Compromised Facebook business accounts have become a means to disseminate deceptive advertisements that employ “explicit images of young women” to lure victims into downloading an updated version of NodeStealer, a malware strain. Bitdefender recently published a report shedding light on this alarming development.

When a victim clicks one of these ads, an archive containing a malicious .exe file masquerading as a 'Photo Album' is downloaded. That executable then drops a second payload, written in .NET, onto the victim's device; this secondary payload is responsible for stealing browser cookies and saved passwords.

NodeStealer initially came to the public’s attention when Meta disclosed it in May 2023. It’s a JavaScript-based malware created to facilitate the takeover of Facebook accounts. Since then, the threat actors behind this operation have employed a Python-based variant in their attacks.

This malware is a part of the growing cybercrime landscape in Vietnam, where various threat actors are employing overlapping tactics, primarily relying on Facebook advertising as a propagation vector.

The recent campaign discovered by the Romanian cybersecurity firm adheres to this pattern, using malicious ads to compromise Facebook accounts. Meta’s Ads Manager tool is actively manipulated in these campaigns, primarily targeting male users on Facebook aged 18 to 65 in Europe, Africa, and the Caribbean. The most affected demographic group is males aged 45 and above.

In addition to disguising malicious executables as photo albums, these attacks have expanded to target regular Facebook users. The executables are hosted on legitimate websites, further obscuring their malicious nature.

The ultimate objective of these attacks is to use the stolen session cookies to bypass security mechanisms such as two-factor authentication and then change the victims' passwords, effectively locking them out of their own accounts.

The researchers note that this type of malicious attack allows cybercriminals to operate stealthily, evading Meta’s security defenses, whether their aim is to steal money or scam new victims through compromised accounts.

In a related development, Cisco Talos has exposed several scams targeting users of the Roblox gaming platform. These scams employ phishing links to capture users’ credentials and steal Robux, an in-app currency used for avatars and special abilities in the game.

This trend continues with CloudSEK’s discovery of a two-year data harvesting campaign in the Middle East, involving approximately 3,500 fake domains associated with real estate properties in the region. The campaign’s goal is to collect information about buyers and sellers and distribute this data on underground forums.
