An unreported phishing campaign that disseminated a Python version of the NodeStealer has been found.
NodeStealer gave threat actors the ability to steal browser cookies and use them to hijack users’ accounts on the platform, with a focus on business accounts.
The malware was first detected as attacking Windows system browsers in late January 2023. Google Chrome, Microsoft Edge, Brave, and Opera are just a few of the online browsers it may attack.
When Palo Alto Networks looked into the developing pattern, it was discovered that there was an unreported campaign that began around December 2022.
An attempt was made to target Facebook business accounts by using a phishing lure that offered tools like spreadsheet templates for businesses.
The NodeStealer variation compiled in July 2022 that Meta analyzed that was built in JavaScript has many similarities to the info stealer delivered throughout the campaign.
The new campaign, however, included two Python-coded variations that had been enhanced with new capabilities to aid threat actors.
These versions were given downloader capabilities, the capacity for the threat actor to take over Facebook business accounts, and the ability to steal cryptocurrency.
“NodeStealer poses a great risk for both individuals and organizations.
Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks”, researchers said.
Deep Dive Analysis Of The Malware
The primary focus of the phishing campaign, which took place in or around December 2022, was businesses’ advertising materials.
The threat actor posted content on several Facebook pages and users to entice victims to click a link from well-known cloud file storage services.
After clicking on it, an a.zip file containing the malicious info stealer executable was downloaded to the computer.
According to the reports, the first variant discovered supports several capabilities, including the ability to steal credentials from Google Chrome, Edge, Cc Cc, Brave, and Firefox web browsers.
Also,, access a victim’s Facebook Business account, download additional malware, disable Windows Defender via GUI, and steal funds from the MetaMask cryptocurrency wallet.
When malware executes, it connects to https://business.facebook.com/ads/ad_limits/ and looks at the header to see if a Facebook business account is currently signed in to the machine’s default browser.
The malware uses the user ID and access token taken from the header to establish a connection to the Graph API at graph.facebook.com when a Facebook business account is signed in.
NodeStealer takes various kinds of data about the target, such as the number of followers, the state of user authentication, the account credit balance if the account is prepaid, and information about advertisements.
Unit 42 found a second variation that has other functionality, including processing emails from Microsoft Outlook, data exfiltration over Telegram, hijacking a Facebook account, and anti-analysis capabilities.
Unlike the first variation, the second variant does not produce a lot of activity that is evident to the unwary user. The threat actor used the product name “Microsoft Corporation” for this variation.
“Both Ducktail and NodeStealer were previously suspected by Meta to originate from threat actors based in Vietnam”, researchers.
As a result, analyzing the two versions showed some unusual malware behavior, including accomplishing considerably more than its initial aims, all of which are likely to improve the threat actor’s potential profit.
Owners of Facebook business accounts are advised to use strong passwords and enable multifactor authentication.
