A persistent campaign is currently underway that specifically targets Facebook Business accounts. The attacks use deceptive messages to harvest victims' login details with a variant of the Python-based NodeStealer malware. The ultimate objective is to take control of the compromised accounts and use them for further malicious activity.

Netskope Threat Labs researcher Jan Michael stated that the attacks have predominantly affected victims in Southern Europe and North America across various industries, with the manufacturing, services, and technology sectors hit particularly hard.

NodeStealer was initially discovered by Meta in May 2023 as a JavaScript-based malware that specialized in stealing cookies and passwords from web browsers, specifically targeting Facebook, Gmail, and Outlook accounts.

In a separate disclosure, Palo Alto Networks Unit 42 unveiled a distinct wave of attacks in December 2022 that employed a Python version of NodeStealer, with specific iterations tailored for cryptocurrency theft.

Recent findings from Netskope suggest that the Vietnamese threat actors responsible for these operations have likely resumed their attack efforts, potentially adopting tactics employed by other threat actors with similar objectives operating within the country.

Just this week, Guardio Labs highlighted a new technique wherein fraudulent messages are distributed via Facebook Messenger, originating from a botnet comprised of fake and hijacked personal accounts. These messages are being utilized to deliver ZIP or RAR archive files containing the NodeStealer malware to unsuspecting recipients.

This modus operandi is the primary means of initial infection: RAR files hosted on Facebook's content delivery network (CDN) are distributed, with images of supposedly defective products used as bait to entice owners or administrators of Facebook business pages into downloading the malicious payload.

Once opened, the archive runs a batch script that launches the Chrome web browser on a benign web page. In the background, a PowerShell command retrieves additional payloads, including a Python interpreter and the NodeStealer malware itself.
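As an added illustration of how a defender might hunt for the chain just described in endpoint telemetry (this is not code from the Netskope report): the script below parses constructed, simplified process-creation events whose field names follow Sysmon Event ID 1, and flags a `.bat`-launched `cmd.exe` that spawns both a browser (the decoy page) and `powershell.exe`, where the PowerShell child in turn runs a Python interpreter from a user-writable path. The process IDs, paths and file names are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample events (simplified key=value rendering of Sysmon Event ID 1).
# The first chain mirrors the infection flow above; the second is a benign batch job.
SAMPLE_LOG = r"""
EventID=1 ProcessId=4100 ParentProcessId=900 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c C:\Users\acct\Downloads\defective_item.bat"
EventID=1 ProcessId=4120 ParentProcessId=4100 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="chrome.exe https://www.example.com/"
EventID=1 ProcessId=4133 ParentProcessId=4100 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\Users\acct\AppData\Local\Temp\stage.ps1"
EventID=1 ProcessId=4150 ParentProcessId=4133 Image="C:\Users\acct\AppData\Local\Temp\py\python.exe" CommandLine="python.exe C:\Users\acct\AppData\Local\Temp\py\main.py"
EventID=1 ProcessId=5200 ParentProcessId=900 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c C:\Scripts\backup.bat"
EventID=1 ProcessId=5210 ParentProcessId=5200 Image="C:\Windows\System32\robocopy.exe" CommandLine="robocopy.exe D:\data E:\backup"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreter dropped under the user's profile rather than a system-wide install.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)


def parse_events(text):
    """Turn key=value lines into dicts, keeping only process-creation events."""
    events = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("EventID") == "1":
            events.append(fields)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_batch_dropper_chains(events):
    """Return ProcessIds of .bat-launched cmd.exe instances that spawn a browser
    and powershell.exe, where PowerShell then runs python.exe from a user path."""
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    hits = []
    for e in events:
        if basename(e["Image"]) != "cmd.exe" or ".bat" not in e["CommandLine"].lower():
            continue
        kids = children[e["ProcessId"]]
        has_browser = any(basename(k["Image"]) in BROWSERS for k in kids)
        ps_kids = [k for k in kids if basename(k["Image"]) == "powershell.exe"]
        py_from_user_path = any(
            basename(g["Image"]) == "python.exe" and USER_WRITABLE.search(g["Image"])
            for p in ps_kids for g in children[p["ProcessId"]]
        )
        if has_browser and ps_kids and py_from_user_path:
            hits.append(e["ProcessId"])
    return hits


if __name__ == "__main__":
    print(find_batch_dropper_chains(parse_events(SAMPLE_LOG)))  # ['4100']
```

Real Sysmon telemetry identifies processes by ProcessGuid rather than a reusable PID, so a production version of this check should key on that field.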

NodeStealer, in addition to capturing login credentials and cookies from various web browsers, is designed to gather system metadata and exfiltrate this information via the Telegram messaging platform.

Compared to earlier iterations, the latest NodeStealer variant utilizes batch files to download and execute Python scripts, enabling the theft of credentials and cookies from multiple browsers and websites.

Michael warns that this campaign may serve as a precursor to more targeted attacks in the future, as the attackers have already obtained valuable information. With stolen Facebook cookies and credentials, threat actors can seize control of compromised accounts and carry out fraudulent transactions, leveraging the legitimacy of the affected businesses.
