Palo Alto Networks Unit 42 found a new phishing campaign distributing a Python variant of NodeStealer. The code aims to seize Facebook business accounts and steal cryptocurrency funds.
The threat actors began targeting these accounts since December 2022, using phishing lures like business spreadsheet templates.
NodeStealer
Meta had previously reported an earlier form in May. The new Python version is more potent, capable of stealing cryptocurrencies and data from Telegram. This discovery adds to the increasing number of phishing attacks targeting Facebook accounts.
In May, Meta revealed a custom Javascript malware that includes the Node.js environment. The malware can run on various operating systems like Windows, Linux, and macOS due to its use of Node.js. It is believed to originate from Vietnam, and threat actors from the same region were thought to be responsible for distributing it.
In response, Meta took steps to disrupt the malware campaign and help affected users recover their accounts.
NodeStealer poses a significant danger to both individuals and organizations, as it can steal credentials from web browsers for potential future attacks.
The phishing messages contain a download link leading to a .zip archive hosted on familiar cloud file storage services like Google Drive. Inside the .zip file lies the malicious infostealer executable.
The initial variant discovered by Palo Alto Networks has several capabilities. It can steal Facebook business account details, download additional malware, disable Windows Defender using a graphical user interface (GUI), and pilfer funds from MetaMask cryptocurrency wallets using credentials stolen from web browsers like Google Chrome, Edge, Cốc Cốc, Brave, and Firefox.
When the malware is executed, it checks if a Facebook business account is logged in to the default browser on the infected machine by connecting to https://business.facebook.com/ads/ad_limits/ and examining the header.
If a Facebook business account is found logged in, the malware then connects to the Graph API (graph.facebook.com) using the user ID and access token obtained from the header.
NodeStealer collects various information about the target, including follower count, user verification status, account credit balance, prepaid status, and ads details.
The second variant discovered by Unit 42 supports additional features, such as parsing emails from Microsoft Outlook, data exfiltration via Telegram, taking over the Facebook account, anti-analysis capabilities.
As a preventative measure, Anil Valluri from Palo Alto Networks suggests that companies closely review their cybersecurity policies and examine the reported indicators of compromise (IoCs) by Unit 42.
Leave A Comment