A continuing campaign targets Facebook Business accounts with phoney messages in an effort to gather victims' login information using a Python-based NodeStealer version and perhaps seize control of their accounts for further malicious actions.
According to research by Netskope Threat Labs researcher Jan Michael Alcantara, "the attacks are targeting victims primarily in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors,"
NodeStealer began as a JavaScript virus that could steal cookies and passwords from web browsers to breach Facebook, Gmail, and Outlook accounts. It was first identified by Meta in May 2023.
Palo Alto Networks Unit 42 discovered a separate attack wave that used a Python version of the malware in December 2022, with some iterations also intended to carry out cryptocurrency theft, last month.
According to the most recent data from Netskope, the Vietnamese threat actors who were behind the operation have probably renewed their offensive attempts and have even adopted the strategies of other enemies who are also pursuing the same goals outside of the country.
Guardio Labs has revealed how phoney communications sent via Facebook Messenger from a botnet of fictitious and hijacked personal accounts are used to distribute ZIP or RAR archive files to unsuspecting recipients in order to spread the stealer virus.
The NodeStealer intrusion chains use the same method of operation as their initial vector to disseminate RAR files stored on Facebook's content delivery network (CDN).
Alcantara stated that "images of faulty products were used as bait to persuade owners or admins of Facebook business pages to download the malware payload."
These archives have a batch script embedded in them that, when run, launches the Chrome browser and directs the victim to a safe website. However, a PowerShell command is launched in the background to obtain further payloads, such as the Python interpreter and the NodeStealer malware.
The stealer is made to collect system metadata and exfiltrate the data over Telegram in addition to stealing login credentials and cookies from different web browsers, whether or not they come from Facebook.
In contrast to past iterations, the new NodeStealer variation, according to Alcantara, uses batch files to download and execute Python scripts as well as to steal login information and cookies from various browsers and websites.
They may utilise the information they have already obtained from this campaign as a springboard for a subsequent, more focused attack. Attackers with access to Facebook cookies and passwords can use them to hijack the account and conduct fraudulent commerce using the official company page.
Comments