Thursday, June 20, 2024

Users of Facebook for Business are the Target of a New Phishing Attack

A previously unreported phishing campaign that distributed a Python version of the NodeStealer malware has been found.

NodeStealer gave threat actors the ability to steal browser cookies and use them to hijack users’ accounts on the platform, with a focus on business accounts.

The malware was first observed attacking browsers on Windows systems in late January 2023. Google Chrome, Microsoft Edge, Brave, and Opera are just a few of the web browsers it can target.

When Palo Alto Networks investigated the developing trend, it discovered a previously unreported campaign that began around December 2022.

An attempt was made to target Facebook business accounts by using a phishing lure that offered tools like spreadsheet templates for businesses.

The info stealer delivered throughout the campaign has many similarities to the JavaScript-based NodeStealer variant, compiled in July 2022, that Meta analyzed.

The new campaign, however, included two Python-coded variations that had been enhanced with new capabilities to aid threat actors.

These versions were given downloader capabilities, the capacity for the threat actor to take over Facebook business accounts, and the ability to steal cryptocurrency.

“NodeStealer poses a great risk for both individuals and organizations.

Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks”, researchers said.

Deep Dive Analysis Of The Malware

The primary focus of the phishing campaign, which took place in or around December 2022, was businesses’ advertising materials.

The threat actor posted content on several Facebook pages and user profiles to entice victims to click a link to well-known cloud file storage services.

After clicking on it, a file containing the malicious info stealer executable was downloaded to the computer.

Luring victims to download a malicious link

According to the reports, the first variant discovered supports several capabilities, including the ability to steal credentials from Google Chrome, Edge, Cốc Cốc, Brave, and Firefox web browsers.

It can also access a victim’s Facebook Business account, download additional malware, disable Windows Defender via the GUI, and steal funds from the MetaMask cryptocurrency wallet.

When the malware executes, it connects to and looks at the header to see whether a Facebook business account is currently signed in to the machine’s default browser.

The malware uses the user ID and access token taken from the header to establish a connection to the Graph API at when a Facebook business account is signed in.

NodeStealer takes various kinds of data about the target, such as the number of followers, the state of user authentication, the account credit balance if the account is prepaid, and information about advertisements.
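The behaviour described above (a non-browser client querying the Graph API with a stolen access token) leaves a trace in web proxy logs. The following detection snippet is an added example, not code from the article or from Unit 42; it assumes a constructed proxy log format (timestamp, source IP, method, URL, user agent) and that the Python stealer presents a non-browser user agent such as `python-requests`, which is an assumption rather than something the article states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the article).
# Format assumed: <timestamp> <src-ip> <method> <url> <user-agent>
# "EAAB..." is a placeholder for a Facebook access token.
SAMPLE_LOG = """\
2022-12-14T09:12:01Z 10.0.5.21 GET https://graph.facebook.com/v15.0/me?fields=id,name&access_token=EAAB... Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0
2022-12-14T09:12:07Z 10.0.5.21 GET https://graph.facebook.com/v15.0/me/adaccounts?fields=account_status,balance&access_token=EAAB... python-requests/2.28.1
2022-12-14T09:13:44Z 10.0.5.33 GET https://business.facebook.com/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/108.0
2022-12-14T09:15:02Z 10.0.5.21 GET https://graph.facebook.com/v15.0/123456/insights?access_token=EAAB... python-requests/2.28.1
"""

# Substrings a legitimate desktop browser user agent normally carries (assumption).
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Edg/", "Firefox/", "OPR/", "Brave/")
# URL contains no spaces, so the user agent is everything after the fourth field.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

def is_browser_ua(ua):
    """True if the user agent looks like a real web browser."""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)

def find_suspicious_graph_calls(log_text):
    """Return (src_ip, url, user_agent) tuples for Graph API requests that carry
    an access_token parameter but originate from a non-browser client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        _ts, src, _method, url, ua = m.groups()
        parts = urlsplit(url)
        if parts.hostname != "graph.facebook.com":
            continue
        if "access_token" not in parse_qs(parts.query):
            continue
        if is_browser_ua(ua):
            continue
        hits.append((src, url, ua))
    return hits

def hosts_with_suspicious_calls(log_text):
    """Deduplicated list of internal hosts worth triaging."""
    return sorted({src for src, _url, _ua in find_suspicious_graph_calls(log_text)})

if __name__ == "__main__":
    for src, url, ua in find_suspicious_graph_calls(SAMPLE_LOG):
        print(f"{src} -> {url} ({ua})")
```

A hit is a hunting lead, not proof of compromise: legitimate automation can also call the Graph API with a token, so the flagged host should be checked for an unexpected process making the request.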

Unit 42 found a second variation that has other functionality, including processing emails from Microsoft Outlook, data exfiltration over Telegram, hijacking a Facebook account, and anti-analysis capabilities.

Unlike the first variation, the second variant does not produce a lot of activity that is evident to the unwary user. The threat actor used the product name “Microsoft Corporation” for this variation.

Difference between the variants

“Both Ducktail and NodeStealer were previously suspected by Meta to originate from threat actors based in Vietnam”, researchers said.

Analyzing the two versions revealed some unusual malware behavior, including accomplishing considerably more than its initial aims, all of which is likely to increase the threat actor’s potential profit.

Owners of Facebook business accounts are advised to use strong passwords and enable multifactor authentication.

Organizations are also advised to educate their staff on phishing strategies, particularly modern, targeted approaches that exploit current events.

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.