Cybersecurity researchers reported discovering a previously unknown phishing campaign distributing two variants of an infostealer written in Python targeting Facebook business accounts.
Researchers at Palo Alto Network’s Unit 42 reported Tuesday that they uncovered the Python variants of the NodeStealer malware while investigating the growing trend of threat actors targeting Facebook business accounts with phishing lures using business tools such as spreadsheet templates.
Meta described NodeStealer in a May post, saying the malware written in JavaScript allowed threat actors to steal browser cookies to hijack accounts on the platform.
The Python versions improved upon the original by adding cryptocurrency stealing capabilities, downloader capabilities and the ability to fully take over Facebook business accounts.
"NodeStealer poses great risk for both individuals and organizations," wrote Unit 42's Lior Rochberger. "Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks."
Unit 42 researchers said the campaign dates to December 2022, but is no longer active. However, the researchers also think the threat actors behind the attacks will continue to evolve NodeStealer or use similar techniques to continue to target Facebook business accounts.
Variant No. 1 was a “word.exe” file named “Peguis,” and performed multiple processes, including stealing Facebook business account information, downloading additional malware, disabling Windows Defender, and stealing from the MetaMask cryptocurrency wallet.
Variant No. 2 was internally named “MicrosofOffice.exe,” and also targets account info and MetaMask wallets. Where it differs from the first variant is that it attempts to take over the Facebook account, implements anti-analysis features and steals emails.
NodeStealer and Ducktail, another infostealer, are suspected to originate from Vietnam-based threat actors.
