Palo Alto Networks Unit 42 discovered a previously unreported phishing campaign that distributed a Python variant of NodeStealer. The malicious code was designed to take over Facebook business accounts and steal funds from cryptocurrency wallets. Since December 2022, the researchers observed threat actors targeting Facebook business accounts with phishing lures offering tools such as spreadsheet templates for businesses.
NodeStealer is an information-stealing malware first documented by Meta; it steals browser cookies to hijack accounts on multiple platforms, including Facebook, Gmail, and Outlook.
The malware was first spotted in late January 2023 targeting browsers on Windows systems. The original variant was written in JavaScript and executed through the Node.js runtime, which gave the family its name. It can target multiple web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.
In May, Meta took action to disrupt the malware campaign and helped victims recover their accounts.
“However, the new campaign involved two variants written in Python, improved with additional features to benefit the threat actors. The threat actor equipped these variants with cryptocurrency stealing capabilities, downloader capabilities and the ability to fully take over Facebook business accounts.” reads the analysis published by Palo Alto Networks.
NodeStealer is a serious threat to both individuals and organizations: besides hijacking accounts, it steals credentials saved in browsers, which can be reused in follow-on attacks.
The phishing messages include a download link pointing to a .zip archive hosted on a well-known cloud file storage provider such as Google Drive. The archive contains the malicious infostealer executable.
The first variant detected by Palo Alto Networks supports multiple capabilities, such as stealing Facebook business account information, downloading additional malware, disabling Windows Defender through its graphical user interface (GUI), and stealing funds from the MetaMask cryptocurrency wallet using credentials stolen from the Google Chrome, Edge, Cốc Cốc, Brave and Firefox web browsers.
Upon execution, the malware checks whether a Facebook business account is logged in to the default browser on the infected machine by connecting to https://business.facebook.com/ads/ad_limits/ and checking the response header.
If a Facebook business account is logged in, the malware connects to the Graph API (graph.facebook.com) with the user ID and the access token stolen from the header.
NodeStealer then collects several pieces of information about the account, including follower count, user verification status, account credit balance, whether the account is prepaid, and ads information.
The second variant discovered by Unit 42 supports additional features, such as parsing emails from Microsoft Outlook, exfiltrating data via Telegram, taking over the Facebook account, and anti-analysis capabilities.
The report includes a side-by-side comparison of the two variants (not reproduced here).
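The sequence described above (a non-browser process hitting the ad_limits endpoint, then graph.facebook.com, and for the second variant api.telegram.org) is something a defender can look for in web-proxy or EDR network telemetry. The following detection sketch is an added example written for this article; it is not code from Unit 42 or from the malware. The key=value log format, the process names (template.exe, updater.exe), the browser process list (including browser.exe for Cốc Cốc) and the Telegram bot token are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical key=value format
# (timestamp host process url user-agent). Not real telemetry.
SAMPLE_LOGS = """\
2023-07-20T10:00:01Z host=WS-01 proc=chrome.exe url=https://business.facebook.com/ads/ad_limits/ ua="Mozilla/5.0"
2023-07-20T10:00:02Z host=WS-01 proc=chrome.exe url=https://graph.facebook.com/me?fields=name ua="Mozilla/5.0"
2023-07-20T10:00:05Z host=WS-02 proc=template.exe url=https://business.facebook.com/ads/ad_limits/ ua="python-requests/2.31.0"
2023-07-20T10:00:06Z host=WS-02 proc=template.exe url=https://graph.facebook.com/me?fields=name,followers_count ua="python-requests/2.31.0"
2023-07-20T10:01:10Z host=WS-02 proc=template.exe url=https://api.telegram.org/bot123456789:AAExampleToken/sendDocument ua="python-requests/2.31.0"
2023-07-20T10:02:00Z host=WS-03 proc=updater.exe url=https://graph.facebook.com/me?fields=name ua="python-requests/2.31.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+) ua="(?P<ua>[^"]*)"$'
)

# Stages of the flow described in the article: session check, Graph API
# collection, and (second variant) exfiltration through a Telegram bot.
STAGES = [
    ("ad_limits", re.compile(r"^https?://business\.facebook\.com/ads/ad_limits/?")),
    ("graph_api", re.compile(r"^https?://graph\.facebook\.com/")),
    ("telegram_exfil", re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/")),
]

# Assumed process names of the browsers the article lists; browsers are
# expected to talk to these endpoints, so they are not flagged.
BROWSER_PROCESSES = {
    "chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe", "browser.exe",
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def classify(url):
    """Return the stage name a URL belongs to, or None."""
    for stage, pattern in STAGES:
        if pattern.match(url):
            return stage
    return None


def find_suspicious_hosts(log_text, window_seconds=600):
    """Return {host: [stages]} for hosts where a non-browser process fetched
    the ad_limits endpoint and then reached graph.facebook.com within the
    window. A later Telegram bot call within the same window is recorded as
    an extra stage. Graph API traffic alone is not enough to flag a host."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    hits = defaultdict(list)  # (host, proc) -> [(ts, stage)]
    for e in events:
        stage = classify(e["url"])
        if stage:
            hits[(e["host"], e["proc"])].append((e["ts"], stage))

    findings = {}
    for (host, proc), seq in hits.items():
        if proc.lower() in BROWSER_PROCESSES:
            continue
        first = next((ts for ts, s in seq if s == "ad_limits"), None)
        if first is None:
            continue
        stages = []
        for ts, s in seq:
            if 0 <= (ts - first).total_seconds() <= window_seconds and s not in stages:
                stages.append(s)
        if "graph_api" in stages:
            findings[host] = stages
    return findings


if __name__ == "__main__":
    for host, stages in find_suspicious_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The rule keys on the order of the requests rather than on any single indicator: the ad_limits check is the first thing the malware does, so a non-browser process performing it and then calling the Graph API is the core signal, and a Telegram bot upload shortly after raises confidence that the second variant is involved. In practice the browser allowlist and the time window need tuning against the environment's own telemetry.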
“Analyzing the two variants revealed some interesting behavior of the malware that includes doing much more than its original intentions, all likely to increase the potential profit for the threat actor.” concludes the report. “The threat actor, who is suspected to be of Vietnamese origin, provided the new variants with cryptocurrency stealing capabilities, downloader capabilities and the ability to fully take over Facebook business accounts. The potential damage for both individuals and organizations can be reflected not only in financial loss, but also in reputation damage for a target.”
(SecurityAffairs – hacking, NodeStealer)