NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

Cyber Security Threat Summary:
“An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors,’ Netskope Threat Labs researcher Jan Michael said in an analysis published Thursday. First documented by Meta in May 2023, NodeStealer originated as a JavaScript malware capable of pilfering cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. Palo Alto Networks Unit 42, last month, revealed a separate attack wave that took place in December 2022 using a Python version of the malware, with select iterations also designed to conduct cryptocurrency theft. The latest findings from Netskope suggest the Vietnamese threat actors behind the operation have likely resumed their attack efforts, not to mention adopt tactics used by other adversaries operating out of the country with the same objectives” (The Hacker News, 2023).

Security Officer Comments:
The latest NodeStealer variant was observed being hosted on the Facebook CDN and sent to victims as an attachment via Facebook messages. According to Netskope, the actors use images of defective products to convince admins of targeted business pages to download the malware payload. In this case, the admins are asked to open a RAR file that contains a batch file. When the victim runs this batch file, it opens the Chrome browser and directs the victim to a benign web page. At the same time, several files are downloaded in the background using PowerShell, including two zip files, Document[.]zip and 4HAI[.]zip: one contains a Python interpreter and its required DLLs and libraries, while the other contains the malware payloads, including NodeStealer. Once executed, the latest NodeStealer variant begins to steal credentials, whether or not they belong to Facebook, from various browsers, including Microsoft Edge, Brave, Opera, and Firefox. As with previous variants, the harvested data is then exfiltrated via Telegram.
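As an added illustration (not code from Netskope, Meta, or The Hacker News), the following Python sketch shows how a defender could flag the chain described above in endpoint telemetry: a batch file that spawns both a browser (the decoy page) and a PowerShell download of a zip archive, followed by a python.exe running from a user-writable path that connects to Telegram. The event records, their field names, the paths, and the api.telegram.org destination are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon-style process-creation and network events).
# These are not real indicators from the campaign; paths and hosts are invented.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\alice\Downloads\Complaint\product.bat"'},
    {"type": "proc", "pid": 101, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://benign.example.invalid/"},
    {"type": "proc", "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Invoke-WebRequest https://cdn.example.invalid/Document.zip -OutFile Document.zip"},
    {"type": "proc", "pid": 103, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmd": "python.exe payload.py"},
    {"type": "net", "pid": 103, "dest": "api.telegram.org", "port": 443},
    # Benign control: a system-wide Python install talking to a package index.
    {"type": "proc", "pid": 200, "ppid": 1, "image": r"C:\Python311\python.exe", "cmd": "python.exe app.py"},
    {"type": "net", "pid": 200, "dest": "pypi.org", "port": 443},
]

# PowerShell command lines that fetch a .zip archive.
DOWNLOAD_RE = re.compile(r"(Invoke-WebRequest|DownloadFile|curl|wget).*\.zip", re.I)
# Interpreter dropped into a user-writable location rather than an installed path.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")


def detect_nodestealer_chain(events):
    """Return (pid, reason) findings for the two stages of the described chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    net = defaultdict(set)
    for e in events:
        if e["type"] == "net":
            net[e["pid"]].add(e["dest"].lower())
    findings = []
    for p in procs.values():
        # Stage 1: a batch file whose children both open a browser and pull a zip via PowerShell.
        if ".bat" in p["cmd"].lower():
            kids = children[p["pid"]]
            opens_browser = any(k["image"].lower().endswith(BROWSERS) for k in kids)
            fetches_zip = any("powershell" in k["image"].lower() and DOWNLOAD_RE.search(k["cmd"]) for k in kids)
            if opens_browser and fetches_zip:
                findings.append((p["pid"], "batch file opened a browser decoy and fetched a zip via PowerShell"))
        # Stage 2: a dropped python.exe (user-writable path) reaching the Telegram API.
        if p["image"].lower().endswith("python.exe") and USER_WRITABLE.search(p["image"]):
            if "api.telegram.org" in net[p["pid"]]:
                findings.append((p["pid"], "python interpreter in user-writable path connecting to Telegram"))
    return findings
```

Correlating the two stages by parent process, rather than alerting on either alone, keeps ordinary PowerShell downloads and legitimate Python installs out of the findings.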

Suggested Correction(s):
(Netskope) The malicious files described in the post are distributed via social media applications. Being mindful of URL links or attachments received even from known sources can help prevent users from being victims of this campaign.

Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams. Other recommendations include:

Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.