Palo Alto Networks’ Unit 42 said in a blog post that it has uncovered a phishing campaign distributing an infostealer known as NodeStealer 2.0.
Unlike the earlier version reported by Meta Platforms in May 2023, this variant is written in Python and poses a more significant threat: it can target Facebook business accounts, steal cryptocurrency, and exfiltrate data via Telegram. This alarming discovery points to a concerning trend of threat actors increasingly targeting Facebook business accounts for both advertising fraud and financial gain.
The phishing campaign initially took place in December 2022, using two malware variants dubbed Variant #1 and Variant #2. The attackers used various Facebook pages and user accounts to post deceptive information, luring victims into following a download link hosted on seemingly legitimate cloud file storage providers. Once clicked, a malicious .zip file containing the infostealer’s .exe files was downloaded onto the victim’s system. The infected posts and the link to download the malicious file have been identified and are being monitored.
Variant #1 of NodeStealer 2.0 operates in a “noisy” manner, generating multiple processes that raise abnormal activity indicators, such as closing pop-up windows on the graphical user interface (GUI). Variant #2, on the other hand, is far more discreet, which makes its malicious activity harder to identify and makes it an even more insidious threat.
Both variants possess the capability to steal Facebook business account credentials by connecting to the Meta Graph API using the victim’s user ID and access token. The Graph API serves as the primary method to extract and input data on Facebook, allowing attackers to programmatically retrieve vital account details, follower count, user verification status, and prepaid account status, among others. This stolen information is then transmitted to the command and control server (C2). Additionally, the malware attempts to pilfer login credentials by probing cookies and local databases of commonly used web browsers.
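The pattern described above, a non-browser process reaching the Meta Graph API and then Telegram, can be turned into a simple correlation check over endpoint network telemetry. The example below is added here and is not Unit 42’s code or part of the campaign analysis; it assumes Sysmon-style connection records with a process image and destination hostname, uses the public endpoint names graph.facebook.com and api.telegram.org, and runs on a constructed sample log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint network-connection telemetry (not real data
# from the campaign). Each record: timestamp, host, process image, destination.
SAMPLE_LOG = """\
2023-07-27T10:01:02Z host=WS-17 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=graph.facebook.com
2023-07-27T10:03:15Z host=WS-42 image=C:\\Users\\bob\\AppData\\Local\\Temp\\Report.exe dst=graph.facebook.com
2023-07-27T10:03:20Z host=WS-42 image=C:\\Users\\bob\\AppData\\Local\\Temp\\Report.exe dst=api.telegram.org
2023-07-27T10:09:00Z host=WS-08 image=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com
2023-07-27T11:30:00Z host=WS-17 image=C:\\Users\\ann\\Downloads\\invoice.exe dst=api.telegram.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+)$")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
GRAPH_API = "graph.facebook.com"    # Meta Graph API endpoint (assumed hostname)
TELEGRAM_API = "api.telegram.org"   # Telegram Bot API, used here as the exfil channel
WINDOW = timedelta(minutes=10)      # how close the two contacts must be to correlate

def parse(log):
    """Parse the constructed log format into (timestamp, host, image, dst) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["image"], m["dst"]))
    return events

def find_suspects(log, window=WINDOW):
    """Return (host, image) pairs where a non-browser process contacted the
    Graph API and Telegram within `window` of each other. Browsers are
    excluded because they legitimately talk to graph.facebook.com."""
    by_proc = defaultdict(list)
    for ts, host, image, dst in parse(log):
        if image.rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue
        by_proc[(host, image)].append((ts, dst))
    hits = []
    for key, evs in by_proc.items():
        graph = [t for t, d in evs if d == GRAPH_API]
        telegram = [t for t, d in evs if d == TELEGRAM_API]
        if any(abs(g - t) <= window for g in graph for t in telegram):
            hits.append(key)
    return hits
```

A process that only reaches Telegram (invoice.exe on WS-17 in the sample) is not flagged by this rule; it needs the Graph API contact too, which keeps the check tied to the credential-theft step rather than to Telegram use alone.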
Variant #2 goes a step further and employs a cunning tactic by replacing the legitimate user’s email address with a mailbox under the control of the cyberattacker. This effectively locks the genuine user out of their account indefinitely, potentially leading to severe financial and reputational damages as attackers misuse the account credit or publish inappropriate content.
Anil Valluri, MD and VP for India and SAARC at Palo Alto Networks, commented on the seriousness of this threat. He highlighted that Facebook’s large user base, primarily comprising slightly older demographics who may be less tech-savvy, makes them easy targets for cybercriminals leveraging NodeStealer 2.0 and its variants for malicious purposes.
To defend against NodeStealer and its evolving variants, organizations are urged to review their protection policies and familiarize themselves with the indicators of compromise (IoCs) provided by Unit 42. Proactively educating employees about modern phishing tactics that exploit current events, business needs, and other enticing topics is crucial in mitigating the risk posed by these sophisticated attacks.