012 is believed to be the work of Arabic speaking cybercriminals.

"The target market goes beyond a typical hacker subset (if there is such a thing) and targets the general user who may be tempted to get inside someone's Facebook account (friends, enemies, significant others, et al.)," the researchers told TechCrunch. "While there have been methods and apps offering Facebook hacks, this specific malicious campaign which uses the promise of easy Facebook password theft as bait is completely new."