NodeStealer Campaign Hacks Facebook Business Accounts

In this article, you will learn how Facebook Business accounts are hacked in the NodeStealer credential-harvesting campaign.

An ongoing campaign is sending fraudulent messages to Facebook Business accounts in order to collect victims’ credentials and potentially take over their accounts for further malicious activity using a variant of the Python-based NodeStealer.

What is NodeStealer

NodeStealer was discovered by Meta in May 2023 as a JavaScript malware capable of stealing cookies and passwords from web browsers in order to hack Facebook, Gmail, and Outlook accounts.


Last month, Palo Alto Networks Unit 42 discovered a separate attack wave that occurred in December 2022 utilising a Python version of the malware, with select versions also designed to steal cryptocurrency.

According to Netskope‘s newest findings, the Vietnamese threat actors behind the operation have likely renewed their attack activities, as well as adopted strategies used by other adversaries operating out of the nation with similar goals.

Guardio Labs revealed earlier this week how a botnet of phoney and hijacked personal accounts is being used to transmit ZIP or RAR archive files containing stealer malware to unsuspecting victims via Facebook Messenger.

How Facebook Business accounts are hacked

The same method is used by the NodeStealer intrusion chains to spread RAR files placed on Facebook’s content delivery network (CDN).

“Images of defective products were used as bait to convince owners or admins of Facebook business pages to download the malware payload,” Michael explained.

These archives contain a batch script that, when run, launches the Chrome web browser and redirects the victim to a safe web page. However, a PowerShell operation is executed in the background to download further payloads, including the Python interpreter and the NodeStealer malware.
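The launch chain described above (a batch file that opens a browser as a decoy while a background PowerShell process fetches a Python interpreter and the stealer) leaves a recognizable shape in process-creation telemetry. The following is an added detection example written for this article, not code from Netskope or from any vendor product; the event fields and all sample events are constructed and simplified, and the real command lines and download locations used by the campaign are not reproduced.

```python
"""Flag a decoy-browser + background-download launch chain in process telemetry.

Added example for this article. ProcEvent is a constructed, simplified
record (roughly the fields of a Sysmon Event ID 1 process-creation event),
not any vendor's real schema. Sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str            # lower-case basename of the executable
    cmdline: str
    user_writable: bool   # True if the image lives under Downloads, %TEMP%, AppData, etc.


# Common PowerShell / LOLBin download idioms (lower-case substrings).
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile(",
                    "start-bitstransfer", "curl ", "wget ")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


def is_batch_launcher(e: ProcEvent) -> bool:
    return e.image == "cmd.exe" and ".bat" in e.cmdline.lower()


def is_browser_decoy(e: ProcEvent) -> bool:
    return e.image in BROWSERS


def is_ps_downloader(e: ProcEvent) -> bool:
    cl = e.cmdline.lower()
    return e.image in ("powershell.exe", "pwsh.exe") and any(m in cl for m in DOWNLOAD_MARKERS)


def is_user_path_python(e: ProcEvent) -> bool:
    return e.image.startswith("python") and e.user_writable


def descendants(pid: int, children: dict) -> list:
    """All processes below `pid` in the parent/child tree (depth-first)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        e = stack.pop()
        out.append(e)
        stack.extend(children.get(e.pid, []))
    return out


def flag_decoy_download_chains(events: list) -> list:
    """Return [(batch_cmd_pid, [reasons])] for batch files whose subtree shows
    a browser decoy together with a PowerShell download; a Python interpreter
    running from a user-writable path is reported as an extra reason."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for e in events:
        if not is_batch_launcher(e):
            continue
        subtree = descendants(e.pid, children)
        reasons = []
        if any(is_browser_decoy(c) for c in subtree):
            reasons.append("browser launched from a batch file (possible decoy)")
        if any(is_ps_downloader(c) for c in subtree):
            reasons.append("PowerShell descendant downloads content")
        if any(is_user_path_python(c) for c in subtree):
            reasons.append("Python interpreter run from a user-writable path")
        # Decoy alone is common in benign scripts; require the download as well.
        if len(reasons) >= 2 and "PowerShell descendant downloads content" in reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed sample telemetry: one suspicious chain and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", False),
    # suspicious: batch from an archive opens a browser, then PowerShell fetches more
    ProcEvent(200, 100, "cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\product_photos\open.bat"', False),
    ProcEvent(201, 200, "chrome.exe", "chrome.exe https://benign-page.invalid/", False),
    ProcEvent(202, 200, "powershell.exe", "powershell -w hidden -c Invoke-WebRequest -Uri <placeholder-url> -OutFile p.zip", False),
    ProcEvent(203, 202, "python.exe", r"C:\Users\u\AppData\Local\Temp\py\python.exe main.py", True),
    # benign: a shortcut batch that only opens an intranet page
    ProcEvent(300, 100, "cmd.exe", r'cmd.exe /c "C:\Tools\openlinks.bat"', False),
    ProcEvent(301, 300, "chrome.exe", "chrome.exe https://intranet.invalid/", False),
    # benign: an admin downloading interactively, not via a batch file
    ProcEvent(400, 100, "powershell.exe", "powershell Invoke-WebRequest -Uri https://updates.invalid/x.zip -OutFile x.zip", False),
]

if __name__ == "__main__":
    for pid, reasons in flag_decoy_download_chains(SAMPLE_EVENTS):
        print(f"cmd.exe pid {pid}: " + "; ".join(reasons))
```

The rule deliberately keys on the combination (batch file, decoy browser, download in a sibling or descendant process) rather than on any single indicator, since each piece on its own is routine on a workstation; the Python-from-a-user-writable-path condition is reported as an additional reason rather than required, so the alert still fires if the second stage is fetched under another name.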


Besides stealing credentials and cookies, Facebook-related or otherwise, from various web browsers, the stealer is designed to collect system metadata and exfiltrate it.

What is new in the NodeStealer Python variant

“Unlike previous variants, the new NodeStealer variant uses batch files to download and run Python scripts, as well as steal credentials and cookies from multiple browsers and websites,” Michael explained.

“Because they have already gathered useful information, this campaign could pave the way for a more targeted attack later on. Attackers with stolen Facebook cookies and credentials can utilize them to take over the account and conduct fraudulent transactions through the real business page.”

Keywords: NodeStealer Python variant, Facebook Business account attacks, Credential theft campaign
