Unit 42 researchers have uncovered another phishing campaign designed to take over Facebook business accounts using a newly identified infostealer variant.
This novel campaign, believed to be perpetrated by a threat actor of Vietnamese origin, is part of a growing trend of attackers targeting Facebook business accounts for advertising fraud and other purposes in the past year. The link to Vietnam is based on several factors, including many of the strings in the Python script being written in Vietnamese.
The good news is that this specific campaign is no longer believed to be active. However, Unit 42 said it has indications that the threat actors behind it will continue to use similar techniques to hijack Facebook business accounts going forward, “which poses great risk for both individuals and organizations.”
This includes financial losses and reputational damage for the target, as well as further attacks launched using credentials stolen from the victim's browsers.
The infostealer distributed in the campaign “shares multiple similarities” with the NodeStealer variant identified and taken down by Meta earlier in 2023. NodeStealer targeted individuals through malicious browser extensions, ads and social media platforms with the goal of running unauthorized ads from compromised business accounts.
The new infostealer variant uncovered by Unit 42 has additional features to benefit the threat actors, most notably cryptostealing and downloader capabilities, in addition to the ability to fully take over Facebook business accounts.
How ‘NodeStealer 2.0’ Works
The researchers said the primary method of targeting victims with the infostealer, which they referred to as ‘NodeStealer 2.0,’ was a phishing campaign that took place around December 2022. It was mainly centered on advertising materials for businesses, with multiple Facebook pages and users posting information that lured victims into downloading a file via a link to a known cloud file storage provider.
When clicked, a .zip file containing the malicious infostealer executable would be downloaded to the user’s device.
The campaign used two variants of the malware, both written in Python, which Unit 42 named Variant #1 and Variant #2.
- Variant #1: This version creates multiple processes and performs “many actions that are considered as indications of abnormal activity,” such as pop-up windows presented to the user. Its capabilities include stealing Facebook business account information, downloading additional malware and cryptocurrency theft by accessing MetaMask credentials.
- Variant #2: Unlike Variant #1, this version does not generate a lot of activity visible to the target user, and the threat actor used the product name ‘Microsoft Corporation.’ It also goes beyond the capabilities of the other variant by attempting to take over the Facebook account, implementing anti-analysis features and stealing emails.
Facebook a Growing Target
Unit 42 said its analysis is part of a growing trend of threat actors targeting Facebook accounts. This first emerged in July 2022 with the discovery of a Vietnam-based hacking operation dubbed ‘Ducktail.’ In November 2022, the firm described new developments in the campaign, involving the targeting of individuals and companies operating on Facebook's Ads and Business platform.
In March 2023, Guardio reported a new variant of a fake ChatGPT Chrome extension that was designed to steal Facebook session cookies.
As with Ducktail and NodeStealer, the latest malware discovered by Unit 42 is suspected to originate from threat actors based in Vietnam.
The Unit 42 blog post advised organizations with Facebook business accounts to review their protection policies and use the indicators of compromise (IoCs) provided in the report to mitigate similar threats going forward.
“Facebook business account owners are encouraged to use strong passwords and enable multifactor authentication. Take the time to provide education for your organization on phishing tactics, especially modern, targeted approaches that play off current events, business needs and other appealing topics,” it read.