New variants found of malware that targets Facebook business accounts

Researchers have uncovered a previously unreported phishing campaign that uses new variants of the NodeStealer malware.

Successful attacks can result in financial losses as well as reputation damage for a target, according to a report by Palo Alto Networks' Unit 42.

NodeStealer is designed to take over Facebook business accounts and steal cryptocurrency from MetaMask cryptocurrency wallets. Facebook’s parent, Meta, noted the threat from NodeStealer in May.

The Unit 42 researchers linked the latest campaign to an unidentified Vietnamese threat actor. The hackers targeted a Vietnamese browser named Cốc Cốc and used several strings of Vietnamese code in the malware. Meta’s previous report also noted a potential Vietnamese connection.

The attacks on Facebook business accounts are a growing trend among cybercriminals who exploit them for advertising fraud and other purposes, according to Unit 42.

The malware’s first variant was written in JavaScript and allowed hackers to steal browser cookies to hijack Facebook accounts. The two new NodeStealer variants discovered by Unit 42 were written in Python.

To gain access to target systems, hackers used phishing links, tricking victims into downloading files that contained the malicious infostealer, Unit 42 said.

Once the malware is executed, it checks for any logged-in Facebook business accounts in the default browser and proceeds to hack them. It steals various information about the target, such as their follower count, user verification status, account credit balance and ad information.

The malware also tries to steal MetaMask crypto wallet credentials from the Chrome, Cốc Cốc and Brave browsers. MetaMask, which is not associated with Meta, is based on the Ethereum blockchain and is intended to interact with decentralized finance (DeFi) applications.

The second variant of NodeStealer can also read the victim's emails, probably to disrupt any Facebook alerts that would notify the victim of configuration changes.

While the campaign using the two new NodeStealer variants is no longer active, researchers say that the threat actors may continue to improve the malware to target Facebook business accounts.

“It is also possible that there may be ongoing effects for previously compromised organizations,” the researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.