KEY FINDINGS
- Palo Alto Networks’ Unit 42 identified and reported NodeStealer 2.0.
- The Python-based malware steals crypto, Facebook and browser data.
- It spreads through phishing, masquerading as advertising opportunities.
- NodeStealer 2.0 campaign originated in Vietnam.
Phishing scams targeting Facebook business accounts to conduct advertising fraud or account takeovers are on the rise, which is a concerning trend. Recently, Hackread published Malwarebytes’ Jerome Segura’s research on fake Meta ad managers and Chrome extensions that allow attackers to lure business account holders into making ad investments to increase sales revenues.
Now Palo Alto Networks’ Unit 42 researchers have shared details of a new phishing attack distributing a brand-new version of the information stealer NodeStealer. This new version is dubbed NodeStealer 2.0, and it also targets Facebook business accounts. Researchers believe this trend of targeting Facebook business accounts started in July 2022 with the emergence of the Ducktail infostealer.
NodeStealer malware was detected and taken down by Meta in May 2023. It could steal browser cookies to hijack Facebook business accounts, perform ad fraud, steal account credentials, download additional payloads, and more.
In this campaign, the attack chain starts with a phishing lure, for instance, offering tools like spreadsheet templates for businesses. Previously, we have seen ChatGPT-inspired scams offering malicious extensions to business account users.
NodeStealer 2.0 is similar to its predecessor, using phishing tactics to lure users and distributing malware-infected executable files in the guise of advertising opportunities. Victims are lured into downloading a .ZIP file hosted on reputable cloud file storage providers, which lends the lure credibility, and end up with their devices infected.
According to Unit 42’s report, NodeStealer 2.0 has additional features such as downloader and cryptocurrency stealing capabilities and a complete takeover of Facebook business accounts. The first attack in which NodeStealer 2.0 was used was discovered in December 2022, mainly targeting Facebook pages.
It is worth noting that both versions (named by Unit 42 as Variant 1 and Variant 2) are written in Python. NodeStealer 2.0 posed as Microsoft Corporation, can steal emails and Facebook accounts, and even boasts anti-analysis features.
The second variant of the infostealer in the campaign was internally named MicrosofOffice.exe and was compiled with Nuitka, the same as the first variant. Unlike the first variant, it does not generate a lot of activity visible to the unsuspecting user. For this variant, the threat actor used the product name “Microsoft Coporation” (originally misspelled by the malware authors).
Lior Rochberger – Palo Alto Networks’ Unit 42
The NodeStealer 2.0 campaign originated in Vietnam and, as per the researchers, is no longer active. The Vietnamese link was identified because previous campaigns involving Ducktail and NodeStealer were launched by threat actors based in Vietnam.
However, it could be part of a larger campaign in which attackers use different methods to target Facebook business account holders for monetary gain. NodeStealer 2.0 seems to be a continuation of the same agenda, which can cause huge financial losses for organizations, while users are exposed to additional threats due to credential leaks, apart from reputational damage.
Visit this link to check out the indicators of compromise. This is becoming a raging threat; therefore, organizations and Facebook business account holders must remain cautious when downloading executables. Using strong passwords with MFA and training employees to recognize phishing lures can prove crucial in safeguarding your privacy and data on social media.