Facebook is under the crosshairs of new NodeStealer variants

August 9, 2023

Facebook and FB business accounts are again in danger after the emergence of two new variants of the notorious NodeStealer malware. Researchers claimed the two new variants were part of the phishing campaigns in December last year.

Currently, the malicious campaign is no longer operational, but researchers believe there could be lingering effects for previously infected entities.


The threat actors use various Facebook profiles and business pages to deploy the new variants of NodeStealer.


According to investigations, the attackers launched NodeStealer through numerous Facebook business pages and user profiles, posting material that endorsed products relevant to the businesses of their targeted audience.

These endorsements could lure victims into following download links hosted on well-known cloud file storage providers. Clicking such a malicious link triggers the download of a zip file that, once opened, executes the NodeStealer payload.

Threat analysts explained that malware developers coded the new NodeStealer variant in Python. These new variants could steal the users’ data by taking over their Facebook Business accounts.

Additionally, the two NodeStealer variants could download further payloads, steal browser information, and maximise financial gain by stealing MetaMask credentials from browsers such as Brave, Chrome, and Cốc Cốc, a browser widely used in Vietnam.

Furthermore, the malware developers included multiple anti-analysis capabilities, such as deactivating Windows Defender to remain undetected during its infection process.
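One practical response to the Defender-disabling behaviour described above is to verify, on any endpoint that may have opened such a zip file, that Defender is still running and has not been switched off. The following is an added example written for this page, not code from the original article or from the researchers' report; it uses the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), the well-known DisableAntiSpyware policy value, and Defender operational log events 5001, 5010 and 5012 (protection or scanning disabled). The function name Test-DefenderHealth and the 72-hour lookback window are the example's own choices, and it must be run from an elevated PowerShell prompt on a Windows host with the Defender module present.

```powershell
# Added example: generic Windows Defender health check for a possibly
# infected endpoint. It is not derived from the NodeStealer samples.

function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        # How far back to look for "protection disabled" events (assumed default)
        [int]$HoursBack = 72
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Policy registry value that, when set to 1, disables Defender
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disableAntiSpyware = $null
    if (Test-Path $policyKey) {
        $disableAntiSpyware = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableAntiSpyware
    }

    # Defender operational log: 5001 = real-time protection disabled,
    # 5010 = anti-spyware scanning disabled, 5012 = antivirus scanning disabled
    $since  = (Get-Date).AddHours(-$HoursBack)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is OFF') }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring preference is set') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF') }
    if ($disableAntiSpyware -eq 1)              { $findings.Add("DisableAntiSpyware=1 under $policyKey") }
    if ($events)                                { $findings.Add("$($events.Count) 'protection disabled' event(s) in the last $HoursBack h") }

    # Healthy means no finding fired; Findings and Events give the detail for triage
    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
        Events   = $events | Select-Object TimeCreated, Id, Message
    }
}

# Usage (elevated prompt):
Test-DefenderHealth | Format-List
```

A host where Tamper Protection is on and no disabling event has fired should report Healthy as True; any finding is a reason to treat the machine as suspect and to rotate the Facebook, MetaMask and browser-saved credentials used from it, since the article reports those as the malware's targets.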

Researchers claimed that threat actors from Vietnam operate the new NodeStealer variants, since the Python scripts the developers adopted are written in Vietnamese. The second piece of evidence for this attribution is that the attackers target the Cốc Cốc browser.

Lastly, the NodeStealer operators typically attempt to acquire an online mailbox service from a couple of Vietnamese websites, a capability linked to the second malware variant.

This new cybercriminal operation is the latest addition to the growing trend of threat actors targeting Facebook accounts. These attacks could cause financial and reputational damage to users or organisations that run an active social media page. Therefore, Facebook business account owners should use hard-to-guess passwords and adopt multifactor authentication to mitigate the effects of such campaigns.
