An ongoing campaign is targeting Facebook Business accounts with malicious messages in order to steal victims’ credentials and potentially take over their accounts. The attackers are primarily focusing on victims in Southern Europe and North America, particularly in the manufacturing services and technology sectors.
The NodeStealer malware, which was first discovered by Meta in May 2023, is a JavaScript-based malware that steals cookies and passwords from web browsers, compromising accounts on platforms such as Facebook, Gmail, and Outlook.
Recently, Netskope Threat Labs revealed that Vietnamese threat actors are likely behind the attacks, using tactics similar to other adversaries from the same region. These attackers are utilizing fraudulent messages sent via Facebook Messenger to deliver stealer malware in ZIP or RAR archive files. The malware payload is disguised as an image of a defective product, enticing Facebook business page owners to download it.
Once executed, the archive files open the Chrome web browser and redirect the victim to a benign web page. In the background, a PowerShell command downloads additional payloads, including the Python interpreter and the NodeStealer malware. The NodeStealer variant used in this campaign is more advanced than previous versions, using batch files to download and run Python scripts, stealing credentials and cookies from multiple browsers and websites.
The stolen credentials and cookies can be used by attackers to take over Facebook accounts and carry out fraudulent transactions using the legitimate business pages. This campaign may be a precursor to a more targeted attack in the future.
It is crucial for Facebook Business account owners to exercise caution and avoid downloading any suspicious files or clicking on unfamiliar links. Regularly updating security measures and implementing multi-factor authentication can also help protect against these types of attacks.
Sources:
– Netskope Threat Labs
– Palo Alto Networks Unit 42
– Meta
– Guardio Labs