Facebook Business Accounts Under Attack: NodeStealer Variant Harvests Credentials
An ongoing cyber campaign is actively targeting Facebook Business accounts using deceptive messages to extract victims’ credentials, employing a variant of the Python-based NodeStealer malware. The attackers aim to potentially seize control of these accounts for subsequent malicious actions.
The attacks have primarily impacted victims in Southern Europe and North America, spanning various sectors, with a notable presence in manufacturing services and technology, according to Netskope Threat Labs researcher Jan Michael Alcantara.
NodeStealer initially emerged in May 2023 and operated as a JavaScript-based malware. It specialized in pilfering cookies and passwords from web browsers, compromising accounts on platforms such as Facebook, Gmail, and Outlook.
In a separate disclosure last month, Palo Alto Networks Unit 42 unveiled an attack wave that transpired in December 2022, featuring a Python version of the NodeStealer malware. Some iterations of this malware variant were also engineered for cryptocurrency theft.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
The recent findings by Netskope suggest that the Vietnamese threat actors behind this campaign have likely resumed their attack activities. They have also incorporated tactics utilized by other threat groups from the same region with similar objectives.
Earlier this week, Guardio Labs disclosed a tactic where fraudulent messages sent via Facebook Messenger, utilizing a botnet of counterfeit and hijacked personal accounts, were employed to distribute ZIP or RAR archive files containing the NodeStealer malware to unsuspecting recipients.
The same method serves as the initial vector for the NodeStealer intrusion chains. These chains deliver RAR files hosted on Facebook’s content delivery network (CDN).
The attackers utilized images depicting defective products as bait to convince the owners or administrators of Facebook business pages to download the malware payload. These archives are equipped with a batch script that, when executed, opens the Chrome web browser and redirects the victim to a benign webpage. Simultaneously, in the background, a PowerShell command is executed to retrieve additional payloads, including the Python interpreter and the NodeStealer malware.
Trending: Offensive Security Tool: Headerpwn
NodeStealer, apart from capturing credentials and cookies from various web browsers, regardless of the platform, is engineered to collect system metadata and exfiltrate this information via Telegram.
Compared to earlier versions, the new NodeStealer variant employs batch files for downloading and executing Python scripts. It is capable of stealing credentials and cookies from multiple web browsers and websites.
“This campaign might serve as an entry point for a more targeted attack in the future, as the attackers have already gathered valuable information. Attackers who have stolen Facebook cookies and credentials can use them to take over the account and engage in fraudulent transactions, leveraging the legitimate business page,” noted Alcantara.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
