A malicious malvertising campaign is using Facebook ads to spread malware and compromise users’ social media accounts. Cybercriminals have devised this scheme to exploit legitimate online ad distribution tools, surreptitiously inserting infected links into typical ads.
To lure users into clicking, the campaign employs suggestive images, primarily featuring young women. This campaign’s goal is to deliver a new iteration of the NodeStealer malware, which, among its functions, allows attackers to pilfer victims’ browser cookies and gain control of their Facebook accounts.
Notably, NodeStealer has been linked to previous campaigns where hackers seized control of Facebook business accounts and pilfered funds from cryptocurrency wallets. The malware was initially identified by Meta, Facebook’s parent company, in January.
In this recent campaign reported by Bitdefender, cybercriminals utilized at least ten compromised business accounts to run and manage ads that distributed the malware to regular Facebook users, mainly targeting men in their 40s and older across Europe, Africa, and the Caribbean. Each click on the ad led to the instant download of the malicious executable file, and the researchers estimate that nearly 100,000 users downloaded the malware within just ten days.
The identity of the hacker group behind this campaign remains unclear, but previous NodeStealer attacks were attributed to threat actors in Vietnam who targeted business users via Facebook Messenger. In the latest campaign, researchers identified a slightly updated variant of NodeStealer, with new features enabling hackers to access additional platforms, including Gmail and Outlook, and download further malicious payloads.
Once cybercriminals gain access to users’ browser cookies using NodeStealer’s basic functions, they can commandeer Facebook accounts, compromise sensitive information, alter passwords, and activate security measures, thereby denying legitimate access to the account owners. This multi-faceted attack enables cybercriminals to not only steal funds but also commit fraud and manipulate hijacked accounts while evading Meta’s security defenses.