Friday, November 1, 2024

Users of Facebook for Business are the Target of a New Phishing Attack


A previously unreported phishing campaign distributing a Python version of the NodeStealer malware has been found.

NodeStealer gave threat actors the ability to steal browser cookies and use them to hijack users’ accounts on the platform, with a focus on business accounts.

The malware was first observed attacking browsers on Windows systems in late January 2023. Google Chrome, Microsoft Edge, Brave, and Opera are among the browsers it targets.


When Palo Alto Networks investigated this developing pattern, it discovered an unreported campaign that began around December 2022.

An attempt was made to target Facebook business accounts by using a phishing lure that offered tools like spreadsheet templates for businesses.

The info stealer delivered throughout the campaign has many similarities to the JavaScript-based NodeStealer variant, compiled in July 2022, that Meta analyzed.

The new campaign, however, included two Python-coded variations that had been enhanced with new capabilities to aid threat actors.

These versions were given downloader capabilities, the capacity for the threat actor to take over Facebook business accounts, and the ability to steal cryptocurrency.

“NodeStealer poses a great risk for both individuals and organizations.

Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks”, researchers said.

Deep Dive Analysis Of The Malware

The primary focus of the phishing campaign, which took place in or around December 2022, was businesses’ advertising materials.

The threat actor posted content to several Facebook pages and user profiles to entice victims into clicking a link hosted on well-known cloud file storage services.

After the link was clicked, a .zip file containing the malicious info stealer executable was downloaded to the computer.

Luring victims to download a malicious link

According to the reports, the first variant discovered supports several capabilities, including stealing credentials from the Google Chrome, Edge, Cốc Cốc, Brave, and Firefox web browsers.

It can also access a victim’s Facebook Business account, download additional malware, disable Windows Defender via the GUI, and steal funds from the MetaMask cryptocurrency wallet.

When malware executes, it connects to https://business.facebook.com/ads/ad_limits/ and looks at the header to see if a Facebook business account is currently signed in to the machine’s default browser.

The malware uses the user ID and access token taken from the header to establish a connection to the Graph API at graph.facebook.com when a Facebook business account is signed in.

NodeStealer takes various kinds of data about the target, such as the number of followers, the state of user authentication, the account credit balance if the account is prepaid, and information about advertisements.
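The account check described above gives defenders a detectable sequence: a process that is not a browser requesting business.facebook.com/ads/ad_limits/ and then calling graph.facebook.com shortly afterwards. The following detection sketch is an added example, not code from the article or from Unit 42; the telemetry format, process names, request paths and time window are all constructed assumptions.

```python
"""Detect the NodeStealer account-check sequence in per-process network telemetry.

Added example (not from the article or Unit 42). Flags a non-browser process
that requests business.facebook.com/ads/ad_limits/ and then contacts
graph.facebook.com within a short window, the order the stealer uses to
confirm a signed-in business account before querying the Graph API.
"""
import json
from datetime import datetime, timedelta

# Processes expected to talk to these hosts legitimately (assumption: tune per fleet).
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
WINDOW = timedelta(minutes=5)

# Constructed telemetry: one JSON record per outbound HTTPS request, time-ordered.
# Process names and request paths are invented for illustration.
SAMPLE_TELEMETRY = """
{"ts": "2022-12-05T09:00:01", "host": "WS01", "process": "chrome.exe", "dest": "business.facebook.com", "path": "/ads/ad_limits/"}
{"ts": "2022-12-05T09:00:02", "host": "WS01", "process": "chrome.exe", "dest": "graph.facebook.com", "path": "/me"}
{"ts": "2022-12-05T09:12:10", "host": "WS01", "process": "Spreadsheet_Templates.exe", "dest": "business.facebook.com", "path": "/ads/ad_limits/"}
{"ts": "2022-12-05T09:12:11", "host": "WS01", "process": "Spreadsheet_Templates.exe", "dest": "graph.facebook.com", "path": "/me"}
{"ts": "2022-12-05T10:30:00", "host": "WS02", "process": "updater.exe", "dest": "graph.facebook.com", "path": "/me"}
"""


def detect_account_checks(telemetry: str, window: timedelta = WINDOW):
    """Return (host, process, ad_limits_ts) for every non-browser process that
    hits the ad_limits page and then graph.facebook.com within `window`.
    Records must be in chronological order; browsers are skipped entirely."""
    pending = {}  # (host, process) -> timestamp of the ad_limits request awaiting a Graph call
    alerts = []
    for line in telemetry.strip().splitlines():
        rec = json.loads(line)
        key = (rec["host"], rec["process"].lower())
        if key[1] in KNOWN_BROWSERS:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        if rec["dest"] == "business.facebook.com" and rec["path"].startswith("/ads/ad_limits"):
            pending[key] = ts  # first half of the sequence seen
        elif rec["dest"] == "graph.facebook.com" and key in pending:
            if ts - pending[key] <= window:
                alerts.append((key[0], rec["process"], pending[key].isoformat()))
            del pending[key]  # a Graph call alone (WS02 above) never alerts
    return alerts


if __name__ == "__main__":
    for alert in detect_account_checks(SAMPLE_TELEMETRY):
        print("suspicious business-account check:", alert)
```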

Unit 42 found a second variation that has other functionality, including processing emails from Microsoft Outlook, data exfiltration over Telegram, hijacking a Facebook account, and anti-analysis capabilities.

Unlike the first variation, the second variant does not produce a lot of activity that is evident to the unwary user. The threat actor used the product name “Microsoft Corporation” for this variation.

Difference between the variants

“Both Ducktail and NodeStealer were previously suspected by Meta to originate from threat actors based in Vietnam”, researchers said.

Analysis of the two versions also showed some unusual malware behavior, including accomplishing considerably more than its initial aims, all of which is likely to increase the threat actor’s potential profit.

Owners of Facebook business accounts are advised to use strong passwords and enable multifactor authentication.

It is recommended to make an effort to educate your organization on phishing strategies, particularly modern, targeted approaches that focus on current events.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
