NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

Compromised Facebook business accounts are being used to run bogus ads that employ “revealing photos of young women” as lures to trick victims into downloading an updated version of a malware called NodeStealer.

“Clicking on ads immediately downloads an archive containing a malicious .exe ‘Photo Album’ file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords,” Bitdefender said in a report published this week.

NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks.

The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation.

The latest campaign discovered by the Romanian cybersecurity firm is no different in that malicious ads are used as a conduit to compromise users’ Facebook accounts.

“Meta’s Ads Manager tool is actively exploited in these campaigns to target male users on Facebook, aged 18 to 65 from Europe, Africa, and the Caribbean,” Bitdefender said. “The most impacted demographic is 45+ males.”

Besides distributing the malware via Windows executable files disguised as photo albums, the attacks have expanded their targeting to include regular Facebook users. The executables are hosted on legitimate.

The ultimate goal of the attacks is to leverage the stolen cookies to bypass security mechanisms like two-factor authentication and change the passwords, effectively locking victims out of their own accounts.

“Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cybercrooks to stay under the radar by sneaking past Meta’s security defenses,” the researchers said.

Earlier this August, HUMAN disclosed another kind of account takeover attack dubbed Capra aimed at betting platforms by using stolen email addresses to determine registered addresses and sign in to the accounts.

The development comes as Cisco Talos detailed several scams that target users of the Roblox gaming platform with phishing links that aim to capture victims’ credentials and steal Robux, an in-app currency that can be used to purchase upgrades for their avatars or buy special abilities in experiences.

“‘Roblox’ users can be targeted by scammers (known as ‘beamers’ by ‘Roblox’ players) who attempt to steal valuable items or Robux from other players,” security researcher Tiago Pereira said.

“This can sometimes be made easier for the scammers because of “Roblox’s” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.”

It also follows CloudSEK’s discovery of a two-year-long data harvesting campaign occurring in the Middle East via a network of about 3,500 fake domains related to real estate properties in the region with the goal of collecting information about buyers and sellers, and peddling the data on underground forums.