An ongoing cyber campaign is specifically targeting Facebook Business accounts by sending deceptive messages aimed at harvesting user credentials. This campaign employs a modified version of the Python-based NodeStealer malware, originally discovered by Meta in May 2023.
NodeStealer, initially a JavaScript malware, is capable of stealing cookies and passwords from web browsers, including those of Facebook, Gmail, and Outlook accounts. The attacks are mainly concentrated in Southern Europe and North America and primarily affect sectors such as manufacturing services and technology.
Furthermore, Palo Alto Networks Unit 42 previously identified an attack wave that utilized a Python version of NodeStealer in December 2022, with some variants designed for cryptocurrency theft. The latest findings from Netskope suggest that Vietnamese threat actors are likely behind this operation and have possibly resumed their attack efforts, adopting tactics used by other threat actors with similar objectives.
Recent reports also reveal that fraudulent messages sent via Facebook Messenger are delivering ZIP or RAR archive files containing the NodeStealer malware, using deceptive tactics to reach unsuspecting recipients.
At the same time, these archives come with a batch script that, upon execution, opens the Chrome web browser, leading the victim to a benign web page. However, in the background, a PowerShell command runs to retrieve additional payloads, including the Python interpreter and NodeStealer malware.
This malware not only steals credentials and cookies from various web browsers but also collects system metadata, exfiltrating this information over Telegram. The campaign poses a significant threat, as stolen Facebook cookies and credentials can potentially lead to account takeovers and fraudulent transactions, leveraging legitimate business pages.
